本文主要是介绍picoCTF-Web Exploitation-Java Code Analysis!?!,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
Description
BookShelf Pico, my premium online book-reading service.I believe that
my website is super secure. I challenge you to prove me wrong by
reading the ‘Flag’ book!Here are the credentials to get you started:
- Username: “user”
- Password: “user”
Source code can be downloaded
here
.Website can be accessed
here!
Hints
Maybe try to find the JWT Signing Key (“secret key”) in the source
code? Maybe it’s hardcoded somewhere? Or maybe try to crack it?The ‘role’ and ‘userId’ fields in the JWT can be of interest to you!
The ‘controllers’, ‘services’ and ‘security’ java packages in the
given source code might need your attention. We’ve provided a
README.md file that contains some documentation.Upgrade your ‘role’ with the new (cracked) JWT. And re-login for the
new role to get reflected in browser’s localStorage.
通过介绍我们可以得到以下信息:
- 尝试破解JWT 签名密钥
- JWT中的role和userId字段可能会对我们有帮助
- 重点关注源码中的
controllers,services,security包。 - README.md文件可能对我们有所帮助
- 在JWT中提升role并刷新cookie存储?
1. 分析代码
首先,我们下载源码,使用是gradle管理包,先看README.md,里面说明了项目的架构以及各个包的功能。访问here!网站,使用username:user, password:user用户登录,发现图片有Flag,点击提示有锁,需要用户拥有role为Admin的权限(user用户的role是Free)
Flag
You need to have Admin role to access this special book!
This book is locked.
我们给用户user修改role为Admin试试,查看UserController找到修改role的代码
@PatchMapping("/users/role")
public Response<String> updateRole(@Valid @RequestBody UpdateUserRoleRequest userRoleRequest) throws ResourceNotFoundException, ValidationException {userService.updateRole(userRoleRequest);return new Response<String>().setPayload("Role successfully updated.").setType(ResponseType.SUCCESS);
}
@Getter
@Setter
@NoArgsConstructor
public class UpdateUserRoleRequest {private Integer id;@NotNull(message = "Role cannot be Null")@NotEmpty(message = "Role cannot be empty")private String role;
}
我们需要构建RequestBody参数包含id和role ,role已知为Admin ,接下来需要找到user用户的id ,在UserController 中有一个users接口,查询所有用户信息
@GetMapping("/users")
public Response<List<UserDto>> getAll() {List<UserDto> userList = userService.getAllUsers();Response<List<UserDto>> response = new Response<>();response.setPayload(userList);response.setType(ResponseType.SUCCESS);return response;
}
我们进去Service看一下,发现有权限认证hasAuthority('Admin'),需要Admin权限,前面修改role的也需要这个权限认证,不过又多了一步#userRoleRequest.id != authentication.principal.grantedAuthorities[0].userId ,意思好像是userId不能是本用户,也就是自己不能修改自己的role
@PreAuthorize("hasAuthority('Admin')")
public List<UserDto> getAllUsers() {return UserDto.getUserDtoListFromUsers(userRepository.findAll());
}@PreAuthorize("hasAuthority('Admin') and #userRoleRequest.id != authentication.principal.grantedAuthorities[0].userId")
public void updateRole(UpdateUserRoleRequest userRoleRequest) throws ResourceNotFoundException {Optional<User> userOptional = userRepository.findById(userRoleRequest.getId());if(!userOptional.isPresent()){throw new ResourceNotFoundException("user with ID: "+userRoleRequest.getId()+" not found");}User user = userOptional.get();Optional<Role> roleOptional = roleRepository.findById(userRoleRequest.getRole());if(!roleOptional.isPresent()){throw new ResourceNotFoundException("user with role: "+userRoleRequest.getRole()+" not found");}Role role = roleOptional.get();user.setRole(role);userRepository.save(user);
}
2. 修改JWT
所有操作需要给user用户一个Admin权限,我们知道JWT在登录后生成一个token,每次请求会在Request Header中带上这个token,以便后端程序对权限进行验证。
User登录网站,使用DevTools查看请求头,得到token
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTcxNjE5MDE1MywiaWF0IjoxNzE1NTg1MzUzLCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9.27h2BykhrD30xizlmoid0Wkj3OLuNPgR-XGo30UBv_0
拿到JWT官网解析,得到payload
{"role": "Free","iss": "bookshelf","exp": 1716190153,"iat": 1715585353,"userId": 1,"email": "user"
}
修改role为Admin重新加密,前提需要找到签名密钥(第一条提示)。继续查看权限验证JWT相关代码,发现密钥为1234
@Service
class SecretGenerator {private Logger logger = LoggerFactory.getLogger(SecretGenerator.class);private static final String SERVER_SECRET_FILENAME = "server_secret.txt";@Autowiredprivate UserDataPaths userDataPaths;private String generateRandomString(int len) {// not so randomreturn "1234";}String getServerSecret() {try {String secret = new String(FileOperation.readFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME), Charset.defaultCharset());logger.info("Server secret successfully read from the filesystem. Using the same for this runtime.");return secret;}catch (IOException e){logger.info(SERVER_SECRET_FILENAME+" file doesn't exists or something went wrong in reading that file. Generating a new secret for the server.");String newSecret = generateRandomString(32);try {FileOperation.writeFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME, newSecret.getBytes());} catch (IOException ex) {ex.printStackTrace();}logger.info("Newly generated secret is now written to the filesystem for persistence.");return newSecret;}}
}
修改role及密钥信息得到新得token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiQWRtaW4iLCJpc3MiOiJib29rc2hlbGYiLCJleHAiOjE3MTYxOTMxNTcsImlhdCI6MTcxNTU4ODM1NywidXNlcklkIjoxLCJlbWFpbCI6InVzZXIifQ.zMJVsnlSGl2OKzBSQ_h2qIU5mB7OL7bgF6khdI31eMw
3. 修改新建用户的role为Admin
-
网页上直接创建一个用户
-
使用postman请求用户查询接口得到hucker的userId为
6(Header中增加
Authorization,填入上面得到的新token)
-
构建ResponseBody,给hucker用户修改权限为
Admin
-
重新登录,发现role已经修改为
Admin,点击Flag拿到结果
这篇关于picoCTF-Web Exploitation-Java Code Analysis!?!的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
