Knowledge points
JWT
JWT related
JWT decryption website
JWT cracking tool
PICKLE
The most commonly used functions in the pickle module are:
(1) pickle.dump(obj, file[, protocol])
Function: serialize obj and write it into the already opened file.
Parameters:
obj: the object to serialize.
file: the (already opened) file object.
protocol: the protocol used for serialization. If omitted, it defaults to 0. If negative or HIGHEST_PROTOCOL, the highest protocol version is used.
(2) pickle.load(file)
Function: read and deserialize the object stored in file.
Parameters:
file: the file object to read from.
(3) pickle.dumps(obj[, protocol])
Function: serialize obj into a string instead of writing it to a file.
Parameters:
obj: the object to serialize.
protocol: if omitted, it defaults to 0. If negative or HIGHEST_PROTOCOL, the highest protocol version is used.
(4) pickle.loads(string)
Function: reconstruct the original obj object from string.
Parameters:
string: the serialized string to deserialize.
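To show why pickle.loads on attacker-controlled input is the bug class this challenge relies on, and the usual mitigation (a restricted Unpickler, as in the Python docs), here is an added Python 3 example that is not code from the original writeup. The side_effect function and Evil class are constructed stand-ins: side_effect only records that it was called instead of running a command.

```python
import io
import pickle

CALLS = []  # records every time side_effect is triggered


def side_effect(tag):
    # Constructed stand-in for os.system & co.: just records the call.
    CALLS.append(tag)
    return tag


class Evil:
    # __reduce__ tells pickle to rebuild this object by calling side_effect("pwned"),
    # so simply unpickling the bytes runs attacker-chosen code.
    def __reduce__(self):
        return (side_effect, ("pwned",))


class RestrictedUnpickler(pickle.Unpickler):
    # Only allow a few plain-data builtins; refuse every other global lookup.
    SAFE = {"builtins": {"set", "frozenset", "list", "dict", "tuple", "range"}}

    def find_class(self, module, name):
        if name in self.SAFE.get(module, set()):
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def safe_loads(data):
    # Drop-in replacement for pickle.loads on untrusted bytes.
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    payload = pickle.dumps(Evil())  # constructed malicious blob
    CALLS.clear()
    pickle.loads(payload)           # naive loads: side_effect runs
    naive_ran = CALLS == ["pwned"]
    CALLS.clear()
    try:
        safe_loads(payload)         # restricted loads: refused
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    harmless = safe_loads(pickle.dumps({"lv": 6, "items": [1, 2]}))
    return naive_ran, blocked, CALLS == [], harmless
```

demo() returns (True, True, True, {'lv': 6, 'items': [1, 2]}): the naive call executed the callable, the restricted one refused it without side effects, and ordinary data still round-trips.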
Appendix: the pickle protocol
Writeup (WP) section
Step 1: find lv6
According to the hint we need to find lv6. Looking at the URL, we only need to check each shop page for lv6.png. Here is a multi-threaded Python script for that:
import threading
import time
import requests


def go(st, ed):
    # Scan shop pages st..ed-1 and print the URL whose HTML references lv6.png
    for i in range(st, ed):
        url = '替换你的url/shop?page='  # replace with the target's base URL
        url += str(i)
        r = requests.get(url, timeout=2)
        if 'lv6.png' in r.text:
            print(r.url)
        time.sleep(0.1)


if __name__ == '__main__':
    threads = []
    # 10 threads, 20 pages each: pages 0..199
    for i in range(0, 10):
        t = threading.Thread(target=go, args=(i * 20, (i + 1) * 20))
        threads.append(t)
    for item in threads:
        item.start()
    for item in threads:
        item.join()
Here I found that page 181 has lv6.
Step 2: capture and modify the request with Burp
After raising the discount we get this page.
It can only be accessed by the admin. Capture the request and take a look: we need to crack the JWT and recover its secret key.
The key is 1Kun.
Follow the hints to get the key information.
I was a bit silly here. I didn't notice at first that the environment should be Python 2, and I got the correct value.
I got the flag after passing it in.
Reference articles
[CISCN2019 North China Day1 Web2] Ikun
Fancy Exploitation of Python Deserialization Vulnerabilities
Python Magic Method Guide