00. 문제 파일
웹 1단계
01. 분석
뭐가 많아도 차근차근 보면 된다
// ag.js
module.exports = [
{
"id": 1,
"name": "FLAG",
"description": "DH{fake_flag}"
},
{
"id": 2,
"name": "DRAG",
"description": "To pull something along forcefully, often on the ground or another surface, causing friction or resistance. It also refers to the delay in performance or response time."
},
{
"id": 3,
"name": "SLAG",
"description": "The waste material produced by the smelting process, which involves separating metal from its ore. Slag is typically a mixture of metal oxides and silicon dioxide."
},
{
"id": 4,
"name": "SWAG",
"description": "Refers to stylish confidence in one's appearance or demeanor. It can also mean promotional goods or items given away for free as a form of advertising."
}
]// app.js
const express = require("express")
const words = require("./ag")
const app = express()
const PORT = 3000
app.use(express.urlencoded({ extended: true }))
function search(words, leg) {
return words.find(word => word.name === leg.toUpperCase())
}
app.get("/",(req, res)=>{
return res.send("hi guest")
})
app.post("/shop",(req, res)=>{
const leg = req.body.leg
if (leg == 'FLAG'){
return res.status(403).send("Access Denied")
}
const obj = search(words,leg)
if (obj){
return res.send(JSON.stringify(obj))
}
return res.status(404).send("Nothing")
})
app.listen(PORT,()=>{
console.log(`[+] Started on ${PORT}`)
})//nginx.conf
events {
worker_connections 1024;
}
http {
server {
listen 80;
listen [::]:80;
server_name _;
location = /shop {
deny all;
}
location = /shop/ {
deny all;
}
location / {
proxy_pass http://app:3000/;
}
}
}
대충 분석해보면 /shop이나 /shop/에 들어가면 deny all; 대충 아무것도 안되도록 해놓은 것 같다
/shop에서 leg가 flag이면 FLAG를 준다
02. Exploit
/shop필터링 우회가 가장 큰 핵심이다
-> 구글링 ㄱㄱ
/shop은 안되지만 대문자는 된다
/SHOP은 된다
/shop은 안된다
하하 /SHOP은 된다
냠
03. Review
/ 필터링 우회를 알게 되었다
postman을 사용하는 방법을 알게되었다
post를 해야되는데 get을 해서 왜 안되지?를 반복했ㄷ..
KDMHS 23 WP