I found a few writeups for this challenge online, three solutions in total; I use the slightly simpler one.
Unicode deception
This is the challenge environment when first opened: at a glance it has only a register and a login function.
Let's look at the login function first.
On the change-password page we find that the source code is leaked.
Let's audit the code.
Whether it is the login, register or change-password page, whenever the code operates on session['name'] it first passes the name through a strlower function to lower-case it. Python already has the built-in lower() for that, yet here it has been reimplemented, which looks suspicious, so let's find the definition of strlower.
It uses the nodeprep.prepare function, where nodeprep is imported from the twisted module:
from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep
The requirements.txt file shows the Twisted version used here:
Twisted==10.2.0
while the latest version on the official website is 19.2.0 (as of 2019/6/2). With such a large version gap there are probably known vulnerabilities, so searching for nodeprep.prepare turns up an article on Unicode security:
https://paper.tuisec.win/detail/a9ad1440249d95b
The principle is that nodeprep.prepare in this version is not idempotent for certain Unicode characters: one call converts ᴬ (U+1D2C, MODIFIER LETTER CAPITAL A) to A, and calling nodeprep.prepare once more on A converts it to a. In other words, two calls on the same name can yield a different result from one call.
So when we sign up as ᴬdmin, the code behind the form calls nodeprep.prepare once and stores the username as Admin. When we then log in with ᴬdmin, the username shown on the index page becomes Admin, which confirms the guess. What we need next is some way to make the server call nodeprep.prepare on that name one more time. The change-password page does exactly that: it runs strlower over session['name'] again, turning Admin into admin, so changing the password while logged in as ᴬdmin actually resets the password of the admin account.
Then we log in directly as admin with the new password and get the flag.
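As an added illustration, not the challenge's code and not Twisted's: the script below models the non-idempotent strlower described above with a constructed stand-in, NFKC normalisation applied after lower(), which reproduces the two-step ᴬ -> A -> a behaviour in plain Python without Twisted. It then replays the register / login / change-password flow against a toy Site class with a constructed admin account, and shows that a fixed-point normalisation (normalise, casefold, repeat until stable) rejects the look-alike registration because it collides with admin. The Site class, its method names and the passwords are assumptions made for the demonstration.

```python
import unicodedata

# Constructed stand-in for the challenge's strlower(). It mimics the behaviour
# the writeup attributes to nodeprep.prepare in Twisted 10.2.0 (one call maps
# U+1D2C 'ᴬ' to 'A', a second call maps 'A' to 'a'). It is NOT the Twisted
# implementation: the non-idempotence comes from case-mapping BEFORE
# compatibility normalisation, so the 'A' produced by NFKC is never lowered.
def vulnerable_strlower(name: str) -> str:
    return unicodedata.normalize("NFKC", name.lower())


def safe_strlower(name: str) -> str:
    """Normalise to a fixed point: repeated calls can never change the result."""
    prev, cur = None, name
    while cur != prev:
        prev, cur = cur, unicodedata.normalize("NFKC", cur).casefold()
    return cur


class Site:
    """Minimal model (assumption) of the challenge: register, login, change password.

    Every step runs the name through strlower once, exactly as the leaked source
    does for session['name'].
    """

    def __init__(self, strlower):
        self.strlower = strlower
        self.users = {}  # normalised username -> password

    def register(self, name, password):
        key = self.strlower(name)          # first normalisation
        if key in self.users:
            return False                   # username already taken
        self.users[key] = password
        return True

    def login(self, name, password):
        key = self.strlower(name)          # second normalisation of the same input
        if self.users.get(key) != password:
            return None
        return {"name": key}               # this is what session['name'] holds

    def change_password(self, session, new_password):
        key = self.strlower(session["name"])  # one more normalisation
        if key not in self.users:
            return False
        self.users[key] = new_password
        return True


ATTACKER_NAME = "\u1d2cdmin"  # 'ᴬdmin': U+1D2C MODIFIER LETTER CAPITAL A + 'dmin'


def run_attack(strlower) -> bool:
    """Return True if registering 'ᴬdmin' lets the attacker take over 'admin'."""
    site = Site(strlower)
    site.register("admin", "original-secret")      # constructed victim account
    if not site.register(ATTACKER_NAME, "attacker-pw"):
        return False                               # collision detected at signup
    session = site.login(ATTACKER_NAME, "attacker-pw")
    site.change_password(session, "attacker-pw")   # lands on 'admin' if non-idempotent
    return site.login("admin", "attacker-pw") is not None


if __name__ == "__main__":
    print("vulnerable strlower:", vulnerable_strlower("\u1d2c"), "->",
          vulnerable_strlower(vulnerable_strlower("\u1d2c")))
    print("takeover with vulnerable strlower:", run_attack(vulnerable_strlower))
    print("takeover with safe strlower:     ", run_attack(safe_strlower))
```

The fix is not "call lower() as well": any normalisation used as a key must be applied to a fixed point, or the canonical form should be computed once at registration and reused verbatim everywhere else instead of being recomputed from session data.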