*ez_json
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
| const express = require('express'); const app = express(); var bodyParser = require('body-parser');
app.use(bodyParser.json());
const fs = require("fs"); const session = require("express-session"); const cookieParser = require('cookie-parser');
session_secret = Math.random().toString(36).substr(2);
app.use(cookieParser(session_secret)); app.use(session({ secret: session_secret, resave: true, saveUninitialized: true }));
function copyArray(arr1) { var arr2 = new Array(arr1.length); for (var i = 0; i < arr1.length; i++) { if (arr1[i] instanceof Object) { arr2[i] = copyArray(arr1[i]); } else { arr2[i] = arr1[i]; } } return arr2; }
app.get('/', function(req, res) { res.send('see `/src`'); });
app.post('/get_admin', function(req, res) { if (req.body.name) { req.session.user = { "username": req.body.name }; const properties = req.body.properties; for (let i = 0; i < properties.length; i++) { if (properties[i] == 'admin') { res.send('cant set admin by self'); return; } } req.session.user.properties = copyArray(properties); res.send('Success'); } else { res.send("input username"); } console.log(req.session.user) console.log(req.session.user.__proto__) });
app.post('/flag', function(req, res) { if (req.session.user && req.session.user.properties) { for (var i = 0; i < req.session.user.properties.length; i++) { if (req.session.user.properties[i] == 'admin') { try { const data = fs.readFileSync('/flag'); res.send(data) } catch (err) { res.send("fail to open flag") console.error(err); } } } } else { res.send("not vm2 tester rights"); } });
app.get('/src', function(req, res) { var data = fs.readFileSync('app.js'); res.send(data.toString()); });
app.listen(3000, function() { console.log('start listening on port 3000'); });
|
提示说不是原型链污染,分析代码也得知并不是沙箱逃逸