强网拟态2025决赛awd_rasp复现
这道题引入了大量危险依赖,其中 commons-collections 3.2.1、commons-collections4 4.0、commons-beanutils 1.9.2、groovy 2.3.9、aspectjweaver 1.9.2 以及 Coherence 都是公开的 Java 反序列化 gadget 链研究中常见的库。完整依赖如下: 1 <dependencies> 2 3 <!-- AOP / Aspect --> 4 <dependency> 5 <groupId>org.glassfish.hk2.external</groupId> 6 <artifactId>aopalliance-repackaged</artifactId> 7 <version>2.6.1</version> 8 </dependency> 9 10 <dependency> 11 <groupId>org.aspectj</groupId> 12 <artifactId>aspectjweaver</artifactId> 13 <version>1.9.2</version> 14 </dependency> 15 16 <!-- Oracle Coherence --> 17 <dependency> 18 <groupId>com.oracle.coherence.ce</groupId> 19 <artifactId>coherence</artifactId> 20 <version>14.1.1-0-3</version> 21 </dependency> 22 23 <dependency> 24 <groupId>com.oracle.coherence.ce</groupId> 25 <artifactId>coherence-rest</artifactId> 26 <version>14.1.1-0-3</version> 27 </dependency> 28 29 <!-- Commons --> 30 <dependency> 31 <groupId>commons-beanutils</groupId> 32 <artifactId>commons-beanutils</artifactId> 33 <version>1.9.2</version> 34 </dependency> 35 36 <dependency> 37 <groupId>commons-collections</groupId> 38 <artifactId>commons-collections</artifactId> 39 <version>3.2.1</version> 40 </dependency> 41 42 <dependency> 43 <groupId>org.apache.commons</groupId> 44 <artifactId>commons-collections4</artifactId> 45 <version>4.0</version> 46 </dependency> 47 48 <dependency> 49 <groupId>commons-logging</groupId> 50 <artifactId>commons-logging</artifactId> 51 <version>1.2</version> 52 </dependency> 53 54 <!-- Groovy --> 55 <dependency> 56 <groupId>org.codehaus.groovy</groupId> 57 <artifactId>groovy</artifactId> 58 <version>2.3.9</version> 59 </dependency> 60 61 <!-- HK2 --> 62 <dependency> 63 <groupId>org.glassfish.hk2</groupId> 64 <artifactId>hk2-api</artifactId> 65 <version>2.6.1</version> 66 </dependency> 67 68 <dependency> 69 <groupId>org.glassfish.hk2</groupId> 70 <artifactId>hk2-locator</artifactId> 71 <version>2.6.1</version> 72 </dependency> 73 74 <dependency> 75 <groupId>org.glassfish.hk2</groupId> 76 <artifactId>hk2-utils</artifactId> 77 <version>2.6.1</version> 78 </dependency> 79 80 <!-- Jackson --> 81 <dependency> 82 
<groupId>com.fasterxml.jackson.core</groupId> 83 <artifactId>jackson-annotations</artifactId> 84 <version>2.13.4</version> 85 </dependency> 86 87 <dependency> 88 <groupId>com.fasterxml.jackson.core</groupId> 89 <artifactId>jackson-core</artifactId> 90 <version>2.13.4</version> 91 </dependency> 92 93 <dependency> 94 <groupId>com.fasterxml.jackson.core</groupId> 95 <artifactId>jackson-databind</artifactId> 96 <version>2.13.4.2</version> 97 </dependency> 98 99 <dependency> 100 <groupId>com.fasterxml.jackson.datatype</groupId> 101 <artifactId>jackson-datatype-jdk8</artifactId> 102 <version>2.13.4</version> 103 </dependency> 104 105 <dependency> 106 <groupId>com.fasterxml.jackson.datatype</groupId> 107 <artifactId>jackson-datatype-jsr310</artifactId> 108 <version>2.13.4</version> 109 </dependency> 110 111 <dependency> 112 <groupId>com.fasterxml.jackson.jaxrs</groupId> 113 <artifactId>jackson-jaxrs-base</artifactId> 114 <version>2.13.4</version> 115 </dependency> 116 117 <dependency> 118 <groupId>com.fasterxml.jackson.jaxrs</groupId> 119 <artifactId>jackson-jaxrs-json-provider</artifactId> 120 <version>2.13.4</version> 121 </dependency> 122 123 <dependency> 124 <groupId>com.fasterxml.jackson.module</groupId> 125 <artifactId>jackson-module-jaxb-annotations</artifactId> 126 <version>2.13.4</version> 127 </dependency> 128 129 <dependency> 130 <groupId>com.fasterxml.jackson.module</groupId> 131 <artifactId>jackson-module-parameter-names</artifactId> 132 <version>2.13.4</version> 133 </dependency> 134 135 <!-- Jakarta --> 136 <dependency> 137 <groupId>jakarta.activation</groupId> 138 <artifactId>jakarta.activation-api</artifactId> 139 <version>1.2.2</version> 140 </dependency> 141 142 <dependency> 143 <groupId>jakarta.annotation</groupId> 144 <artifactId>jakarta.annotation-api</artifactId> 145 <version>1.3.5</version> 146 </dependency> 147 148 <dependency> 149 <groupId>jakarta.validation</groupId> 150 <artifactId>jakarta.validation-api</artifactId> 151 
<version>2.0.2</version> 152 </dependency> 153 154 <dependency> 155 <groupId>jakarta.ws.rs</groupId> 156 <artifactId>jakarta.ws.rs-api</artifactId> 157 <version>2.1.6</version> 158 </dependency> 159 160 <dependency> 161 <groupId>jakarta.xml.bind</groupId> 162 <artifactId>jakarta.xml.bind-api</artifactId> 163 <version>2.3.3</version> 164 </dependency> 165 166 <!-- Javassist --> 167 <dependency> 168 <groupId>org.javassist</groupId> 169 <artifactId>javassist</artifactId> 170 <version>3.25.0-GA</version> 171 </dependency> 172 173 <!-- Jersey --> 174 <dependency> 175 <groupId>org.glassfish.jersey.core</groupId> 176 <artifactId>jersey-client</artifactId> 177 <version>2.35</version> 178 </dependency> 179 180 <dependency> 181 <groupId>org.glassfish.jersey.core</groupId> 182 <artifactId>jersey-common</artifactId> 183 <version>2.35</version> 184 </dependency> 185 186 <dependency> 187 <groupId>org.glassfish.jersey.containers</groupId> 188 <artifactId>jersey-container-jdk-http</artifactId> 189 <version>2.35</version> 190 </dependency> 191 192 <dependency> 193 <groupId>org.glassfish.jersey.containers</groupId> 194 <artifactId>jersey-container-servlet</artifactId> 195 <version>2.35</version> 196 </dependency> 197 198 <dependency> 199 <groupId>org.glassfish.jersey.containers</groupId> 200 <artifactId>jersey-container-servlet-core</artifactId> 201 <version>2.35</version> 202 </dependency> 203 204 <dependency> 205 <groupId>org.glassfish.jersey.ext</groupId> 206 <artifactId>jersey-entity-filtering</artifactId> 207 <version>2.35</version> 208 </dependency> 209 210 <dependency> 211 <groupId>org.glassfish.jersey.inject</groupId> 212 <artifactId>jersey-hk2</artifactId> 213 <version>2.35</version> 214 </dependency> 215 216 <dependency> 217 <groupId>org.glassfish.jersey.media</groupId> 218 <artifactId>jersey-media-json-jackson</artifactId> 219 <version>2.35</version> 220 </dependency> 221 222 <dependency> 223 <groupId>org.glassfish.jersey.media</groupId> 224 
<artifactId>jersey-media-sse</artifactId> 225 <version>2.35</version> 226 </dependency> 227 228 <dependency> 229 <groupId>org.glassfish.jersey.core</groupId> 230 <artifactId>jersey-server</artifactId> 231 <version>2.35</version> 232 </dependency> 233 234 <!-- JTA --> 235 <dependency> 236 <groupId>javax.transaction</groupId> 237 <artifactId>jta</artifactId> 238 <version>1.1</version> 239 </dependency> 240 241 <!-- Logging --> 242 <dependency> 243 <groupId>org.slf4j</groupId> 244 <artifactId>jul-to-slf4j</artifactId> 245 <version>1.7.36</version> 246 </dependency> 247 248 <dependency> 249 <groupId>org.slf4j</groupId> 250 <artifactId>slf4j-api</artifactId> 251 <version>1.7.36</version> 252 </dependency> 253 254 <dependency> 255 <groupId>org.apache.logging.log4j</groupId> 256 <artifactId>log4j-api</artifactId> 257 <version>2.17.2</version> 258 </dependency> 259 260 <dependency> 261 <groupId>org.apache.logging.log4j</groupId> 262 <artifactId>log4j-to-slf4j</artifactId> 263 <version>2.17.2</version> 264 </dependency> 265 266 <dependency> 267 <groupId>ch.qos.logback</groupId> 268 <artifactId>logback-classic</artifactId> 269 <version>1.2.11</version> 270 </dependency> 271 272 <dependency> 273 <groupId>ch.qos.logback</groupId> 274 <artifactId>logback-core</artifactId> 275 <version>1.2.11</version> 276 </dependency> 277 278 <!-- OSGI --> 279 <dependency> 280 <groupId>org.glassfish.hk2</groupId> 281 <artifactId>osgi-resource-locator</artifactId> 282 <version>1.0.3</version> 283 </dependency> 284 285 <!-- SnakeYAML --> 286 <dependency> 287 <groupId>org.yaml</groupId> 288 <artifactId>snakeyaml</artifactId> 289 <version>1.29</version> 290 </dependency> 291 292 <!-- Spring Framework --> 293 <dependency> 294 <groupId>org.springframework</groupId> 295 <artifactId>spring-aop</artifactId> 296 <version>5.3.23</version> 297 </dependency> 298 299 <dependency> 300 <groupId>org.springframework</groupId> 301 <artifactId>spring-beans</artifactId> 302 <version>5.3.23</version> 303 
</dependency> 304 305 <dependency> 306 <groupId>org.springframework</groupId> 307 <artifactId>spring-context</artifactId> 308 <version>5.3.23</version> 309 </dependency> 310 311 <dependency> 312 <groupId>org.springframework</groupId> 313 <artifactId>spring-core</artifactId> 314 <version>5.3.23</version> 315 </dependency> 316 317 <dependency> 318 <groupId>org.springframework</groupId> 319 <artifactId>spring-expression</artifactId> 320 <version>5.3.23</version> 321 </dependency> 322 323 <dependency> 324 <groupId>org.springframework</groupId> 325 <artifactId>spring-jcl</artifactId> 326 <version>5.3.23</version> 327 </dependency> 328 329 <dependency> 330 <groupId>org.springframework</groupId> 331 <artifactId>spring-web</artifactId> 332 <version>5.3.23</version> 333 </dependency> 334 335 <dependency> 336 <groupId>org.springframework</groupId> 337 <artifactId>spring-webmvc</artifactId> 338 <version>5.3.23</version> 339 </dependency> 340 341 <dependency> 342 <groupId>org.springframework</groupId> 343 <artifactId>spring-tx</artifactId> 344 <version>5.3.30</version> 345 </dependency> 346 347 <!-- Spring Boot --> 348 <dependency> 349 <groupId>org.springframework.boot</groupId> 350 <artifactId>spring-boot</artifactId> 351 <version>2.6.13</version> 352 </dependency> 353 354 <dependency> 355 <groupId>org.springframework.boot</groupId> 356 <artifactId>spring-boot-autoconfigure</artifactId> 357 <version>2.6.13</version> 358 </dependency> 359 360 <dependency> 361 <groupId>org.springframework.boot</groupId> 362 <artifactId>spring-boot-jarmode-layertools</artifactId> 363 <version>2.6.13</version> 364 </dependency> 365 366 <!-- Tomcat --> 367 <dependency> 368 <groupId>org.apache.tomcat.embed</groupId> 369 <artifactId>tomcat-embed-core</artifactId> 370 <version>9.0.68</version> 371 </dependency> 372 373 <dependency> 374 <groupId>org.apache.tomcat.embed</groupId> 375 <artifactId>tomcat-embed-el</artifactId> 376 <version>9.0.68</version> 377 </dependency> 378 379 <dependency> 380 
<groupId>org.apache.tomcat.embed</groupId> 381 <artifactId>tomcat-embed-websocket</artifactId> 382 <version>9.0.68</version> 383 </dependency> 相应地,WAF 也非常长,共有两处:一处是 resolveClass 中的 WAF,另一处是 RASP 中的 WAF。从防御角度看,类路径上可用的 gadget 库越多,按类名逐一拦截的名单就越难覆盖完整,这大概也是两处过滤都写得很长的原因 ...