[羊城杯 2020]A Piece Of Java复现记录

这题打开首页什么都没有,访问题目的github拿到一个jar包,放进jd-gui反编译一下,看看Controller的源码:

package BOOT-INF.classes.gdufs.challenge.web.controller;
import gdufs.challenge.web.controller.MainController;
import gdufs.challenge.web.model.Info;
import gdufs.challenge.web.model.UserInfo;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.nibblesec.tools.SerialKiller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Spring MVC controller (as decompiled from the challenge jar) that keeps its
 * per-user state in a client-side cookie named {@code data}.
 *
 * <p>Security-relevant summary: the cookie value is a Base64-encoded Java
 * serialized object. It is produced by {@code serialize} and read back by
 * {@code deserialize}; no signature, MAC or encryption is applied anywhere in
 * this class, so the bytes that reach {@code readObject()} are fully
 * controlled by the client. The only guard visible here is the SerialKiller
 * stream configured through {@code serialkiller.conf}.
 *
 * <p>NOTE(review): designs that avoid this class of problem keep the state
 * server-side (session), or authenticate the cookie (e.g. HMAC verified
 * before decoding) and use a data-only format instead of native serialization.
 */
@Controller
public class MainController {
  /**
   * Returns the {@code index} view, or redirects to {@code /hello} when a
   * non-empty {@code data} cookie is already present.
   *
   * <p>Only the presence of the cookie is tested; its content is not parsed
   * or validated in this method.
   *
   * @param cookieData raw value of the {@code data} cookie, {@code null} if absent
   * @return the view name {@code "index"} or a redirect to {@code /hello}
   */
  @GetMapping({"/index"})
  public String index(@CookieValue(value = "data", required = false) String cookieData) {
    if (cookieData != null && !cookieData.equals("")) {
      return "redirect:/hello";
    }
    return "index";
  }
  /**
   * Handles the form POST: copies the submitted username and password into a
   * {@link UserInfo} and stores its serialized form in the {@code data} cookie.
   *
   * <p>No credential check is performed here; any username/password pair is
   * accepted and echoed back inside the cookie.
   *
   * <p>NOTE(review): the password ends up in the cookie as part of the
   * serialized object. Base64 is an encoding, not encryption, so anyone who
   * can read the cookie can recover it. Neither HttpOnly nor Secure is set on
   * the cookie in this method.
   *
   * @param username form field {@code username}
   * @param password form field {@code password}
   * @param response servlet response that receives the {@code data} cookie
   * @return a redirect to {@code /hello}
   */
  @PostMapping({"/index"})
  public String index(@RequestParam("username") String username, @RequestParam("password") String password, HttpServletResponse response) {
    UserInfo userinfo = new UserInfo();
    userinfo.setUsername(username);
    userinfo.setPassword(password);
    // serialize() returns null on failure; that value is passed to the Cookie
    // constructor without a check.
    Cookie cookie = new Cookie("data", serialize(userinfo));
    // Cookie lifetime in seconds: 2592000 s = 30 days.
    cookie.setMaxAge(2592000);
    response.addCookie(cookie);
    return "redirect:/hello";
  }
  /**
   * Builds the {@code hello} view from the object stored in the {@code data} cookie.
   *
   * <p>This is the trust boundary of the class: {@code cookieData} comes
   * straight from the request and is handed to {@code deserialize}, so the
   * client decides which serialized object graph the server reads.
   *
   * @param cookieData raw value of the {@code data} cookie, {@code null} if absent
   * @param model view model; receives attribute {@code info} when deserialization succeeds
   * @return the view name {@code "hello"} or a redirect to {@code /index}
   */
  @GetMapping({"/hello"})
  public String hello(@CookieValue(value = "data", required = false) String cookieData, Model model) {
    if (cookieData == null || cookieData.equals("")) {
      return "redirect:/index";
    }
    // The cast runs only after readObject() has already returned, so it does
    // not restrict which classes get instantiated during deserialization. An
    // object that is not an Info raises ClassCastException here, uncaught in
    // this method.
    Info info = (Info)deserialize(cookieData);
    if (info != null) {
      // getAllInfo() is invoked on whatever Info implementation the stream
      // produced, with state taken from the cookie.
      // NOTE(review): the Info implementations are not shown here; audit each
      // one the filter lets through.
      model.addAttribute("info", info.getAllInfo());
    }
    return "hello";
  }
  /**
   * Serializes {@code obj} with Java native serialization and Base64-encodes
   * the resulting bytes.
   *
   * <p>The output is neither encrypted nor authenticated, so a client can
   * read it and replace it with arbitrary bytes.
   *
   * @param obj object to serialize
   * @return Base64 text, or {@code null} if serialization throws
   */
  private String serialize(Object obj) {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try {
      ObjectOutputStream oos = new ObjectOutputStream(baos);
      oos.writeObject(obj);
      // Not reached if writeObject() throws; there is no finally block.
      oos.close();
    } catch (Exception e) {
      // Any failure is printed to stderr and reported to the caller as null.
      e.printStackTrace();
      return null;
    } 
    return new String(Base64.getEncoder().encode(baos.toByteArray()));
  }
  /**
   * Base64-decodes {@code base64data} and deserializes the bytes through a
   * SerialKiller stream configured by {@code serialkiller.conf}.
   *
   * <p>SerialKiller is a look-ahead {@code ObjectInputStream} that checks
   * class names against its configuration before resolving them. Which
   * classes are allowed or blocked is defined in {@code serialkiller.conf},
   * which is not shown here, so the strength of this guard cannot be judged
   * from this class alone.
   *
   * @param base64data Base64 text taken from the {@code data} cookie (untrusted)
   * @return the deserialized object, or {@code null} if reading throws
   */
  private Object deserialize(String base64data) {
    Object obj;
    // decode() sits outside the try block: malformed Base64 throws
    // IllegalArgumentException, which propagates to the caller.
    ByteArrayInputStream bais = new ByteArrayInputStream(Base64.getDecoder().decode(base64data));
   
    try {
      SerialKiller serialKiller = new SerialKiller(bais, "serialkiller.conf");
      obj = serialKiller.readObject();
      // Skipped when readObject() throws; there is no finally block.
      serialKiller.close();
    } catch (Exception e) {
      // Every failure, including a stream rejected by the filter, is only
      // printed to stderr and turned into null, which hello() treats as
      // "no info".
      // NOTE(review): for detection, rejected payloads should reach a real
      // log or alert rather than a stack trace.
      e.printStackTrace();
      return null;
    } 
    return obj;
  }
}

审计一下:
