虚拟机里搭 CVE-2020-14882环境用了一天半。。。。 help me…哎= =
1. 整理下 Shiro-550 漏洞
2. hws 预夏令营的 WP:两道 RE 题
一、Ubuntu 切换到 NAT 模式
docker run -d -p 8081:8080 medicean/vulapps:s_shiro_1
得ip
特征
打开工具
输入cmd
在弹出的命令行输入以下命令,指定 Java 环境(Tab 键可自动补全)
准备连冰蝎
同理开冰蝎
得到受害机目录
漏洞原理:
由于Apache Shiro cookie中通过 AES-128-CBC 模式加密的rememberMe字段存在问题,用户可通过Padding Oracle 加密生成的攻击代码来构造恶意的rememberMe字段,并重新请求网站,进行反序列化攻击,最终导致任意代码执行。
影响版本:Apache Shiro < 1.4.2
二、hws
xtea
一个 TEA 加密,再逆向写出解密:
#include <stdio.h>
/* 128-bit TEA key as presented by the challenge, one byte per element.
 * The bytes are kept in the challenge's order here; tea_decode() swaps each
 * 4-byte group in place before reading the array as 32-bit words. */
unsigned char KEY[16] = {
    0x0, 0x1, 0x3, 0x4,
    0x5, 0x6, 0x7, 0x8,
    0x9, 0xa, 0xb, 0xc,
    0xd, 0xe, 0xf, 0x0,
};

/* Ciphertext: four 8-byte TEA blocks, decrypted in place by tea_decode(). */
unsigned char ENC[32] = {
    0x42, 0xC7, 0xCA, 0x40, 0xC1, 0x75, 0x16, 0xEF,
    0xE7, 0x37, 0x6E, 0x69, 0x1B, 0x0B, 0x0F, 0x78,
    0xDF, 0xE0, 0xE0, 0x7B, 0x5F, 0x50, 0x57, 0x05,
    0xF4, 0x73, 0xD2, 0x35, 0x47, 0xD5, 0x6C, 0x5A,
};
/* Return the TEA round-sum reached after 32 encryption rounds.
 *
 * TEA's per-round constant is delta = 0x9e3779b9; 0x61c88647 is its
 * two's-complement negation, so subtracting it 32 times from zero equals
 * adding delta 32 times modulo 2^32. The result is where decryption starts
 * counting the sum back down (see tea_decode()). */
unsigned int get_delat()
{
    const unsigned int neg_delta = 0x61c88647;
    unsigned int sum = 0;
    int round = 0;
    while (round < 32) {
        sum -= neg_delta;
        round++;
    }
    return sum;
}
/* Reverse the byte order of every aligned 4-byte group in `a`.
 *
 * The buffer is processed as len/4 groups; a trailing partial group (when
 * len is not a multiple of 4) is left untouched. Swapping bytes 0<->3 and
 * 1<->2 flips a group between big- and little-endian layout, which is how
 * the solver turns the challenge's byte arrays into the 32-bit words the
 * TEA round function consumes. */
void byte_order(unsigned char *a, int len)
{
    int groups = len / 4;
    for (int g = 0; g < groups; g++) {
        unsigned char *w = a + 4 * g;
        unsigned char first = w[0];
        unsigned char second = w[1];
        w[0] = w[3];
        w[3] = first;
        w[1] = w[2];
        w[2] = second;
    }
}
/* Decrypt the four 8-byte blocks in ENC in place using the key in KEY.
 *
 * Both arrays are byte-swapped per 4-byte group and then viewed through
 * unsigned int pointers; the cast aliases a char array as int and presumably
 * targets a little-endian host -- acceptable for a throwaway solver, not for
 * portable code. The round function below is the standard TEA decryption
 * step, v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3), with
 * `v0 * 0x10` standing in for `v0 << 4`. The original source spelled it
 * without parentheses and relied on `+` binding tighter than `^`; the
 * grouping is written out explicitly here. After 32 rounds per block the
 * byte order is restored so ENC holds the plaintext bytes. */
void tea_decode()
{
    byte_order(KEY, 16);
    byte_order(ENC, 32);
    const unsigned int *k = (const unsigned int *)KEY;
    for (int block = 0; block < 4; block++) {
        unsigned int *v = (unsigned int *)(ENC + 8 * block);
        unsigned int sum = get_delat();
        for (int round = 0; round < 32; round++) {
            v[1] -= ((v[0] >> 5) + k[3]) ^ (sum + v[0]) ^ (v[0] * 0x10 + k[2]);
            v[0] -= ((v[1] >> 5) + k[1]) ^ (sum + v[1]) ^ (v[1] * 0x10 + k[0]);
            sum += 0x61c88647;
        }
    }
    byte_order(ENC, 32);
}
/* Entry point: decrypt ENC in place and write its 32 plaintext bytes to stdout. */
int main(void)
{
    tea_decode();
    fwrite(ENC, 1, 0x20, stdout);
    return 0;
}
//flag{th1s_is_TEA_enc0de_hahaha_}
BabyTrans
先对输入加 6,然后用密钥为 [1]*16 的 AES-ECB 加密,接着对密文进行几十次加法(使用 paddb,按 16 字节一组逐字节相加)。
逆向解密:
#coding:utf-8
import base64
from Crypto.Cipher import AES
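class AesEncry(object):
    """AES-128-ECB decryptor with the challenge's fixed key of sixteen 0x01 bytes.

    ECB mode and a hard-coded key mirror what the challenge binary does; this
    is a solve-script helper, not a general-purpose cipher wrapper.
    """

    # Sixteen 0x01 bytes: the key the challenge binary hands to AES.
    key = bytes([0x01] * 16)

    def decrypt(self, data):
        """Base64-decode *data* and return its raw AES-ECB decryption as bytes.

        Args:
            data: base64-encoded ciphertext (``bytes`` or ``str``). The decoded
                length must be a multiple of 16, otherwise ``AES.decrypt``
                rejects it.

        Returns:
            The decrypted bytes with no padding removed.
        """
        cipher = AES.new(self.key, AES.MODE_ECB)
        # Feed the decoded bytes straight to AES; the earlier version
        # round-tripped them through list() and back, which changed nothing.
        return cipher.decrypt(base64.b64decode(data))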
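# Constants the binary adds to the ciphertext, one full pass over all 32 bytes
# per entry (the writeup says the adds are 16-byte paddb, i.e. wrap modulo 256).
num = [111, 95, 63, 62, 52, 21, 115, 70, 18, 19, 20, 59, 97, 44, 49, 45, 13, 29, 39, 89, 74, 104, 14, 28, 12, 10, 113, 84, 83, 93, 40, 27, 125, 112, 90, 91, 114, 4, 48, 47, 5, 66, 77, 72, 122, 71, 73, 9, 78, 17, 61, 98, 124, 3, 87, 8, 2, 58, 119, 46, 15, 34, 69, 51, 26, 105, 56, 37, 109, 16, 38, 118, 23, 35, 117, 86, 92, 82, 53, 31, 88, 24, 57, 33, 99, 103, 76, 120, 116, 41, 11, 65, 55, 6, 68, 123, 32, 108, 110, 7, 54, 60, 96, 107, 67, 127, 64, 75, 94, 79, 42, 22, 101, 100, 43, 1, 126, 30, 36, 81, 25, 102, 80, 121, 106, 85, 50]
# The 32 output bytes taken from the binary (per the writeup).
enc = [0x70, 0xC2, 0x2D, 0xDF, 0xD8, 0x1C, 0x87, 0xEA, 0x1D, 0x28, 0x93, 0x5B, 0xCF, 0x4D, 0x02, 0xFC, 0xFF, 0xD9, 0xC6, 0x61, 0x4D, 0x56, 0x4F, 0x5B, 0x3A, 0x4E, 0xCA, 0xE6, 0x70, 0x25, 0x8F, 0x8B]

# Undo the byte-wise additions in reverse order; each step is reduced mod 256
# to mirror paddb, so the list always holds valid byte values.
for delta in reversed(num):
    enc = [(b - delta) & 0xff for b in enc]

# AesEncry.decrypt() takes base64 input, so encode the recovered ciphertext.
enc = base64.b64encode(bytes(enc))
flag = AesEncry().decrypt(enc)

# The binary added 6 to every input byte before encryption; subtract it back.
# Wrapping mod 256 keeps bytes() from raising ValueError on a value below 6,
# which the unwrapped `flag[i] -= 6` would have done.
flag = [(b - 6) & 0xff for b in flag]
print(bytes(flag))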
#160d2ef62f297d3e576e7e048fb9c16
hws夏令营 yyds