Exploiting Java Tomcat With a Crazy JSP Web Shell - Real World CTF 2022

  • Published: 2 Oct 2024
  • This was a hard web CTF challenge involving a JSP file upload with very restricted character sets. We had to use the Expression Language (EL) to construct useful primitives and upload an ascii-only .jar file.
    Alternative writeups: github.com/voi...
    Fuzzing log4j with Jazzer: • Fuzzing Java to Find L...

Comments • 117

  • @TheThirdPrice
    @TheThirdPrice 2 years ago +294

    Wow! What a crazy technique, mad props to the folks who wrote the ASCII only jar, that's mental

    • @logiciananimal
      @logiciananimal 2 years ago +9

      Indeed - that's incredible. We could have had fun with that 25 years ago and not worried about uuencode! :)

  • @ismailcotton913
    @ismailcotton913 2 years ago +115

    AHA! FINALLY, after years of understanding nothing but "Bahnhof" in your videos, I, as a Java dev, understand a tiny bit. Feels good.

  • @PaulFisher
    @PaulFisher 2 years ago +123

    I can explain part of this! The reason that your uploaded jar got corrupted is because of the way String works in Java. Unlike a string in e.g. C++ or Go, String in Java represents a sequence of Unicode codepoints, much like the str class in Python. When you uploaded your jar, the bytes of your query had to be converted to a String at some point before the «GARBAGE BEFORE + data + GARBAGE AFTER» step. So your input bytes got interpreted as UTF-8 sequences, but because most binary data is just going to be invalid UTF-8, it all got replaced with � (which is then encoded back to UTF-8 as EFBFBD when the file is written). The pure-ASCII zipfile is an ingenious workaround.

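A Python model of the lossy path @PaulFisher describes, added here as an editor's example (not code from the video or the challenge): the upload bytes are decoded into a Unicode string with replacement and later encoded back to UTF-8, which is why only an archive built from ASCII bytes survives. The sample byte strings are constructed.

```python
import zlib

# U+FFFD encoded as UTF-8 is the EF BF BD sequence seen in the corrupted upload.
REPLACEMENT_UTF8 = "\ufffd".encode("utf-8")


def java_string_roundtrip(data: bytes) -> bytes:
    """Model the bytes -> String -> bytes path described in the comment:
    decode as UTF-8 (invalid sequences become U+FFFD), then encode the
    String back to UTF-8 when the file is written to disk."""
    return data.decode("utf-8", errors="replace").encode("utf-8")


def survives_roundtrip(data: bytes) -> bool:
    """True only if the bytes come back out of the String unchanged."""
    return java_string_roundtrip(data) == data


def non_ascii_offsets(data: bytes) -> list:
    """Offsets of bytes >= 0x80. Arbitrary binary data at these offsets is
    almost never valid UTF-8, so these are the bytes that get replaced."""
    return [i for i, b in enumerate(data) if b >= 0x80]


# Constructed samples: the zip local-file-header signature (50 4B 03 04) is
# pure ASCII and survives; the Java class-file magic (CA FE BA BE) and an
# ordinary deflate stream (zlib header 78 9C) contain bytes >= 0x80 and do not.
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
DEFLATED_PAYLOAD = zlib.compress(b"hello from a constructed jar entry")

if __name__ == "__main__":
    for name, sample in [("zip header", ZIP_LOCAL_HEADER_SIG),
                         ("class magic", CLASS_MAGIC),
                         ("deflate stream", DEFLATED_PAYLOAD)]:
        out = java_string_roundtrip(sample)
        print(f"{name:14} in={sample.hex()} out={out.hex()} "
              f"intact={survives_roundtrip(sample)} "
              f"non_ascii_at={non_ascii_offsets(sample)}")
```

Java's decoder may emit a different number of U+FFFD characters per malformed run than Python's, but the property that matters holds in both: a byte above 0x7F that is not part of valid UTF-8 text never comes back, so the archive has to be assembled from bytes 0x00..0x7F only.
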
  • @MeriaDuck
    @MeriaDuck 2 years ago +46

    As a java developer, just ❤️ this one.
    My first thought for that replace chat was that neck slash wasn't excluded, so maybe \u123 like tricks could play a role.
    Did not see the ASCII only zip file coming. Just how do you create that... Magic 🤣

    • @MeriaDuck
      @MeriaDuck 2 years ago +2

      Auto correct and late night commenting made a mess of that, meant char and backslash.

  • @blizzy78
    @blizzy78 2 years ago +24

    So what do we learn from this? Tomcat's applicationScope object is read-write instead of read-only, which is a bad idea.

    • @kebien6020
      @kebien6020 2 years ago +11

      Also, don't implement file upload in Java because Java will dynamically load code for any reason at all

  • @saketsrv9068
    @saketsrv9068 2 years ago +24

    What a genius guy, wish one day I could get even close to you

  • @eamonmulholland3159
    @eamonmulholland3159 2 years ago

    A bunch of this flew over my head but I loved it. Props to you and your team for the great work!

  • @cauhxmilloy7670
    @cauhxmilloy7670 2 years ago +20

    10:16 "..and it was private static final anyways." This shouldn't be a problem.
    First, the `final` only protects the reference to the array from changing, not the array itself. In C++ terms, `final` is the equivalent of `T * const`; Java has no concept of `T const *` or `T const * const` unless T is defined to be always immutable. Sure, Strings are immutable in Java, but arrays are fair game.
    Next, the fact that it's `static` could be helpful, not a hindrance. This means that there is no overall object reference for `ParamUtil` to find, there is only one instance of the `SPECIAL_CHARS` in the whole program. This should be findable with reflection.
    Lastly, the `private` should be no problem if you're using reflection. Reflection does not care about member visibility.
    I'm not sure what reflection you could have pulled off, given the challenge's constrained jsp; so maybe this would still end up being a dead end. I just wanted to share some Java technicalities. 😎

  • @crlfff
    @crlfff 2 years ago +8

    insane, I would not figure this out in my entire life if you gave me that time

  • @vectoralphaSec
    @vectoralphaSec 2 years ago +3

    love the new glasses.

  • @DawnnDusk-k4n
    @DawnnDusk-k4n 2 years ago +44

    How are you creating content that will forcefully put the viewer to watch the whole video without skipping any part? It's 100% amazing. Superior content btw. Loved it😍

    • @secureitmania
      @secureitmania 2 years ago +2

      It took me an hour to complete this video 😂😂

    • @DawnnDusk-k4n
      @DawnnDusk-k4n 2 years ago +1

      @@secureitmania ha ha😁

  • @konfushon
    @konfushon 2 years ago +2

    This guy's a genius

  • @MarcoZanon
    @MarcoZanon 2 years ago +5

    I have to watch your video multiple times just to appreciate all the details you give to the audience. It's phenomenal

  • @ndm13
    @ndm13 2 years ago +9

    Beautiful solution. I genuinely don't understand why Apache regularly does stupidly insecure things with class loading.

  • @FVT-tn8ji
    @FVT-tn8ji 2 years ago

    I don't understand anything at all but this is interesting af! Thanks for uploading

  • @akshaymall6462
    @akshaymall6462 2 years ago +3

    This is the kind of cyber security expert I aspire to become......just so much dedication

  • @constexprDuck
    @constexprDuck 2 years ago +1

    Why did you put angle brackets on your head and disable your glasses for the thumbnail? I'm confused. But great video!

  • @bertrahm3104
    @bertrahm3104 2 years ago +5

    13:11 Stupid Question: Couldn't you have just made a StringInterpreter-compatible class and then done your arbitrary code execution from the constructor, since it's instantiated immediately?

    • @LiveOverflow
      @LiveOverflow 2 years ago +2

      Sure, could have done that as well. But it makes no difference whether we execute the code in the static section or in the constructor. Wouldn't have changed much.

    • @bertrahm3104
      @bertrahm3104 2 years ago

      @@LiveOverflow yeah, it just seemed easier to me at the moment

  • @quangvo4563
    @quangvo4563 2 years ago

    Java web challenges are always good !!!!

  • @mgetommy
    @mgetommy 2 years ago +13

    So cool…. As a web dev this scares me lol

  • @rapid2950
    @rapid2950 2 years ago

    *me just nodding to everything he says with a wistful expression, whilst trying to understand it*

  • @0x150
    @0x150 2 years ago +3

    glassesOverflow

  • @c14n_
    @c14n_ 2 years ago +3

    Hey what about the STÖK glasses? haha

  • @gokhansahin7872
    @gokhansahin7872 2 years ago +1

    Could you please describe how you make a valid jar file with ascii-zip?

  • @_xzvf2557
    @_xzvf2557 2 years ago +2

    That is a crazy exploit, well done!

  • @randomguy3784
    @randomguy3784 2 years ago

    Crazyyy technique! 😵

  • @Myzreal92
    @Myzreal92 2 years ago +1

    Just a note on the URL class and the "fix it plz java" note - there's nothing to fix, that's an immutable object and it's supposed to be like that. You want a new URL - you create a new instance of that class.

  • @gerardmarquinarubio9492
    @gerardmarquinarubio9492 2 years ago +1

    This was the most interesting CTF video I've ever seen. Normally, I don't understand shit, but you explained everything so well.

  • @manuyel4845
    @manuyel4845 2 years ago +1

    welcome to the blind gang

  • @_DeProgrammer
    @_DeProgrammer 2 years ago +2

    this video was dope. thanks for taking the time to make this content, much love!

  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    If you click the number it will display on your video that video ended is ended like 51 minutes why ? Please can you explain and thanks

  • @Jan.-
    @Jan.- 2 years ago +1

    im waiting for the minecraft log4j vid xd

  • @oblivion_2852
    @oblivion_2852 2 years ago +1

    The ascii only zip is really interesting

  • @FUTUREPES
    @FUTUREPES 2 years ago +2

    On glasses in a stream nicee

  • @Azulath.
    @Azulath. 2 years ago +1

    Nice video - quick comment from my side: I have found JADX to be superior to JD-GUI, since the latter has issues with a few class files and the former does not.

  • @saranshjain5391
    @saranshjain5391 1 year ago

    The thing is I don't know any bit of coding, still I am watching it and having fun, and can safely say yeah this field is for me. I need to take it in college as my major even if I need to compromise a better college for the subject.

  • @anassbougazzoul5405
    @anassbougazzoul5405 2 years ago

    new video lets goo

  • @wouterr6063
    @wouterr6063 2 years ago +7

    CTF challenge vids are one of my favorite types of videos on this channel!

  • @aha6593
    @aha6593 2 years ago

    I know little about the Java webapp world. Decompiling a class is regularly needed because the documentation is bad or to fix a bug in a piece of software you use. A servlet to upload files actually gives control of the OS running Tomcat. What I don't understand is how you get access to the .war file from a running webapp on the net?

  • @0x2a1A4
    @0x2a1A4 1 year ago

    solving this must feel great, but creating such a challenge.... you must be a wizard...

  • @A00ii
    @A00ii 2 years ago +1

    I understand 1% of this, I think I'm learning 🌭

  • @LiEnby
    @LiEnby 2 years ago +2

    ASCII ONLY JAR?
    WHAT.
    HOW IS THAT POSSIBLE

    • @blizzy78
      @blizzy78 2 years ago

      compression dictionary

    • @fitmotheyap
      @fitmotheyap 2 years ago

      Some souls were consumed in the making

  • @siddharthchhetry4218
    @siddharthchhetry4218 2 years ago +1

    Nice, I couldn't understand a shit :)

  • @XenoContact
    @XenoContact 2 years ago

    thumbnail makes me not want to watch this video sorry

  • @NoNameAtAll2
    @NoNameAtAll2 2 years ago

    dark lighting makes you sad old dev, not the bright excited mind you were before

  • @huhwhatwho7895
    @huhwhatwho7895 2 years ago +2

    How did you work out the 0xfffff number of hashes?

    • @lepsycho3691
      @lepsycho3691 2 years ago +2

      Okay, took me a little bit to figure this out, but it all comes down to this:
      An md5 hash is 32 hex characters.
      One hex character has 16 possible values [0-9] [a-f].
      So if the hash has to start with 5 specific characters, the total possible variation of 5 hex characters is 16^5 or 1,048,576.
      Now to explain what the python script does:
      We are generating random md5 hashes, keeping only the first 5 chars and putting them in a dictionary as the key and the seed as the value. The top loop will run until we have generated all possible combinations.

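The prefix-table search @lepsycho3691 describes, reconstructed in Python as an added example (not the script from the video). The prefix length is a parameter so that the 16^5 case from the comment and a quick small case can both be run; the seeds are constructed random values.

```python
import hashlib
import math
import random


def md5_prefix(seed: str, length: int) -> str:
    """First `length` hex characters of the MD5 of `seed`."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()[:length]


def build_prefix_table(length: int, rng_seed: int = 0) -> dict:
    """Find one input seed for every possible MD5 prefix of `length` hex chars.

    This is the search described in the comment: draw random seeds, keep the
    first `length` hex chars of each hash as the key and the seed as the value,
    and loop until all 16**length keys are present (0x00000..0xfffff for 5)."""
    rng = random.Random(rng_seed)          # constructed, deterministic seeds
    target = 16 ** length
    table = {}
    while len(table) < target:
        seed = f"{rng.getrandbits(64):016x}"
        table.setdefault(md5_prefix(seed, length), seed)
    return table


def expected_draws(length: int) -> float:
    """Coupon-collector estimate of how many random hashes the loop needs
    before every one of the N = 16**length prefixes has been seen at least
    once: about N * (ln N + 0.5772)."""
    n = 16 ** length
    return n * (math.log(n) + 0.5772)


if __name__ == "__main__":
    # Length 2 (256 prefixes) finishes instantly; length 5 is the video's case
    # with 1,048,576 prefixes and roughly 15 million hashes.
    table = build_prefix_table(2)
    print(len(table), "prefixes covered, e.g. 7f ->", table["7f"])
    print("expected draws for length 5:", int(expected_draws(5)))
```
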
  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    Video minute that it is even not in the video it display for you in example

  • @tristandostaler8953
    @tristandostaler8953 2 years ago +1

    Maybe a dumb question, but would using a "\r" have worked to remove the garbage at the beginning of the string?
    "GARBAGE" + "\rsomething else" + "GARBAGE" ?

    • @LiveOverflow
      @LiveOverflow 2 years ago +2

      not a dumb question :)

      "\r" only affects how text is displayed. It tells the computer "now move the cursor back to the start". And so in reality, that garbage at the start is still there, it was just overwritten when it was displayed. And so it has no effect when the computer tries to read this data as a file.

    • @tristandostaler8953
      @tristandostaler8953 2 years ago

      @@LiveOverflow thanks! Makes sense!

  • @triularity
    @triularity 2 years ago

    Just wondering if the start was anything like that early scene in Blue Streak where he says "What is the first thing you do? You check if it's open." Only, in this case, you check if it's log4j vulnerable. ;)

  • @EER0000
    @EER0000 2 years ago +1

    About halfway through, my approach would be to upload a .class or jar file with remote shell in perhaps a static initializer field, then change the class path and execute the code from there. Let’s see if that’s the way you did it :D

    • @EER0000
      @EER0000 2 years ago +1

      Close! Nice find and very creative solution!

  • @michaeldprovenzano9936
    @michaeldprovenzano9936 2 months ago

    That's insane!!!

  • @IBITZEE
    @IBITZEE 2 years ago

    Dude,,, I understand only parts of what you were explaining... but I couldn't stop seeing....
    great job.... and avoid Java!!!
    ;-)

  • @dhruvvanawat6562
    @dhruvvanawat6562 2 years ago

    That's a nice video.
    Can you please make a video on exploiting a vulnerable version of Jetty?

  • @realkorgo
    @realkorgo 2 years ago

    Great video!

  • @FUTUREPES
    @FUTUREPES 2 years ago +1

    Well done sir

  • @DARKBRAIN90
    @DARKBRAIN90 2 years ago

    Ooh no. James Kettle explains how to exploit this bug in his template injection talk

  • @syrrithplayz3824
    @syrrithplayz3824 2 years ago

    You Joined My MC server without the web address or ip how did you do that ?

  • @ichbins7203
    @ichbins7203 2 years ago +1

    Very interesting video! I really like to watch your CTF videos. Aaaand I've got a question: what's your vscode theme called?

    • @lebit01
      @lebit01 2 years ago +1

      Pretty sure it's Solarized Dark

    • @ichbins7203
      @ichbins7203 2 years ago

      @@lebit01 thanks

  • @lopo8000
    @lopo8000 2 years ago

    looking closer and closer to vitalik buterin by the day.

  • @modmah7191
    @modmah7191 2 years ago

    all in >

  • @ripplerxeon
    @ripplerxeon 2 years ago

    I just know basics programming stuff but the video made me watch this like I knew everything what he said ... Magic ✨

  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    Hello please can you explain the doc exploit other thing I discover thing before when you type a

  • @club6525
    @club6525 2 years ago

    3:47 I thought the top file said something else for a second...

  • @sookmaideek
    @sookmaideek 2 years ago

    DO U USING KALE LUNIX BRO❓

  • @kiwiwelch3620
    @kiwiwelch3620 2 years ago

    Love your work but I fear your arms are going to snap in half

  • @lattaio2855
    @lattaio2855 2 years ago +1

    Hey man. Someone recently logged onto my Minecraft server under the name Zaafir_Zuberi. He ran some long command, apologized for spam, then left. He linked his channel which led me here. What exactly did you do, and should I be concerned? I tried to find the acc but they must have changed the name or deleted it. Would appreciate a response.

    • @LiEnby
      @LiEnby 2 years ago

      Minecraft doesn't use JSP

    • @lattaio2855
      @lattaio2855 2 years ago

      @@LiEnby I know Minecraft doesn't. It was just his most recent video, so, I thought it would be more likely that he sees the comment.

    • @LiveOverflow
      @LiveOverflow 2 years ago +7

      it was me, sorry for the spam. you don't need to be concerned. It's for an upcoming video series :) if you have any more questions, write me an email or DM me on twitter. sorry again!

    • @benasin1724
      @benasin1724 2 years ago

      @@LiveOverflow lol

    • @fitmotheyap
      @fitmotheyap 2 years ago

      @@LiveOverflow what are you doing to the poor guy lmao

  • @mohittirkey7889
    @mohittirkey7889 2 years ago

    Is it just me or is he really looking like Ed-Sheeran :D

  • @btno222
    @btno222 2 years ago

    Yu gained weight! Good yu look gewd!

  • @warker_de
    @warker_de 2 years ago

    this ascii-zip crafting made me cry ... #ctflife I think

  • @topsovs839
    @topsovs839 2 years ago

    Let's fix what's been broken for 5 years now.

  • @venkatesangovindarajan863
    @venkatesangovindarajan863 2 years ago

    Stupid question: In these CTFs, do they provide the web-app source code for you guys to figure out the problem on a local machine?

    • @kebien6020
      @kebien6020 2 years ago +1

      In this video it looks like they provided just the compiled .class files. But decompilers work really well on Java (as long as it is not intentionally obfuscated) so the decompiled code was pretty ok. They were also using an open-source library so you can just grab the source code for that from github.

  • @nirshaashua6436
    @nirshaashua6436 2 years ago

    Thanks for the video

  • @zackenbaron6773
    @zackenbaron6773 2 years ago

    What system do you run in this video?

  • @Nevermore101
    @Nevermore101 2 years ago

    what a rollercoaster :D

  • @thatcrockpot1530
    @thatcrockpot1530 2 years ago

    badass

  • @captainsalazar7166
    @captainsalazar7166 2 years ago

    You are amazing

  • @goodtoot3145
    @goodtoot3145 2 years ago

    on yaaaa

  • @spreen_co
    @spreen_co 2 years ago

    first?

  • @louisalakazam738
    @louisalakazam738 2 years ago

    It's an amazing ctf!

  • @secureitmania
    @secureitmania 2 years ago

    🔥🤯🤯🤯🤯😱

  • @shurgars
    @shurgars 2 years ago

    Nice

  • @n1ghtmar3_orin
    @n1ghtmar3_orin 2 years ago

    🔥🔥🔥

  • @StorageESP
    @StorageESP 2 years ago

    uh oh

  • @bibabutzemann4640
    @bibabutzemann4640 2 years ago +1

    That's for all genius hackers - you're the heroes right now 🇺🇦❤️

  • @esra_erimez
    @esra_erimez 2 years ago

    Does this mean that Tomcat is not secure?

    • @ltxr9973
      @ltxr9973 2 years ago +2

      Not really. The way it's configured in the video is almost painful to watch as a Java dev. But Tomcat won't stop you from shooting yourself in your own foot either. There's so much stuff you can do in Java, there's a feature for everything. This kind of complexity can be dangerous.

  • @JustSomeAussie1
    @JustSomeAussie1 2 years ago

    The way you pronounce "interpreter" drives me crazy

  • @senjuchidori9448
    @senjuchidori9448 2 years ago +1

    bro use vim to sort, instead of VS code,

  • @SlashedSucks
    @SlashedSucks 2 years ago

    56 secs ago???