Preface
Honest complaints about this competition:
- The preliminary-round environment kept crashing; it was down for the last 30-odd minutes and answers could not be submitted at all.
- In the promotion round the challenges also occasionally disconnected. The second web challenge even returned an empty response at first and only started working later?? Not sure whether I was the only one who hit this. Ugh.
- And the promotion round did not even use UUID-style dynamic flags...?
old
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F71b7c70a-06fe-434e-a4ce-b56a707a151e%2FUntitled.png?table=block&id=44fbf1df-b275-47b6-80c0-750989a5f6cf&t=44fbf1df-b275-47b6-80c0-750989a5f6cf&width=1500&cache=v2)
Arbitrary file read, but flag.txt cannot be read. hint.txt can be read, though: it is smali bytecode, and it hints at fastjson 1.2.24.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6efbafa5-1c83-4737-9548-87fc15a37a10%2FUntitled.png?table=block&id=aa9dbf84-79b7-4bff-8fa3-9cb44fbc27d4&t=aa9dbf84-79b7-4bff-8fa3-9cb44fbc27d4&width=1500&cache=v2)
First, read the current process's own directories (the /proc entries for the running JVM) to find out what is actually running.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2da5be83-aa55-4cf3-80d8-3ee766351dcd%2FUntitled.png?table=block&id=9a26050a-9ca7-4b36-bd88-ca96dffc2df3&t=9a26050a-9ca7-4b36-bd88-ca96dffc2df3&width=1500&cache=v2)
The source is in /usr/local/run/start.jar; open it in IDEA to analyze.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2ae73702-2a4f-4f3b-8626-88029b0fa213%2FUntitled.png?table=block&id=a322347e-918c-4026-91b1-db06b63bb8dd&t=a322347e-918c-4026-91b1-db06b63bb8dd&width=1500&cache=v2)
It turns out `flag` is filtered, which is why the file cannot be read directly. So the route is deserialization, but there is a WAF:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff5a5cc18-1dc7-457b-9073-fd8e47131368%2FUntitled.png?table=block&id=522d3232-1b2b-4dba-bd3c-7b200a41b8bc&t=522d3232-1b2b-4dba-bd3c-7b200a41b8bc&width=1500&cache=v2)
And there is a further restriction:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3b643ea3-a3dc-43e6-b028-f35710e6ab6e%2FUntitled.png?table=block&id=82eea7c4-b7a2-49f5-b182-13d5744aa920&t=82eea7c4-b7a2-49f5-b182-13d5744aa920&width=1500&cache=v2)
I was stuck here for quite a while; I tried many EXPs from the Internet and none of them worked.
Then I remembered how fastjson deserialization actually works: autoType instantiates whatever class is named in `@type` and calls its setters and getters, so a working payload generally needs a gadget class from some other library on the classpath, whose methods are reached through reflection.
So I went through the dependencies one by one.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F56acb50e-88ab-4256-9d57-13c77a9d280d%2FUntitled.png?table=block&id=48b383e7-dc91-4f1b-b390-bc62e1d4a262&t=48b383e7-dc91-4f1b-b390-bc62e1d4a262&width=1500&cache=v2)
I searched spring: no relevant vulnerability. But tomcat dbcp turned out to have exactly the gadget I needed, and it needs no RMI or LDAP at all: the BasicDataSource gadget loads the class named in driverClassName through the driverClassLoader, so with the JDK-internal BCEL ClassLoader and a `$$BCEL$$`-encoded class name the attacker's bytecode runs with no outbound connection (this internal BCEL loader only exists on JDK 8 builds before 8u251, so the target JDK matters). HFCTF2021 used the same BCEL trick, which I had reproduced before, so I was very familiar with it: write the Java PoC, compile it to a .class, then encode it as BCEL code. Because the class name is encoded, the payload contains none of the WAF blacklist's strings, which gets past the first challenge.
That leaves two more challenges, and these are simple: one is a payload length over 2000, the other is the `flag` keyword. For the latter I just renamed /flag.txt to a name without `flag` in it and read that instead.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9d33d872-65d5-4c77-bca5-d400c8a8898c%2FUntitled.png?table=block&id=72ed1e05-5897-4ec3-8a8b-d9d15f90ee1a&t=72ed1e05-5897-4ec3-8a8b-d9d15f90ee1a&width=1500&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F28d80008-9e94-4934-8d7c-f57c0a0000fc%2FUntitled.png?table=block&id=22402dab-75ca-4f1d-a056-0e23473d9988&t=22402dab-75ca-4f1d-a056-0e23473d9988&width=1500&cache=v2)
try_js
Audit the source code:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F299acc86-de62-4cfa-9683-eb1308e522de%2FUntitled.png?table=block&id=cc8389ad-cd6c-473a-9a8b-ece7a29dfd51&t=cc8389ad-cd6c-473a-9a8b-ece7a29dfd51&width=1500&cache=v2)
A `merge`? Now I'm wide awake: that is an obvious prototype pollution. Pollute the prototype:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa23f0e78-7f75-417a-9989-fec2e21bd334%2FUntitled.png?table=block&id=78e6a371-2f96-4d1b-9dea-217cbca220ec&t=78e6a371-2f96-4d1b-9dea-217cbca220ec&width=1500&cache=v2)
and the login succeeds.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe51bd174-68c9-4e65-af8a-d731fbd3b12a%2FUntitled.png?table=block&id=d0db5405-3019-48de-9f3d-f4436fb08aef&t=d0db5405-3019-48de-9f3d-f4436fb08aef&width=1500&cache=v2)
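To make the "merge, then log in" step concrete, here is an added example (not the challenge's own source): a recursive `merge()` of the shape that allows prototype pollution, a hardened replacement, and a login check that grants admin based on a flag read from a freshly created object. The request body, the `isAdmin` property name and the login logic are assumptions made for this demonstration.

```javascript
// Added example, not code from the writeup or the challenge.
// Constructed attacker body: JSON.parse() creates an *own* "__proto__" key,
// which a naive recursive merge then walks into, because
// target["__proto__"] on a plain object is Object.prototype.
const ATTACK_BODY = '{"username":"guest","__proto__":{"isAdmin":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: `key in target` is also true for inherited keys such as
// __proto__, so the recursion descends into Object.prototype and writes there.
function vulnerableMerge(target, source) {
  for (const key in source) {
    if (key in source && key in target && isPlainObject(source[key])) {
      vulnerableMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened: iterate only own keys of source, skip the keys that reach a
// prototype, and recurse only into *own* plain-object properties of target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value) && hasOwn(target, key) && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Assumed login handler: merge the body into an empty user object, then
// check a privilege flag on a fresh session object that never had the
// flag set explicitly. After pollution, `session.isAdmin` is inherited.
function handleLogin(body, mergeFn) {
  const user = mergeFn({}, JSON.parse(body));
  const session = { username: user.username };
  return { username: session.username, adminGranted: session.isAdmin === true };
}

// Undo the pollution so the hardened run (and anything after it) starts clean.
function cleanup() {
  delete Object.prototype.isAdmin;
}

// Stand-alone demo
console.log("vulnerable:", handleLogin(ATTACK_BODY, vulnerableMerge)); // adminGranted: true
cleanup();
console.log("hardened:", handleLogin(ATTACK_BODY, safeMerge));       // adminGranted: false
```

Note that `JSON.parse` is what makes the `__proto__` key an own, enumerable property; an object literal with `__proto__:` would set the prototype instead and never reach the merge. The hardened version blocks `constructor` as well, since `constructor.prototype` is the other path to `Object.prototype`.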
After that, there was no "after that"...
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb9aadd78-9886-4dd5-b0e5-a58b48222076%2FUntitled.png?table=block&id=299c02c8-c131-4043-b629-cf7fec178953&t=299c02c8-c131-4043-b629-cf7fec178953&width=1500&cache=v2)
Anything other than blacklisted input simply dropped the connection. Ugh.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff7db1bcf-dad6-480c-9239-bc33a5201274%2FUntitled.png?table=block&id=2f87250f-22b9-4c94-83a1-2d10d76a4c76&t=2f87250f-22b9-4c94-83a1-2d10d76a4c76&width=1500&cache=v2)
Emm, the environment only started working when the contest was almost over???
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3c2ed9ed-46d6-4f85-b170-685a98418183%2FUntitled.png?table=block&id=61bcb4c0-b200-474c-bbf8-b60afe749c55&t=61bcb4c0-b200-474c-bbf8-b60afe749c55&width=1500&cache=v2)
First, fuzz:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F02800163-5e66-4289-a5b3-56da4e00b67b%2FUntitled.png?table=block&id=f4cb5926-7dcd-479e-997f-2f7c6e69cc56&t=f4cb5926-7dcd-479e-997f-2f7c6e69cc56&width=1500&cache=v2)
.DS_Store is the metadata file that macOS Finder leaves in a folder (it stores view settings, not a backup); some of you will have seen one appear unexpectedly after unpacking an archive made on a Mac. From shellme.php I learned that the flag is at /var/www/flag. Then y0u_w1ll_s3e_Me.txt revealed the source, i.e. the source of y0u_w1ll_s3e_Me.php; deserialize it a bit and it would have been done, but I ran out of time. Ugh.