[CISCN2019 North Division Day1 Web2] ikun

I usually finish a challenge before writing it up, but this one is fairly convoluted and touches a lot of knowledge points, so I am writing the writeup as I reproduce it.

The challenge gets more interesting once the range is started.

Chicken, you're so beautiful.

A quick look at the page: it is a web shop.

It looks like buying a Bilibili membership, and the page hints that we must get lv6. Flipping through a few pages turned up no lv6, so I wrote a script that walks the page number in the URL to look for it.

import requests

url = "http://c8ffb0c4-125a-4140-ae54-0e34b707fb3f.node3.buuoj.cn/shop?page="
# Walk the page numbers until the lv6 badge image shows up in the HTML
for i in range(0, 2000):
    r = requests.get(url + str(i))
    print(url + str(i))
    if 'lv6.png' in r.text:
        print(i)
        break

After running for a while it finds page 181. Change the page number in the URL to 181 and refresh.

It is far too expensive and we cannot afford it. The idea is to squeeze the shop: intercepting the request and modifying the price gives this error, so we modify the discount instead.

Change the discount to a very low value; the response is a 403 that exposes the backend address, which we then visit.

It tells us that only admin may access it, so we capture the page refresh to look at the authentication information.

There is a JWT in the request; this article describes it:

https://www.anquanke.com/post/id/145540

We decode the JWT from the request at:

https://jwt.io/

We can see that the username is test.

That is the username I registered earlier, so it is natural to think of changing the username to admin, but we also need the key that signs the JWT.

Someone has already written a cracking tool:

https://github.com/brendan-rius/c-jwt-cracker

This touches on a small knowledge point: downloading code from GitHub on Ubuntu.

We can install git, which makes fetching projects from GitHub easy:

apt-get install git

Because I am on Kali, which runs as root directly, there is no sudo in front.

For example, to download the c-jwt-cracker project code we use the following command:

git clone https://github.com/brendan-rius/c-jwt-cracker

Every project on GitHub is downloaded the same way: git clone followed by its URL.

After downloading, cd into the local c-jwt-cracker directory and run make.

This generates the jwtcrack program in the folder.

For a JWT signed with HS256 we can try brute-forcing the secret:

./jwtcrack <JWT token>

After it runs we can see:

The key is 1Kun.

With the key, change the username to admin and re-sign the token.

Put the modified JWT back into the request and resend it.

OK, we can see that we are now logged in as admin.
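To make the signature check concrete, here is an added example in Python 3 (standard library only; it is my own code, not the challenge's backend or any of the tools above) that signs and verifies an HS256 JWT the way a server should: it pins the algorithm, compares the HMAC in constant time, and checks that the secret is at least the 32 bytes RFC 7518 requires for HS256. The secret `1Kun` is the one recovered above; the `username` claim and all function names are my own choices for the demo. `rewrite_claim_without_key` edits the claim but keeps the old signature, and the verifier rejects it, which is exactly why the key had to be cracked before `admin` could be set.

```python
import base64
import hashlib
import hmac
import json

# Added example (Python 3, standard library only): a minimal HS256 JWT signer/verifier
# and the two server-side checks whose absence made the challenge token forgeable.

WEAK_SECRET = b"1Kun"          # the secret recovered in the writeup
MIN_HS256_SECRET_BYTES = 32    # RFC 7518 s.3.2: HS256 key must be >= hash output (256 bits)


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the header is attacker-controlled, so never let it choose
    # "none" or switch the server to a different algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


def secret_is_acceptable(secret: bytes) -> bool:
    """Policy check a server should run at startup: a short secret like '1Kun' is
    trivially brute-forced, which is exactly how the writeup recovered the key."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


def rewrite_claim_without_key(token: str, claim: str, value) -> str:
    """Edit a claim but keep the old signature: what an attacker can do *without* the
    key. verify_hs256 must reject the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[claim] = value
    return f"{header_b64}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    token = sign_hs256({"username": "test"}, WEAK_SECRET)
    print("valid   :", verify_hs256(token, WEAK_SECRET))
    print("forged  :", verify_hs256(rewrite_claim_without_key(token, "username", "admin"), WEAK_SECRET))
    print("key ok? :", secret_is_acceptable(WEAK_SECRET))
```

The length check is the cheap fix for this challenge: a four-character secret is inside any small wordlist, while a random 32-byte secret puts brute force out of reach regardless of how fast the cracker is.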

Clicking the "become a big member" button does not seem to do anything.

Then we look at the source and find a source-code leak.

Download the code for later review.

There is a hint in the source; it is unicode-encoded, so decode it online.

It hints that there is a backdoor, so we keep auditing the code to find where it is.

Admin.py contains a deserialization operation.

I had not come across Python deserialization before.

pickle provides a simple persistence facility: objects can be stored on disk as files.

The pickle module can only be used within Python, but almost every Python data type (lists, dicts, sets, classes, ...) can be serialized with pickle.
Pickled data is hard to read; a human generally cannot make sense of it.

p = pickle.loads(urllib.unquote(become))

urllib.unquote: encodes the stored dictionary parameters as a URL query string, i.e. converts them into the form key1=value1&key2=value2
pickle.loads(bytes_object): reads the wrapped object out of the bytes object and returns it

My understanding after reading the masters' blogs is this: we build a class, and the __reduce__ Python magic method inside that class is called when the class is deserialized.

The most commonly used functions in the pickle module are:

(1) pickle.dump(obj, file, [,protocol])

    Purpose: serialize obj into the already opened file.

    Parameters:

    obj: the object to serialize.
    file: the file name.
    protocol: the protocol used for serialization. If omitted it defaults to 0; if negative or HIGHEST_PROTOCOL, the highest protocol version is used.

(2) pickle.load(file)

    Purpose: read the serialized object back out of file.

    Parameters:

    file: the file name.

(3) pickle.dumps(obj[, protocol])

    Purpose: serialize obj into a string instead of writing it to a file.

    Parameters:

    obj: the object to serialize.
    protocol: if omitted it defaults to 0; if negative or HIGHEST_PROTOCOL, the highest protocol version is used.

(4) pickle.loads(string)

    Purpose: read the original obj object back out of string.

    Parameters:

    string: the file name.

    [Note] Compared with dumps() and loads(), dump() and load() have one extra ability: dump() can serialize several objects one after another into the same file, and later calls to load() deserialize them in the same order.

In the __reduce__ method we read the flag.txt file, then serialize the class and URL-encode it.

The EXP is as follows:

Once __reduce__ is defined, it is called when the object is pickled.

The eval here is invoked when the object is rebuilt, i.e. it tells Python how to pickle them.

What eval is given is the opened file flag.txt.

The other parameters can be left empty.

There are many ways to write the payload; this is a fairly generic one.
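Added example (Python 3, my own code, not the challenge's admin.py or the EXP the author ran) showing the `__reduce__` mechanism described above and a loader that refuses it. `Trigger.__reduce__` asks pickle to call `os.getcwd` on load, a harmless stand-in for the `eval(...)`/`open('flag.txt')` call the writeup uses; `build_become_param`, `benign_become_param`, `unsafe_load`, `callable_ran`, `safe_load` and `RestrictedUnpickler` are names I chose. `unsafe_load` mirrors the `pickle.loads(urllib.unquote(become))` line from admin.py; `safe_load` overrides `find_class` so that any global reference outside a small allow-list is refused, which is the mitigation the Python documentation recommends when pickle input from a client cannot be avoided.

```python
import io
import os
import pickle
import urllib.parse

# Added example (Python 3). Demonstrates the __reduce__ hook the writeup relies on and a
# restricted loader that refuses it. Trigger.__reduce__ asks pickle to call os.getcwd on
# load, a harmless stand-in for the eval(open('flag.txt').read()) the challenge EXP used.


class Trigger:
    """Whatever __reduce__ returns is (callable, args); pickle calls it when it loads us."""
    def __reduce__(self):
        return (os.getcwd, ())


def build_become_param() -> str:
    """Serialize Trigger and URL-encode it: the shape of the challenge's `become` parameter.
    Protocol 0 is used so the result is readable ASCII, like the author's Python 2 output."""
    return urllib.parse.quote(pickle.dumps(Trigger(), protocol=0))


def benign_become_param(obj) -> str:
    """Same encoding applied to ordinary data (what the endpoint presumably expected)."""
    return urllib.parse.quote(pickle.dumps(obj))


def unsafe_load(become: str):
    """Mirrors admin.py's pickle.loads(urllib.unquote(become)): any global named in the
    stream is imported, and the REDUCE opcode calls it with the pickled arguments."""
    return pickle.loads(urllib.parse.unquote_to_bytes(become))


def callable_ran(become: str) -> bool:
    """True if loading `become` executed os.getcwd instead of returning a Trigger."""
    return unsafe_load(become) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the only globals a plain-data pickle may legitimately need; refuse
    everything else, so a stream naming os.getcwd, eval or os.system never resolves."""
    SAFE_BUILTINS = {"set", "frozenset", "slice", "range", "complex"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(become: str):
    """Drop-in replacement for unsafe_load that only accepts data-only pickles."""
    return RestrictedUnpickler(io.BytesIO(urllib.parse.unquote_to_bytes(become))).load()


if __name__ == "__main__":
    param = build_become_param()
    print("unsafe_load ran os.getcwd:", callable_ran(param))
    try:
        safe_load(param)
    except pickle.UnpicklingError as exc:
        print("safe_load refused it:", exc)
    print("safe_load on data:", safe_load(benign_become_param({"username": "test"})))
```

The point of the allow-list is that the dangerous part of a pickle is the GLOBAL opcode: a stream that only uses dict, list, string and integer opcodes never calls `find_class`, so ordinary data still loads, while the `__reduce__` payload is stopped before its callable is even imported. Where the data is really just a dict, JSON is the simpler fix.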

We run it locally under Python 2.

That gives us the serialized and URL-encoded result.

Click "become a big member" on the page and capture the request.

Then replace the content of become with the result from Python 2.

The response contains the flag.

Referenced blogs:

https://xz.aliyun.com/t/2289#toc-4
https://blog.csdn.net/bluehawksky/article/details/79027055
https://blog.csdn.net/weixin_43345082/article/details/97817909
http://www.zjun.info/2019/10/17/ikun/
https://www.cnblogs.com/chrysanthemum/p/11786132.html
http://www.polaris-lab.com/index.php/archives/178/
http://www.cl4y.top/buuctf_wp/#toc-head-24

Origin: www.cnblogs.com/Cl0ud/p/12177062.html