*ez_json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
const express = require('express');
const app = express();
var bodyParser = require('body-parser');
app.use(bodyParser.json());
const fs = require("fs");
const session = require("express-session");
const cookieParser = require('cookie-parser');
session_secret = Math.random().toString(36).substr(2);
app.use(cookieParser(session_secret));
app.use(session({
secret: session_secret,
resave: true,
saveUninitialized: true
}));
function copyArray(arr1) {
var arr2 = new Array(arr1.length);
for (var i = 0; i < arr1.length; i++) {
if (arr1[i] instanceof Object) {
arr2[i] = copyArray(arr1[i]);
} else {
arr2[i] = arr1[i];
}
}
return arr2;
}
app.get('/', function(req, res) {
res.send('see `/src`');
});
app.post('/get_admin', function(req, res) {
if (req.body.name) {
req.session.user = {
"username": req.body.name
};
const properties = req.body.properties;
for (let i = 0; i < properties.length; i++) {
if (properties[i] == 'admin') {
res.send('cant set admin by self');
return;
}
}
req.session.user.properties = copyArray(properties);
res.send('Success');
} else {
res.send("input username");
}
console.log(req.session.user)
console.log(req.session.user.__proto__)
});
app.post('/flag', function(req, res) {
if (req.session.user && req.session.user.properties) {
for (var i = 0; i < req.session.user.properties.length; i++) {
if (req.session.user.properties[i] == 'admin') {
try {
const data = fs.readFileSync('/flag');
res.send(data)
} catch (err) {
res.send("fail to open flag")
console.error(err);
}
}
}
} else {
res.send("not vm2 tester rights");
}
});
app.get('/src', function(req, res) {
var data = fs.readFileSync('app.js');
res.send(data.toString());
});
app.listen(3000, function() {
console.log('start listening on port 3000');
});
|
提示说不是原型链污染,分析代码也得知并不是沙箱逃逸