[NUSTCTF 2022 新生赛]Ezjava1
初识java审计
题目描述:你能获取flag{1}吗
- 题目给出源代码附件，导入 IDEA 查看，是一个典型的 Spring MVC 架构项目。

- 重点看controller里的类
Department:
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.joe1sn.controller;
public class Department {

    /** Bean property {@code name1}; null until a setter call (or parameter binding) assigns it. */
    private String name1;

    /**
     * Returns the department name.
     *
     * @return the current {@code name1} value, or null if it was never set
     */
    public String getName1() {
        return name1;
    }

    /**
     * Replaces the department name.
     *
     * @param name1 the new value; null is accepted and stored as-is
     */
    public void setName1(String name1) {
        this.name1 = name1;
    }
}
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.joe1sn.controller;
import com.joe1sn.module.EvalBean;
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
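@Controller
public class HelloController {

    /**
     * Renders the "index" view with a hint message.
     *
     * @param httpServletRequest  the incoming request (not read here)
     * @param httpServletResponse the outgoing response (not written here)
     * @return a ModelAndView for the "index" template carrying a "message" attribute
     * @throws Exception kept from the original signature; nothing in the body throws
     */
    @RequestMapping({"/hello"})
    public ModelAndView handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        ModelAndView mav = new ModelAndView("index");
        mav.addObject("message", "Do you know \"beans\"?");
        return mav;
    }

    /**
     * POST /index. Request parameters are bound onto {@code evalBean} by the
     * {@code @ModelAttribute} annotation before this runs; the body only logs the call.
     *
     * @param evalBean request-bound bean (unused here)
     * @param model    view model (unused here)
     */
    @PostMapping({"/index"})
    public void postIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@POST Called");
    }

    /**
     * GET /index. Same binding behaviour as {@link #postIndex}; the body only logs the call.
     *
     * @param evalBean request-bound bean (unused here)
     * @param model    view model (unused here)
     */
    @GetMapping({"/index"})
    public void getIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@GET Called");
    }

    /**
     * /addUser1. Spring populates {@code user} from request parameters
     * ({@code name}, {@code department.name1}) before the method runs.
     * Returns "flag{1}" when the department name contains "njust" and the user
     * name contains "2022"; otherwise returns "flag{2}" if a JSP named from the
     * two parameters exists under ../webapps/ROOT/, and the user name if not.
     *
     * NOTE(review): the user name is request-controlled and is written straight
     * into the response body; confirm the negotiated content type is not
     * text/html, otherwise this is a reflection sink.
     *
     * @param user request-bound user; {@code department} or either name may be null
     *             when the corresponding parameter is absent
     * @return "flag{1}", "flag{2}", the user name, or a short message when a
     *         required parameter is missing
     * @throws IOException if the file path cannot be canonicalised
     */
    @RequestMapping({"/addUser1"})
    @ResponseBody
    public String addUser(User user) throws IOException {
        Department department = user == null ? null : user.getDepartment();
        String name1 = department == null ? null : department.getName1();
        String name = user == null ? null : user.getName();
        System.out.println(name1);
        // A request without department.name1 or name leaves these null (the nested
        // bean is presumably only created when a department.* parameter is bound);
        // the original dereferenced them unconditionally and failed with an NPE.
        if (name1 == null || name == null) {
            return "missing department.name1 or name";
        }
        if (name1.contains("njust") && name.contains("2022")) {
            return "flag{1}";
        }
        // The file name is assembled from request parameters, so confine the
        // existence check to the web root: a canonicalised path that escapes the
        // base directory is treated as "not found" instead of being probed.
        File base = new File("../webapps/ROOT/").getCanonicalFile();
        File f = new File(base, name1 + name + ".njust.jsp").getCanonicalFile();
        if (!f.toPath().startsWith(base.toPath())) {
            return name;
        }
        return f.exists() ? "flag{2}" : name;
    }
}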
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.joe1sn.controller;
public class User {

    /** Bean property {@code name}; null until assigned. */
    private String name;

    /** Bean property {@code department}; null until assigned. */
    private Department department;

    /**
     * Returns the user name.
     *
     * @return the current {@code name}, or null if never set
     */
    public String getName() {
        return name;
    }

    /**
     * Replaces the user name.
     *
     * @param name the new value; null is stored as-is
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Returns the nested department bean.
     *
     * @return the current {@code department}, or null if never set
     */
    public Department getDepartment() {
        return department;
    }

    /**
     * Replaces the nested department bean.
     *
     * @param department the new value; null is stored as-is
     */
    public void setDepartment(Department department) {
        this.department = department;
    }
}
@RequestMapping({"/addUser1"})
@ResponseBody
public String addUser(User user) throws IOException {
System.out.println(user.getDepartment().getName1());
if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
return "flag{1}";
} else {
String var10002 = user.getDepartment().getName1();
File f = new File("../webapps/ROOT/" + var10002 + user.getName() + ".njust.jsp");
return f.exists() ? "flag{2}" : user.getName();
}
根据代码，先调用 user 对象的 getDepartment() 方法获取 Department 对象，再调用 Department 类中的 getName1() 方法获取 name1 属性，判断该属性值是否包含 njust 字符串；同时调用 user 对象的 getName() 方法获取 name 属性，判断其是否包含 2022 字符串。
if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
return "flag{1}";
构造payload:
/addUser1?department.name1=njust&name=2022
得到flag

有关SpringMVC参数绑定的内容可参考https://paper.seebug.org/1877/#11-springmvc
