Open roaris opened 3 months ago
index.js
const path = require('path');
const express = require('express');
const pug = require('pug');
const { unflatten } = require('flat');
const router = express.Router();
router.get('/', (req, res) => {
return res.sendFile(path.resolve('views/index.html'));
});
router.post('/api/submit', (req, res) => {
const { artist } = unflatten(req.body);
if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
return res.json({
'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
});
} else {
return res.json({
'response': 'Please provide us with the full name of an existing member.'
});
}
});
module.exports = router;
これだけでフラグを読み取れるのか?という気がする unflattenについて : https://www.npmjs.com/package/flat pugはNode.jsのテンプレートエンジン : https://github.com/pugjs/pug
pug exploit
で検索するとhttps://security.snyk.io/vuln/SNYK-JS-PUG-1071616 が出てきた
影響を受けるのはバージョン3.0.1未満
yarn.lockを見ると、バージョン3.0.0だった
pug@^3.0.0:
version "3.0.0"
resolved "https://registry.yarnpkg.com/pug/-/pug-3.0.0.tgz#101eecd7a236cd9906e420e17799d4d57f2b7d93"
integrity sha512-inmsJyFBSHZaiGLaguoFgJGViX0If6AcfcElimvwj9perqjDpUpw79UIEDZbWFmoGVidh08aoE+e8tVkjVJPCw==
dependencies:
pug-code-gen "^3.0.0"
pug-filters "^4.0.0"
pug-lexer "^5.0.0"
pug-linker "^4.0.0"
pug-load "^3.0.0"
pug-parser "^6.0.0"
pug-runtime "^3.0.0"
pug-strip-comments "^2.0.0"
flatにも脆弱性があるらしい https://github.com/advisories/GHSA-2j2x-2gpw-g8fm 影響を受けるのはバージョン5.0.1未満 yarn.lockを見ると、バージョン5.0.0だった
flat@5.0.0:
version "5.0.0"
resolved "https://registry.yarnpkg.com/flat/-/flat-5.0.0.tgz#dab7d71d60413becb0ac2de9bf4304495e3af6af"
integrity sha512-6KSMM+cHHzXC/hpldXApL2S8Uz+QZv+tq5o/L0KQYleoG+GcwrnIJhTWC7tCOiKQp8D/fIvryINU1OZCCwevjA==
dependencies:
is-buffer "~2.0.4"
https://github.com/nandan-desai-extras/prototype-pollution/blob/master/gunship-walkthrough.md writeup読んだけど、pugのソースコードを追っていく必要があるらしい
https://app.hackthebox.com/challenges/Gunship