p0l1st's blog
p0l1st's blog
Home avatar

p0l1st

L3HCTF2025 TellMeWhy

p0l1st p0l1st published on  included in CTF

使用了solon框架,存在fastjson2依赖

img

并且/baby/why路由可以反序列化

存在反序列化黑名单

img

  • javax.management.BadAttributeValueExpException
  • javax.swing.event.EventListenerList
  • javax.swing.UIDefaults$TextAndMnemonicHashMap

目的是想要过滤可以触发JsonArray.toString的链子,常见的可以触发toString方法的链子如下:

  • XString
Hashmap#readobject --> 
    XString#equals --> 
        JSONArray.toString
  • HotSwappableTargetSource
HashMap#readObject -> 
    HotSwappableTargetSource#equals -> 
        XString#equals -> 
            JSONArray.toString
  • BadAttributeValueExpException
BadAttributeValueExpException#readObject --> 
    JSONArray#toString
  • EventListenerList
EventListenerList#readobject --> 
    UndoManager#toString -->
        Vector#toString -->
            JSONArray#toString
  • TextAndMnemonicHashMap
hashmap#readObject-->
    HashMap#putVal-->
        AbstractMap#equals-->
            TextAndMnemonicHashMap#get-->
                JSONArray#toString

那么在这里我们可以利用XString去触发JsonArray.toString 或者可以用tabby去跑一下

Read More
Java安全

强网拟态2025初赛 Web Writeup

p0l1st p0l1st published on  included in CTF

smallcode 

<?php
    highlight_file(__FILE__);
    if(isset($_POST['context'])){
        $context = $_POST['context'];
        file_put_contents("1.txt",base64_decode($context));
    }

    if(isset($_POST['env'])){
        $env = $_POST['env'];
        putenv($env);
    }
    system("nohup wget --content-disposition -N hhhh &");

写so,编译

Read More
CTFWeb安全