2024 CISCN Preliminary Round: ezjava
JDBC Attack: SQLite loading a malicious .so file
Analyzing JdbcController, starting at com.example.jdbctest.controller.JdbcController#connect:
```java
@RequestMapping({"/connect"})
@ResponseBody
public ResultBean connect(@RequestBody JdbcBean jdbcBean) {
    try {
        return new ResultBean(1, String.join(",", this.datasourceServiceImpl.testDatasourceConnectionAble(jdbcBean)));
    } catch (Exception var3) {
        return new ResultBean(0, "连接失败");
    }
}
```
It instantiates a connection test; follow into com.example.jdbctest.services.datasourceServiceImpl#testDatasourceConnectionAble:
```java
public String[] testDatasourceConnectionAble(JdbcBean jdbcBean) throws ClassNotFoundException, SQLException {
    DatasourceLoadConfig var10000 = this.datasourceLoadConfig;
    Map<String, String> config = DatasourceLoadConfig.getConfig();
    switch (jdbcBean.getType()) {
        case 1:
            Class.forName((String) config.get("JDBC-MYSQL"));
            MysqlDatasourceConnector mysqlDatasourceConnector = new MysqlDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));
            if (jdbcBean.getTableName() != null) {
                return mysqlDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }
            return mysqlDatasourceConnector.getTables();
        case 2:
            Class.forName((String) config.get("JDBC-POSTGRES"));
            PostgresDatasourceConnector postgresDatasourceConnector = new PostgresDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));
            if (jdbcBean.getTableName() != null) {
                return postgresDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }
            return postgresDatasourceConnector.getTables();
        case 3:
            SqliteDatasourceConnector sqliteDatasourceConnector = new SqliteDatasourceConnector(jdbcBean.getUrl());
            if (jdbcBean.getTableName() != null) {
                return sqliteDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }
            return sqliteDatasourceConnector.getTables();
        case 4:
            Class.forName((String) config.get("JDBC-SQLITE"));
            return new String[]{""};
        default:
            return new String[]{""};
    }
}
```
From sqliteDatasourceConnector.getTableContent, follow into com.example.jdbctest.services.DatasourceServiceImpl#getTableContent (the decompiler output below is incomplete; the JDBC URL and the table name both come straight from the request body):
```java
public String[] getTableContent(String tableName) {
    // tableName is concatenated into the statement without quoting or validation
    String sql = "select * from " + tableName;
    try {
        Statement statement = this.connection.createStatement();
        Throwable var4 = null;
        try {
            ResultSet resultSet = statement.executeQuery(sql);
            Throwable var6 = null;
        }
    }
    return new String[0];
}
```
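The sink above splices tableName straight into the query text. What follows is an added example, not the challenge's code, of a hardened replacement: it resolves the requested name against the tables the connection actually reports through DatabaseMetaData and quotes the identifier, so only an existing table name ever reaches the SQL. The class name SafeSqliteConnector and its constructor are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Hypothetical hardened connector; connection is assumed to be an open java.sql.Connection.
public class SafeSqliteConnector {
    private final Connection connection;
    public SafeSqliteConnector(Connection connection) {
        this.connection = connection;
    }

    // Resolve the user-supplied name against the tables the database itself reports.
    // Any string that is not an existing table name never reaches the query text.
    private String resolveTable(String requested) throws SQLException {
        DatabaseMetaData meta = connection.getMetaData();
        try (ResultSet rs = meta.getTables(null, null, "%", new String[]{"TABLE"})) {
            while (rs.next()) {
                String name = rs.getString("TABLE_NAME");
                if (name.equals(requested)) {
                    return name; // return the catalog's copy, not the caller's string
                }
            }
        }
        throw new SQLException("unknown table: " + requested);
    }

    public List<String> getTableContent(String tableName) throws SQLException {
        String table = resolveTable(tableName);
        // Double-quote the identifier (standard SQL quoting, accepted by SQLite) and escape
        // embedded quotes, so even an unusual but legitimate name stays an identifier.
        String sql = "select * from \"" + table.replace("\"", "\"\"") + "\"";
        List<String> rows = new ArrayList<>();
        try (Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery(sql)) {
            int cols = resultSet.getMetaData().getColumnCount();
            while (resultSet.next()) {
                StringBuilder row = new StringBuilder();
                for (int i = 1; i <= cols; i++) {
                    if (i > 1) row.append(',');
                    row.append(resultSet.getString(i));
                }
                rows.add(row.toString());
            }
        }
        return rows;
    }
}
```

The same allowlist check belongs on the JDBC URL in testDatasourceConnectionAble, since the driver class and connection string are chosen by the caller there as well.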
BoardLight (Linux · Easy) CVE-2023-30253 + CVE-2022-37706
Enumeration

nmap

```
nmap -A -Pn -v -T4 10.10.11.11
Nmap scan report for board.htb (10.10.11.11)
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerne
```
Add a hosts entry:

```bash
echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
```

gobuster

```bash
gobuster vhost -u http://board.htb --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```