Solve status

fix: 3/4

brokenscanner-fix

Website

module_waf = ["xss_scan.HtmlXssScan", "sqli_scan.UnionSqliScan.MySQLScan", "sqli_scan.UnionSqliScan.MsSQLScan", "xss_scan.JsXssScan"]
pos_waf = [["param"], ["param", "body", "json"], ["param", "body"], ["body", "json"], ["param", "json"], ["body"], ["json"]]

These are all the values that module and pos are ever supposed to take, so it is enough to lock the two variables down to these two arrays (in other words, an allowlist).
So add the allowlist to main.py as follows:

module_waf = ["xss_scan.HtmlXssScan", "sqli_scan.UnionSqliScan.MySQLScan", "sqli_scan.UnionSqliScan.MsSQLScan", "xss_scan.JsXssScan"]
pos_waf = [["param"], ["param", "body", "json"], ["param", "body"], ["body", "json"], ["param", "json"], ["body"], ["json"]]

# module must be exactly one of the allowed names; anything else is blanked
flag_m = 0
for modules in module_waf:
    if module == modules:
        flag_m = 1      # assignment: "flag_m == 1" here would be a comparison and never set the flag
if flag_m == 0:
    module = ''         # likewise "module == ''" would be a comparison and leave the attacker's value in place

# pos must match one of the allowed combinations exactly (same elements, same order)
flag_p = 0
for poss in pos_waf:
    if pos == poss:
        flag_p = 1
if flag_p == 0:
    pos = ''

Then write a shell script to package and upload it.
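As an added example (not code from the original writeup), here is the same allowlist as a pair of validators plus a wrapper that blanks bad values the way the patch above does. It goes one step beyond the page: because every entry in pos_waf is a non-empty subset of param/body/json, it accepts any ordering of a valid subset and canonicalises it to the page's order, and it also accepts a comma-separated string. The function names and the comma-separated form are assumptions, not part of brokenscanner.

```python
# Added example, not the writeup's code: allowlist validation for the "module" and
# "pos" request values of brokenscanner. Allowed values are taken from the page;
# function names and the comma-separated string form of pos are assumptions.

ALLOWED_MODULES = frozenset([
    "xss_scan.HtmlXssScan",
    "sqli_scan.UnionSqliScan.MySQLScan",
    "sqli_scan.UnionSqliScan.MsSQLScan",
    "xss_scan.JsXssScan",
])

# Every list in the page's pos_waf is a non-empty subset of these three, so
# "non-empty subset of POSITIONS, no duplicates" is equivalent to that explicit list.
POSITIONS = ("param", "body", "json")


def validate_module(module):
    """Return module only if it is exactly one of the allowed dotted names."""
    if not isinstance(module, str) or module not in ALLOWED_MODULES:
        raise ValueError("module not allowed: %r" % (module,))
    return module


def validate_pos(pos):
    """Return pos canonicalised to the page's order (param, body, json), or raise."""
    if isinstance(pos, str):
        pos = [p.strip() for p in pos.split(",")]   # assumed form: "param,body"
    if not isinstance(pos, (list, tuple)) or not pos:
        raise ValueError("pos must be a non-empty list")
    wanted = set(pos)
    # reject unknown positions and duplicates in one go
    if not wanted <= set(POSITIONS) or len(wanted) != len(pos):
        raise ValueError("pos not allowed: %r" % (pos,))
    return [p for p in POSITIONS if p in wanted]


def sanitize_request(module, pos):
    """Mirror the writeup's fix: an invalid value becomes '' instead of raising."""
    try:
        module = validate_module(module)
    except ValueError:
        module = ""
    try:
        pos = validate_pos(pos)
    except ValueError:
        pos = ""
    return module, pos


if __name__ == "__main__":
    # constructed inputs: one legitimate request and one with a smuggled module name
    print(sanitize_request("xss_scan.HtmlXssScan", ["json", "param"]))
    print(sanitize_request("os.system", ["param"]))
```

Raising in the validators and catching in the wrapper keeps the "blank on failure" behaviour of the patch while leaving a clean place to log the rejected value in the real service.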

CrazyData-fix

The vulnerability is in src\jsonrpclib\SimpleJSONRPCServer.py: data is attacker-controlled, so it is enough to put a WAF check on it. The modified code:

data = ''.join(L)
# Denylist: if any of these substrings appears in the request body, discard the whole body
blacklists = ["print", "cat", "flag", "nc", "bash", "sh", "curl", "{{", "}}", "wget", "ash", "session", "class", "subclasses", "for", "popen", "args", "{%", "%}"]
for i in blacklists:
    if i in data:
        data = " "

Note that these are plain substring matches, so short entries such as "sh" and "for" also hit ordinary words like "format"; make sure the checker's own requests still pass after deploying the patch.

Then write a shell script to package and upload it.
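As an added example (not the writeup's patch and not jsonrpclib code), the denylist above applied to a JSON-RPC request body. It goes further than the plain substring check in one respect: it decodes the body as JSON and checks every decoded string as well, so a banned term hidden behind JSON escapes such as "\u0070rint" is still caught. The function names and the sample request bodies are constructed for this example.

```python
# Added example, not the writeup's code: the page's denylist applied to a JSON-RPC
# body, with the body decoded first so that \u-escaped strings cannot slip past a
# raw substring check. Function names and sample bodies are constructed here.
import json

BLACKLIST = ["print", "cat", "flag", "nc", "bash", "sh", "curl", "{{", "}}", "wget",
             "ash", "session", "class", "subclasses", "for", "popen", "args", "{%", "%}"]


def find_banned(text):
    """Return the first denylist entry found in text (case-insensitive), else None."""
    lowered = text.lower()
    for term in BLACKLIST:
        if term in lowered:
            return term
    return None


def _strings_in(value):
    """Yield every string inside a decoded JSON value, including dict keys."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield k
            yield from _strings_in(v)
    elif isinstance(value, list):
        for item in value:
            yield from _strings_in(item)


def filter_request(data):
    """Return (data, None) if clean, or (" ", matched_term) as the writeup's patch does.

    The raw body is checked first; if it is clean and parses as JSON, every decoded
    string is checked too, so escape sequences cannot hide a banned term.
    """
    hit = find_banned(data)
    if hit is None:
        try:
            decoded = json.loads(data)
        except ValueError:
            decoded = None          # not JSON: the raw check is all we can do
        for s in _strings_in(decoded):
            hit = find_banned(s)
            if hit is not None:
                break
    return (" ", hit) if hit is not None else (data, None)


if __name__ == "__main__":
    # constructed bodies: a normal call and one whose method name is escaped
    print(filter_request('{"jsonrpc": "2.0", "method": "add", "params": [1, 2], "id": 1}'))
    print(filter_request('{"jsonrpc": "2.0", "method": "\\u0070rint", "params": [], "id": 1}'))
```

The decode step is what makes the difference: the raw body of the second request contains "rint" but not "print", so the patch as written would let it through, while the decoded method name is "print". The same substring over-blocking applies here too ("format" trips "for"), which the test below records deliberately.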

fury-fix

apicontroller.class has a deserialization vulnerability; the fix is an allowlist that pins the deserialized person object to the Person class.
The vulnerable source:

public String api(@RequestParam(value = "apistr", required = false, defaultValue = "") String apistr, Model model) {
    if (apistr.equals("")) {
        model.addAttribute("msg", "{ \"id\": 1, \"name\": \"admin\", \"age\": 21, \"phone\": \"13300000000\" }");
    } else {
        try {
            Fury fury = Fury.builder().withLanguage(Language.JAVA).requireClassRegistration(false).build();
            byte[] decode = Base64.getDecoder().decode(apistr);
            Object person = fury.deserialize(decode);
            JSONObject entries = JSONUtil.parseObj(person);
            model.addAttribute("msg", entries.toString());
        } catch (Exception var7) {
            model.addAttribute("msg", "error apistr");
        }
    }

    return "index";
}

The attacker controls what person deserializes into, so add an allowlist that pins it to the Person class. The patch below goes on the line right after Object person…:

String personbyte = person.getClass().getName();
// compare with equals(): "!=" on Strings compares references, not contents
if (!"com.fury.Bean.Person".equals(personbyte)) {
    person = " ";
}

Keep in mind that this check only runs after fury.deserialize() has returned, so whatever a gadget class does while it is being deserialized has already happened by then. The more robust fix is to leave Fury's class registration on (requireClassRegistration(true), which is Fury's default) and register only Person with fury.register(Person.class), so that Fury refuses to instantiate any other class in the first place.