Featured image of post Redpwnctf_2019_challenges_web
ctf

Redpwnctf_2019_challenges_web

redpwnctf-2019-challenges-web

题目环境

这题目是nodejs原型链污染 下面是主要代码

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

const crypto = require('crypto')
const http = require('http')
const mustache = require('mustache')
const getRawBody = require('raw-body')
const _ = require('lodash')
const flag = require('./flag')

const indexTemplate = `
<!doctype html>
<style>
  body {
    background: #172159;
  }
  * {
    color: #fff;
  }
</style>
<h1>your public blueprints!</h1>
<i>(in compliance with military-grade security, we only show the public ones. you must have the unique URL to access private blueprints.)</i>
<br>
{{#blueprints}}
  {{#public}}
    <div><br><a href="/blueprints/{{id}}">blueprint</a>: {{content}}<br></div>
  {{/public}}
{{/blueprints}}
<br><a href="/make">make your own blueprint!</a>
`

const blueprintTemplate = `
<!doctype html>
<style>
  body {
    background: #172159;
    color: #fff;
  }
</style>
<h1>blueprint!</h1>
{{content}}
`

const notFoundPage = `
<!doctype html>
<style>
  body {
    background: #172159;
    color: #fff;
  }
</style>
<h1>404</h1>
`

const makePage = `
<!doctype html>
<style>
  body {
    background: #172159;
    color: #fff;
  }
</style>
<div>content:</div>
<textarea id="content"></textarea>
<br>
<span>public:</span>
<input type="checkbox" id="public">
<br><br>
<button id="submit">create blueprint!</button>
<script>
  submit.addEventListener('click', () => {
    fetch('/make', {
      method: 'POST',
      headers: {
        'content-type': 'application/json',
      },
      body: JSON.stringify({
        content: content.value,
        public: public.checked,
      })
    }).then(res => res.text()).then(id => location='/blueprints/' + id)
  })
</script>
`

// very janky, but it works
const parseUserId = (cookies) => {
  if (cookies === undefined) { // 判断是否未定义
    return null
  }
  const userIdCookie = cookies.split('; ').find(cookie => cookie.startsWith('user_id=')) 
  // 使用;分割并且查找名为"user_id="的值
  if (userIdCookie === undefined) {  // 值为空返回null
    return null
  }
  return decodeURIComponent(userIdCookie.replace('user_id=', '')) // url解码,替换值为空
}

const makeId = () => crypto.randomBytes(16).toString('hex') // 随机hash

// list of users and blueprints
const users = new Map()

http.createServer((req, res) => {
  let userId = parseUserId(req.headers.cookie) // 获取请求cookie
  let user = users.get(userId) // 存放cookie
  if (userId === null || user === undefined) { // 没有Cookie
    // create user if one doesnt exist
    userId = makeId()
    user = {
      blueprints: {
        [makeId()]: {  // hash存储
          content: flag,
        },
      },
    }
    users.set(userId, user) // 设置hash为索引存放content
  }

  // send back the user id
  res.writeHead(200, {
    'set-cookie': 'user_id=' + encodeURIComponent(userId) + '; Path=/', // url编码后的
  })

  if (req.url === '/' && req.method === 'GET') {
    // 列出所有
    res.end(mustache.render(indexTemplate, {
      blueprints: Object.entries(user.blueprints).map(([k, v]) => ({
        id: k,  
        content: v.content,
        public: v.public,
      })),
    }))
  } else if (req.url.startsWith('/blueprints/') && req.method === 'GET') {
    // show an individual blueprint, including private ones
    const blueprintId = req.url.replace('/blueprints/', '')
    if (user.blueprints[blueprintId] === undefined) {
      res.end(notFoundPage)  // 判断是否有id
      return
    }
    res.end(mustache.render(blueprintTemplate, {
      content: user.blueprints[blueprintId].content, // 返回对应id的content
    }))
  } else if (req.url === '/make' && req.method === 'GET') {
    // show the static blueprint creation page
    res.end(makePage)
  } else if (req.url === '/make' && req.method === 'POST') {
    // API used by the creation page
    getRawBody(req, {
      limit: '1mb',
    }, (err, body) => {
      if (err) {
        throw err
      }
      let parsedBody
      try {
        // default values are easier to do than proper input validation
        parsedBody = _.defaultsDeep({  // 数组拷贝,json数据为可控的body
          publiс: false, // default private
          cоntent: '', // default no content
        }, JSON.parse(body))
      } catch (e) {
        res.end('bad json')
        return
      }

      // make the blueprint
      const blueprintId = makeId()
      user.blueprints[blueprintId] = {
        content: parsedBody.content,
        public: parsedBody.public,
      }

      res.end(blueprintId)
    })
  } else {
    res.end(notFoundPage)
  }
}).listen(80, () => {
  console.log('listening on port 80')
})

分析得知,如果没有Cookie则随机生成hash。并且flagblueprints , 在随机生成一个id关联flag

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

  let userId = parseUserId(req.headers.cookie) // 获取请求cookie
  let user = users.get(userId) // 存放cookie
  if (userId === null || user === undefined) { // 没有Cookie
    // create user if one doesnt exist
    userId = makeId()
    user = {
      blueprints: {
        [makeId()]: {  // hash存储
          content: flag,
        },
      },
    }
    users.set(userId, user) // 设置hash为索引存放content
  }

查看输出的代码,有一个public属性并且``value必须为public`才行, 上面的flag_user是没有这个属性的。

1
2
3
4
5
6
7
8
9

  if (req.url === '/' && req.method === 'GET') {
    // 列出所有
    res.end(mustache.render(indexTemplate, {
      blueprints: Object.entries(user.blueprints).map(([k, v]) => ({
        id: k,  
        content: v.content,
        public: v.public, // 只有公有可见
      })),
    }))

最后是 这里设置默认的publiс默认为false。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

 try {
        // default values are easier to do than proper input validation
        parsedBody = _.defaultsDeep({  // 数组拷贝,json数据为可控的body
          publiс: false, // default private
          cоntent: '', // default no content
        }, JSON.parse(body))
      } catch (e) {
        res.end('bad json')
        return
      }

flag键名为content, 在{}包裹中 所以要对{}原型进行注入 使它有public:。js中万物皆对象,constructor属性也是对象才拥有的 对象指向一个函数,指向该对象的构造函数 这里就是Object() , 污染它 添加public属性

1

"constructor":{"prototype":{"public":true}}

image-20230829225505085

构建数据包

image-20230829230607583

回到首页查看全部,就以及有flag了

image-20230829230310472

lodash 原型漏洞

版本小于 4.17.10 参考 https://hackerone.com/reports/380873

🔗参考链接

https://www.cnblogs.com/tr1ple/p/11360881.html#BhRbSi43

https://ce-automne.github.io/2019/11/09/RedPwnCTF-2019-blueprint-WriteUp/

YouTube:

nodejs
Licensed under CC BY-NC-SA 4.0