NSS [NUSTCTF 2022 Freshman Competition] Ezjava1
Challenge description: Can you get flag{1}?
Opening the challenge shows a plain Java web index.jsp whose body is only the default IDE template content ($END$), so there is nothing to work with on the page itself.
Import the attached jar into IDEA, which decompiles it automatically, and read the source. The attachment has the usual layout; only the code under classes/com.joe1sn matters.
The decompiled HelloController.class is as follows:
package com.joe1sn.controller;

import ...   // Spring MVC, servlet and java.io imports are elided by the decompiler

@Controller
public class HelloController {
    public HelloController() {
    }

    // Renders the index view with a hint message
    @RequestMapping({"/hello"})
    public ModelAndView handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        ModelAndView mav = new ModelAndView("index");
        mav.addObject("message", "Do you know \"beans\"?");
        return mav;
    }

    @PostMapping({"/index"})
    public void postIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@POST Called");
    }

    @GetMapping({"/index"})
    public void getIndex(@ModelAttribute EvalBean evalBean, Model model) {
        System.out.println("@GET Called");
    }

    // No HTTP method is restricted here, so GET and POST both reach this handler.
    // Spring binds request parameters onto User, including the nested department.name1.
    @RequestMapping({"/addUser1"})
    @ResponseBody
    public String addUser(User user) throws IOException {
        System.out.println(user.getDepartment().getName1());
        if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
            return "flag{1}";
        } else {
            // Unvalidated request values are concatenated straight into a filesystem path
            String var10002 = user.getDepartment().getName1();
            File f = new File("../webapps/ROOT/" + var10002 + user.getName() + ".njust.jsp");
            return f.exists() ? "flag{2}" : user.getName();
        }
    }
}
According to the challenge description our goal is flag{1}, so the core code is:
    if (user.getDepartment().getName1().contains("njust") && user.getName().contains("2022")) {
        return "flag{1}";
    }
Analyzing the conditions:
- getDepartment() on the user object returns the Department, and getName1() on it must return a string that contains "njust" (equality is just the special case of contains)
- getName() on the user object must return a string that contains "2022"
Looking at the User and Department classes, every getXxx() method simply returns this.xxx, so the requirements reduce to:
- User.department.name1 equals or contains "njust"
- User.name equals or contains "2022"
Spring binds the attributes of the User class directly from the request parameters, including the nested department.name1 property. Since @RequestMapping on this handler specifies no method, both GET and POST work. Note that the route is /addUser1.
payload:
/addUser1?department.name1=xxxnjustxxx&name=xxx2022xxx
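To make the binding rule concrete, here is an added Python model of what the handler does (not code from the writeup or from the challenge jar): it walks dotted parameter keys such as department.name1 into nested objects the way Spring's data binder does, evaluates the flag{1} condition, and adds the allowlist check that the challenge's file-path branch lacks. The SAFE_VALUE pattern and the values_are_safe() helper are assumptions introduced here.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Assumed allowlist for the hardened check: plain alphanumerics only
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


@dataclass
class Department:
    name1: str = ""


@dataclass
class User:
    name: str = ""
    department: Department = field(default_factory=Department)


def bind_model(query: str, target):
    """Mimic Spring MVC data binding: each parameter key is a dotted property
    path (department.name1) walked through nested objects before assignment."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        obj = target
        *path, leaf = key.split(".")
        for part in path:
            obj = getattr(obj, part)  # AttributeError on an unknown path segment
        if not hasattr(obj, leaf):
            raise AttributeError(f"unknown property {key!r}")
        setattr(obj, leaf, value)
    return target


def add_user(query: str) -> str:
    """The /addUser1 decision logic from the writeup, without the File.exists() probe."""
    user = bind_model(query, User())
    if "njust" in user.department.name1 and "2022" in user.name:
        return "flag{1}"
    return user.name


def jsp_path(user: User) -> str:
    """The path string the else branch concatenates from raw request values."""
    return "../webapps/ROOT/" + user.department.name1 + user.name + ".njust.jsp"


def values_are_safe(user: User) -> bool:
    """Check the challenge code lacks: reject anything a bare filename should not contain."""
    return bool(SAFE_VALUE.match(user.department.name1) and SAFE_VALUE.match(user.name))
```

Running add_user() on the query string from the payload above returns "flag{1}", while values_are_safe() shows how the else branch should have validated its inputs before touching the filesystem.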