There seems to be a problem with the parseInt call.
Before parseInt, issue has to be less than 9, and after parseInt we need issue to be less than 10.
After some research we found that scientific notation lets us satisfy both conditions.
when the value of issue is
We craft issue as "9.999e-1": the first check evaluates it as the number 0.9999, which passes, while parseInt("9.999e-1") stops at the first non-digit and returns 9.
Since the value of issue is now 9, it also passes the second check and returns res.json(article[9]).
Web - No Code
```python
from flask import Flask, request, jsonify
import re

app = Flask(__name__)

@app.route('/execute', methods=['POST'])
def execute_code():
    code = request.form.get('code', '')
    # Intended filter: reject any input that contains printable ASCII
    if re.match(".*[\x20-\x7E]+.*", code):
        return jsonify({"output": "jk lmao no code"}), 403
    result = ""
    try:
        result = eval(code)  # the challenge's intentionally unsafe sink
    except Exception as e:
        result = str(e)
    return jsonify({"output": result}), 200

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=1337, debug=False)
```
re.match(".*[\x20-\x7E]+.*", code)
This regex uses re.match() to check whether the code string contains any printable ASCII characters. Let's break down the components:
.*: Matches any character (except for a newline) zero or more times.
[\x20-\x7E]+: This is a character class that matches one or more characters within the hexadecimal range \x20 (space) to \x7E (tilde). This range represents the printable ASCII characters, including letters, digits, punctuation, and some special characters.
Entering a newline at the start of the input bypasses the regex check: re.match only anchors at the start of the string and `.` does not match a newline, so the pattern never gets past the first character.
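To make the failure mode concrete, here is an added example (not the challenge's code) that runs the original filter and a corrected one over constructed inputs; the function and sample names are my own.

```python
import re

# The challenge's filter as written. re.match anchors at the start of the
# string and "." does not match "\n", so input that begins with a newline
# never satisfies ".*[\x20-\x7E]+.*" and is waved through.
FLAWED_RE = re.compile(r".*[\x20-\x7E]+.*")
# Corrected: search anywhere in the string for a single printable byte; no
# leading ".*" is needed, so a newline cannot hide what follows it.
PRINTABLE_RE = re.compile(r"[\x20-\x7E]")

def flawed_rejects(code: str) -> bool:
    """True when the original filter would block this input."""
    return FLAWED_RE.match(code) is not None

def hardened_rejects(code: str) -> bool:
    """True when the corrected filter blocks this input."""
    return PRINTABLE_RE.search(code) is not None

def compare(samples):
    """Return {sample: (flawed_blocks, hardened_blocks)} for review."""
    return {s: (flawed_rejects(s), hardened_rejects(s)) for s in samples}

# Constructed inputs (harmless text; only the position of "\n" matters)
SAMPLES = [
    "print(1)",        # plain printable text: both filters block it
    "\nprint(1)",      # leading newline: slips past re.match
    "print(1)\n",      # trailing newline: still caught, ".*" backtracks
    "\x01\x02",        # no printable bytes at all: neither filter fires
]

if __name__ == "__main__":
    for sample, verdict in compare(SAMPLES).items():
        print(repr(sample), verdict)
```

Fixing the regex only narrows the filter; the durable fix is to remove the eval() sink altogether.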
In the mysterious depths of the digital sea, a specialized JavaScript calculator has been crafted by tech-savvy squids. With multiple arms and complex problem-solving skills, these cephalopod engineers use it for everything from inkjet trajectory calculations to deep-sea math. Attempt to outsmart it at your own risk! 🦑
Poking through the website, we found that it uses eval(); in this case it directly executes the supplied JavaScript.
Looking at the routes, /api/calculate accepts a variable called 'formula' and passes it to the calculatorHelp calculator for processing.
utils.py defines the restriction for the proxy_req function mentioned earlier: it checks whether the url parameter contains any of the keywords in the RESTIRCTED_URLS list, then acts as a proxy, sends the request and forwards the response back to the user.
```python
from flask import request

def proxy_req(url):
    method = request.method
    # Forward only a small set of the client's headers
    headers = {
        key: value
        for key, value in request.headers
        if key.lower() in ['x-csrf-token', 'cookie', 'referer']
    }
    data = request.get_data()
    # remainder of the function not shown in the write-up
```
Now the task is clearer: we have to craft an SSRF attack targeting /debug/environment and leak the environment settings that contain the flag.
Firstly, we have to bypass the restriction of RESTRICTED_LIST. It can easily be bypassed by representing the IP address in decimal; HackTricks also lists other ways of writing localhost.
Secondly, we cannot directly input a URL pointing to the endpoint, as the application embeds a reddit in front of our provided input.
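As an added example that is not part of the write-up, the keyword check beside an allowlist that normalises the address first; the RESTRICTED_URLS contents and the function names are assumptions, since the page does not print the real list.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed contents modelled on the challenge's keyword list (the write-up does
# not print the real RESTRICTED_URLS); the values only illustrate the pattern.
RESTRICTED_URLS = ["localhost", "127.0.0.1", "0.0.0.0"]

def blocklist_allows(url: str) -> bool:
    """Keyword-style check: blocked only if one of the listed strings appears."""
    return not any(bad in url for bad in RESTRICTED_URLS)

def host_to_ip(host: str):
    """Normalise the different spellings of a literal address to one object.
    Dotted quad and IPv6 go straight through; plain integers (2130706433) and
    hex (0x7f000001) are the alternative forms that a keyword list never sees."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None  # a DNS name: a real proxy must resolve it, then re-check

def allowlist_allows(url: str) -> bool:
    """Allow only http(s) to an address that is not loopback, private or unspecified."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = host_to_ip(parts.hostname)
    if ip is None:
        return False  # offline example: refuse names we cannot resolve here
    return not (ip.is_loopback or ip.is_private
                or ip.is_link_local or ip.is_unspecified)

if __name__ == "__main__":
    for url in ("http://127.0.0.1/debug/environment",
                "http://2130706433/debug/environment"):
        print(url, blocklist_allows(url), allowlist_allows(url))
```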
You’ve found a website that lets you input remote templates for rendering. Your task is to exploit this system’s vulnerabilities to access and retrieve a hidden flag. Good luck!
From the description it seems like a Server Side Template Injection.
In the getTpl function, it retrieves the remote page and renders it as an HTML template.
Humanity has exploited our allies, the dart frogs, for far too long, take back the freedom of our lovely poisonous friends. Malicious input is out of the question when dart frogs meet industrialisation. 🐸
In index.php:
```php
if (empty($_COOKIE['PHPSESSID'])) {
    $page = new PageModel;
    $page->file = '/www/index.html';
    // remainder of the handler not shown in the write-up
}
```
The page deserializes the cookie to decide what to render.
The file to render is indicated by the file attribute.
Below is the breakdown of the serialized object:
- `O:9:"PageModel":1`:
  - `O`: Denotes an object.
  - `9`: The length of the class-name string that follows ("PageModel" is 9 characters).
  - `"PageModel"`: Name of the class (in this case, "PageModel").
  - `1`: Indicates there is 1 property in the serialized object.
- `{s:4:"file";s:15:"/www/index.html";}`:
  - `s:4:"file";`: A string of length 4 for the property name "file".
  - `s:15:"/www/index.html";`: A string of length 15 for the value "/www/index.html".
The only field we have to modify is `s:15:"/www/index.html"`.
Then we control what is rendered on the page.
It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!
The neon.rb file shows that the POST route renders user input with the ERB template engine.
```ruby
require 'sinatra/base'
require 'erb'

class NeonControllers < Sinatra::Base
  configure do
    set :views, "app/views"
    set :public_dir, "public"
  end

  get '/' do
    @neon = "Glow With The Flow"
    erb :'index'
  end

  post '/' do
    # ^ and $ are line anchors in Ruby, so only one line of the input is checked
    if params[:neon] =~ /^[0-9a-z ]+$/i
      @neon = ERB.new(params[:neon]).result(binding)
    else
      @neon = "Malicious Input Detected"
    end
    erb :'index'
  end
end
```
The regex anchors ^ and $ match the start and end of a line, not of the whole string (Ruby's whole-string anchors are \A and \z), and allow only letters, digits and spaces on that line.
Yeah, we managed to read the file; now we can just change /etc/passwd to /flag.txt and we get the flag.
C.O.P - Easy
The C.O.P (Cult of Pickles) have started up a new web store to sell their merch. We believe that the funds are being used to carry out illicit pickle-based propaganda operations! Investigate the site and try and find a way into their operation!
Taking a blackbox approach first, we found that the site shows the ID of the item.
The item is listed in the URL:
http://localhost:1337/view/1
Tried sqlmap to identify any possible SQLi.
However, there's some problem with the URL: it doesn't have a parameter to inject, so I need to manually add a * in the Burp request and save it.
In item.html the template engine deserializes the items and renders them on the webpage.
```jinja
{% set item = product | pickle %}
```
Since there is no restriction, we can pass in a base64-encoded object that triggers an os.system command to achieve RCE.
In the payload class, we use the __reduce__ method to return a tuple that includes the operating system command as an argument. Then we create an object from that payload class, serialize it and Base64-encode it; that encoded string is all the input we need from there.
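The defensive counterpart, as an added example that is not the challenge's code: the same __reduce__ mechanism, pointed at a harmless callable here, against a restricted unpickler that refuses every global except the product class. The Product class, SAFE_GLOBALS and the base64 wrapper are assumptions standing in for whatever the `pickle` template filter really does.

```python
import base64
import io
import os
import pickle

class Product:
    """Stand-in for the shop's product record; the real class is not shown."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name

class Gadget:
    """Same __reduce__ trick the write-up describes, but aimed at a harmless
    callable (os.getcwd) rather than os.system, so loading it has no side effect."""
    def __reduce__(self):
        return (os.getcwd, ())

# Only this global may be resolved while unpickling: the product class itself.
SAFE_GLOBALS = {(Product.__module__, "Product")}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global not on the allowlist; an os.* reference lands here."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def encode(obj) -> str:
    """Base64-encoded pickle, the shape the template filter would receive."""
    return base64.b64encode(pickle.dumps(obj)).decode()

def safe_loads_b64(data: str):
    """Drop-in for a bare pickle.loads(base64.b64decode(data))."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(data))).load()

def demo():
    """Return (name of the legitimately loaded product, whether the gadget was blocked)."""
    product = safe_loads_b64(encode(Product(1, "pickle jar")))
    try:
        safe_loads_b64(encode(Gadget()))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return product.name, blocked

if __name__ == "__main__":
    print(demo())
```

An allowlisting unpickler limits the damage, but untrusted input is still better carried as JSON than as a pickle.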
It’s that time of the year again! Write a letter to the Easter bunny and make your wish come true! But be careful what you wish for because the Easter bunny’s helpers are watching!
The / path defines that it will render index.html and pass the CDN url to it.
To be more detailed, as I am not familiar with Node.js syntax:
The `??` operator used here is the nullish coalescing operator in JavaScript. It returns the left-hand operand if it is not null or undefined; if the left-hand side is null or undefined it returns the right-hand operand, in this case 80.