NSS [NUSTCTF 2022 Freshman Competition]Ezjava1

Challenge description: Can you get flag{1}

Opening the challenge shows a Java web application; the landing page is index.jsp.


The body of index.jsp contains nothing but the IDE template placeholder $END$, so the page itself gives no hints.


Import the attached jar into IDEA, which decompiles it automatically, and read the source.

The attachment has the usual Spring MVC layout; the only code worth attention is under classes/com/joe1sn.


HelloController.class, decompiled (cleaned up here: the decompiler's blank lines and temporary variable are removed and the imports it elided are restored):

package com.joe1sn.controller;

import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;   // javax namespace assumed (Spring 5 era jar)
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;
// User, Department and EvalBean are the application's own classes from the attachment;
// their package was elided in the decompiled "import ..." line.

@Controller
public class HelloController {

    public HelloController() {
    }

    // Any HTTP method: renders index.jsp with a hint about "beans"
    @RequestMapping("/hello")
    public ModelAndView handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        ModelAndView mav = new ModelAndView("index");
        mav.addObject("message", "Do you know \"beans\"?");
        return mav;
    }

    @PostMapping("/index")
    public void postIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@POST Called");
    }

    @GetMapping("/index")
    public void getIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@GET Called");
    }

    // Any HTTP method; the unannotated User parameter is populated from request parameters
    @RequestMapping("/addUser1")
    @ResponseBody
    public String addUser(User user) throws IOException {
        System.out.println(user.getDepartment().getName1());
        if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
            return "flag{1}";
        } else {
            // flag{2} branch: only returns flag{2} if a JSP named from the request parameters
            // already exists under webapps/ROOT
            File f = new File("../webapps/ROOT/" + user.getDepartment().getName1() + user.getName() + ".njust.jsp");
            return f.exists() ? "flag{2}" : user.getName();
        }
    }
}

The challenge description asks for flag{1}, so the code that matters is the condition in addUser:

if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
    return "flag{1}";
}

Analyzing the condition:

getDepartment() is called on the user object, getName1() is called on the resulting Department, and the returned string must contain the substring "njust" (String.contains is a substring check, so equality also satisfies it).

getName() is called on the user object, and the returned string must contain the substring "2022".

Reading the User and Department classes shows that every getXxx() method simply returns the corresponding field (this.xxx), so the requirements reduce to:

User.department.name1        contains "njust"
User.name                    contains "2022"

The fields of User can be set directly from request parameters: a handler parameter with no annotation, such as User user here, is treated by Spring MVC as an @ModelAttribute, and the WebDataBinder maps each parameter name onto a bean property through its setter. Nested properties use dot notation, so department.name1 sets name1 on the Department object, which the binder creates itself because nested path auto-growing is on by default. This is also why the /hello page hints at "beans".

The handler uses @RequestMapping with no method restriction, so the parameters can be sent either in a GET query string or in a POST form body. Note that the route is /addUser1.

payload:

/addUser1?department.name1=xxxnjustxxx&name=xxx2022xxx
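To see what the binder actually does with those two parameters, here is an added example that is not part of the original writeup or of the challenge jar. It drives Spring's DataBinder directly, the same machinery a handler's unannotated User parameter goes through; the User and Department classes are assumed to mirror the attachment's beans (no-arg constructor, getters and setters), and the parameter names and values are the ones from the payload. It also shows the check a practitioner would add against this kind of mass assignment, an allowed-field list, under which the nested property is silently dropped.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class BindingDemo {

    // Assumed shapes of the attachment's beans: a public no-arg constructor plus
    // getters/setters are all Spring needs to bind request parameters onto them.
    public static class Department {
        private String name1;
        public String getName1() { return name1; }
        public void setName1(String name1) { this.name1 = name1; }
    }

    public static class User {
        private String name;
        private Department department;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Department getDepartment() { return department; }
        public void setDepartment(Department department) { this.department = department; }
    }

    // Binds the parameters the way WebDataBinder does for @RequestMapping("/addUser1").
    // No allowedFields means "no allow-list", which is Spring's default behaviour.
    static User bind(MutablePropertyValues params, String... allowedFields) {
        User user = new User();
        DataBinder binder = new DataBinder(user);
        binder.setAutoGrowNestedPaths(true);   // default: "department.name1" creates the Department
        if (allowedFields.length > 0) {
            binder.setAllowedFields(allowedFields);
        }
        binder.bind(params);
        String[] dropped = binder.getBindingResult().getSuppressedFields();
        if (dropped.length > 0) {
            System.out.println("suppressed (not on allow-list): " + String.join(", ", dropped));
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed request parameters, identical to
        // /addUser1?department.name1=xxxnjustxxx&name=xxx2022xxx
        MutablePropertyValues params = new MutablePropertyValues()
                .add("department.name1", "xxxnjustxxx")
                .add("name", "xxx2022xxx");

        // 1) Default binding: the nested path is honoured, so the flag{1} condition holds.
        User u1 = bind(params);
        boolean cond = u1.getDepartment().getName1().contains("njust") && u1.getName().contains("2022");
        System.out.println("default binding -> department.name1=" + u1.getDepartment().getName1()
                + ", name=" + u1.getName() + ", flag{1} condition=" + cond);

        // 2) Allow-list binding (what an @InitBinder method would configure in a real controller):
        //    only "name" may be set from the request. department.name1 is suppressed and no
        //    Department is created, so a handler like addUser would hit a NullPointerException
        //    on user.getDepartment().getName1() instead of reading attacker-chosen data.
        User u2 = bind(params, "name");
        System.out.println("allow-list binding -> department=" + u2.getDepartment() + ", name=" + u2.getName());
    }
}
```

Compile against spring-beans and spring-context. In a real controller the allow-list goes into an @InitBinder method (binder.setAllowedFields("name", ...) or binder.setDisallowedFields(...)), which is the standard defence against clients populating bean properties the handler never meant to expose.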



Source: blog.csdn.net/Jayjay___/article/details/132592662