
maplectf复现

时间:2022-09-04 21:15:46浏览次数:72  

mapleba ctf 2022[honksay]

进入题目

可以看到我们可以传入一个url,然后goose会去访问我们提交的url。像这种可以提交url的题目,一般就三种类型:xss、ssrf、csrf。这道题目给了源码,我们先看源码

const express = require("express");
const cookieParser = require('cookie-parser');
const goose = require("./goose");
const clean = require('xss');

// Create the Express application and register the request parsers.
const app = express();
// cookie-parser fills req.cookies for the route handlers below.
// NOTE(review): cookie-parser can decode JSON-encoded cookie values into
// objects, so entries of req.cookies are not guaranteed to be strings -
// confirm against the installed version.
app.use(cookieParser());
// Parse application/x-www-form-urlencoded bodies; POST /report reads req.body.url.
app.use(express.urlencoded({extended:false}));

// Listening port: PORT from the environment, or 9988 when it is unset or empty.
const PORT = process.env.PORT || 9988;

/**
 * Express middleware that attaches two fixed response headers and then
 * hands control to the next handler.
 *
 * Sets `X-Frame-Options: DENY` and `X-Content-Type-Options: nosniff`.
 * Nothing else is set here; in particular no Content-Security-Policy
 * header is sent by this middleware.
 *
 * @param {object} req - incoming request (unused).
 * @param {object} res - response; only `setHeader` is called on it.
 * @param {Function} next - continuation; its return value is passed through.
 */
const headers = (req, res, next) => {
    const fixedHeaders = [
        ['X-Frame-Options', 'DENY'],
        ['X-Content-Type-Options', 'nosniff'],
    ];
    for (const [headerName, headerValue] of fixedHeaders) {
        res.setHeader(headerName, headerValue);
    }
    return next();
};
// Apply the fixed response headers to every request, then serve static
// files from the `public` directory.
app.use(headers);
app.use(express.static('public'))

/**
 * Build the page HTML as a single string.
 *
 * @param {*} goosemsg - placed inside an <h1>; the heading is omitted only when the value is exactly ''.
 * @param {*} goosecount - placed in the "You have honked ... times today" heading; omitted only when exactly ''.
 * @returns {string} the complete HTML document.
 *
 * SECURITY: both values are interpolated into the markup as-is. This function
 * performs no HTML escaping, so it is safe only if every caller passes text
 * that has already been escaped or sanitized.
 */
const template = (goosemsg, goosecount) => `
<html>
<head>
<style>
H1 { text-align: center }
.center {
    display: block;
    margin-left: auto;
    margin-right: auto;
    width: 50%;
  }

  body {
    place-content:center;
    background:#111;
  }

  * {
    color:white;
  }

</style>
</head>
${goosemsg === '' ? '': `<h1> ${goosemsg} </h1>`}
<img src='/images/goosevie.png' width='400' height='700' class='center'></img>
${goosecount === '' ? '': `<h1> You have honked ${goosecount} times today </h1>`}

<form action="/report" method=POST style="text-align: center;">
  <label for="url">Did the goose say something bad? Give us feedback.</label>
  <br>
  <input type="text" id="site" name="url" style-"height:300"><br><br>
  <input type="submit" value="Submit" style="color:black">
</form>
</html>
`;


// GET /: render the page from the `honk` / `honkcount` cookies, or set
// default cookies and redirect back here when `honk` is absent.
app.get('/', (req, res) => {
    if (req.cookies.honk){
        //construct object
        let finalhonk = {};
        // SECURITY: when the parsed cookie is an object it is used as-is, so
        // `message` and `amountoftimeshonked` come straight from the client
        // and never pass through clean().
        // NOTE(review): cookie-parser can decode JSON-encoded cookie values
        // into objects, which is presumably how this branch is reached - confirm.
        if (typeof(req.cookies.honk) === 'object'){
            finalhonk = req.cookies.honk
        } else {
            // String cookie: `message` is filtered by clean() (the `xss` package).
            // `honkcount` is not filtered, and .toString() throws a TypeError
            // when that cookie is missing.
            finalhonk = {
                message: clean(req.cookies.honk), 
                amountoftimeshonked: req.cookies.honkcount.toString()
            };
        }
        // template() inserts both fields into the HTML without escaping them.
        res.send(template(finalhonk.message, finalhonk.amountoftimeshonked));
    } else {
        // No `honk` cookie yet: set both cookies (httpOnly) and reload the page.
        const initialhonk = 'HONK';
        res.cookie('honk', initialhonk, {
            httpOnly: true
        });
        res.cookie('honkcount', 0, {
            httpOnly: true
        });
        res.redirect('/');
    }
});

// GET /changehonk: overwrite the `honk` cookie with the `newhonk` query value,
// reset `honkcount` to 0, then redirect to /.
// SECURITY: this is a state-changing GET and no CSRF protection is visible
// here, so the cookie can be rewritten by any request the browser is made to
// send. A safer design would use POST with a CSRF token.
// NOTE(review): `newhonk` is not type-checked. Express's default query parser
// can yield objects or arrays as well as strings, and res.cookie() serializes
// object values as JSON - confirm, and reject non-string values.
app.get('/changehonk', (req, res) => {
    res.cookie('honk', req.query.newhonk, {
        httpOnly: true
    });
    res.cookie('honkcount', 0, {
        httpOnly: true
    });
    res.redirect('/');
});

// POST /report: hand the submitted URL to the headless browser and reply 'honk'.
// SECURITY: `url` goes to goose.visit() unvalidated - no scheme or host
// allow-list is applied in this handler.
// The promise returned by visit() is not awaited, so the response is sent
// without waiting for the visit to finish.
app.post('/report', (req, res) => {
    const { url } = req.body;
    goose.visit(url);
    res.send('honk');
});

// Start the HTTP server and log a timestamped startup line once it is listening.
app.listen(PORT, () => {
    console.log(`${new Date()}: Web/honksay server listening on port ${PORT}`);
});

app.js

const puppeteer = require('puppeteer');
// Flag value from the FLAG environment variable; a placeholder is used when it is unset or empty.
const FLAG = process.env.FLAG || "maple{fake}";

/**
 * Launch a headless browser, store the flag as a cookie for `localhost`,
 * and open `url` in a new page.
 *
 * @param {string} url - address passed to page.goto(); it is not validated in this function.
 * @returns {Promise<void>} resolved at the end of the `finally` block; errors are logged, not propagated.
 */
async function visit(url) {
  let browser, page;
  // NOTE(review): the executor is async, so an exception thrown in `finally`
  // before resolve() is not forwarded to reject and the returned promise
  // would stay pending. `reject` is never called.
  return new Promise(async (resolve, reject) => {
    try {
      browser = await puppeteer.launch({
        headless: true,
        args: [
          // SECURITY: --no-sandbox turns off Chromium's sandbox while the
          // browser loads a URL supplied by the caller.
          '--no-sandbox',
          '--disable-default-apps',
          '--disable-dev-shm-usage',
          '--disable-extensions',
          '--disable-gpu',
          '--disable-sync',
          '--disable-translate',
          '--hide-scrollbars',
          '--metrics-recording-only',
          '--mute-audio',
          '--no-first-run',
          '--safebrowsing-disable-auto-update'
                ]
            });
        page = await browser.newPage();
        // The flag is stored as a cookie scoped to `localhost`. httpOnly is not
        // set, so script running in a localhost page can read it.
        // NOTE(review): Puppeteer's cookie option is spelled `sameSite`; this
        // lowercase `samesite` key is probably ignored - confirm.
        await page.setCookie({
            name: 'flag',
            value: FLAG,
            domain: 'localhost',
            samesite: 'none'
        });
        // Navigation errors are logged and swallowed, so the code below still runs.
        await page.goto(url, {waitUntil : 'networkidle2' }).catch(e => console.log(e));
        // page.cookies() is not awaited, so this logs a Promise rather than
        // the cookie list. Awaiting it would write the flag cookie to the log.
        console.log(page.cookies());
        // Leave the page open for a further 500 ms before closing it.
        await new Promise(resolve => setTimeout(resolve, 500));
        console.log("admin is visiting url:");
        console.log(url);
        await page.close();
        
        console.log("admin visited url");
        // Cleared so the `finally` block does not close the page a second time.
        page = null;
    } catch (err){
        console.log(err);
    } finally {
        // Clean up whatever is still open, then resolve on success or failure.
        if (page) await page.close();
        console.log("page closed");
        if (browser) await browser.close();
        console.log("browser closed");
        //no rejectz
        resolve();
        console.log("resolved");
    }
  });
};


// Export visit() for app.js, which calls it from the POST /report handler.
module.exports = { visit }

goose.js

可以看到flag是写在goose的cookie里的(domain为localhost,没有设置httpOnly),这就说明这道题是要我们用xss把goose的cookie带出来,但是xss的前提是需要执行js代码。如果我们直接把xss语句当作url提交,goose只会把它当成地址去访问,并不会执行其中的js代码,所以我们现在需要寻找一个能够执行js代码的地方,也就是会把我们的输入渲染进html的地方。

app.get('/', (req, res) => {
    if (req.cookies.honk){
        //construct object
        let finalhonk = {};
        if (typeof(req.cookies.honk) === 'object'){
            finalhonk = req.cookies.honk
        } else {
            finalhonk = {
                message: clean(req.cookies.honk), 
                amountoftimeshonked: req.cookies.honkcount.toString()
            };
        }
        res.send(template(finalhonk.message, finalhonk.amountoftimeshonked));

我们可以看到,在/路由中用了template,我们跟进到template

// SECURITY: goosemsg and goosecount are interpolated into the HTML as-is;
// nothing in this function escapes them.
const template = (goosemsg, goosecount) => `
<html>
<head>
<style>
H1 { text-align: center }
.center {
    display: block;
    margin-left: auto;
    margin-right: auto;
    width: 50%;
  }

  body {
    place-content:center;
    background:#111;
  }

  * {
    color:white;
  }

</style>
</head>
${goosemsg === '' ? '': `<h1> ${goosemsg} </h1>`}
<img src='/images/goosevie.png' width='400' height='700' class='center'></img>
${goosecount === '' ? '': `<h1> You have honked ${goosecount} times today </h1>`}

<form action="/report" method=POST style="text-align: center;">
  <label for="url">Did the goose say something bad? Give us feedback.</label>
  <br>
  <input type="text" id="site" name="url" style-"height:300"><br><br>
  <input type="submit" value="Submit" style="color:black">
</form>
</html>
`;

发现这是一个html模板,template把传入的两个参数直接拼进html,没有做任何转义。在/路由中,这两个参数分别是finalhonk.message和finalhonk.amountoftimeshonked

我们只要让这两个参数变成xss语句,再让goose去访问/路由就行了。接下来看看这两个值是否是我们可以控制的

  // Two paths: an object cookie is used as-is, while a string cookie has only
  // its `message` passed through clean().
  let finalhonk = {};
        if (typeof(req.cookies.honk) === 'object'){
            // SECURITY: no sanitization on this path; both fields are client-supplied.
            finalhonk = req.cookies.honk
        } else {
            // `honkcount` is converted with toString() but not filtered.
            finalhonk = {
                message: clean(req.cookies.honk), 
                amountoftimeshonked: req.cookies.honkcount.toString()
            };
        }

可以看到finalhonk是从cookie中得到的。注意当honk这个cookie是对象时(typeof为'object'的分支),finalhonk直接使用cookie的内容,不会经过clean()过滤;只有字符串的情况才会被clean()处理。但是我们只能更改自己的cookie,不能改goose的cookie,所以我们还要找一个能更改cookie的路由

// GET /changehonk: set the `honk` cookie from the `newhonk` query value and reset `honkcount` to 0.
// SECURITY: a state-changing GET with no CSRF protection visible here, and
// `newhonk` is stored without any type check or sanitization.
app.get('/changehonk', (req, res) => {
    res.cookie('honk', req.query.newhonk, {
        httpOnly: true
    });
    res.cookie('honkcount', 0, {
        httpOnly: true
    });
    res.redirect('/');
});

我们找到了changehonk这个路由可以通过get的newhonk参数来更改cookie,这样我们就能进行xss了

先尝试能不能弹窗

成功

接下来试试能不能带出cookie,记得要url编码一下

成功了

接着试试goose

发现带不出cookie,但是用fetch发送请求,把cookie放在body里就可以。

From: https://www.cnblogs.com/ragna30k/p/16654472.html
