Profile
Name: 오승주 (as3617)
Education:
KAIST (Undergraduate) - 2023.02 ~
Korea Digital Media High School (Graduated) - 2019.03 ~ 2022.02
Team: Defenit / CodeRed / Super Guesser
Awards
2019
2019, Hacking Championship Junior Quals 1st
2019, Cyberoc Quals 4th
2019, Hacking Championship Junior Finals 4th
2020
2020, Cyberoc Quals 3rd
2020, Cyberoc Finals 3rd
2020, HackTM Finals 2nd (Team ROK YoungBloods)
2021
202..
In this challenge you abuse the differences between the Go multipart parser and the PHP multipart parser to bypass the WAF, then use CVE-2022-31628 to trigger a DoS, upload a web shell, and get RCE.
if r.Method == "POST" {
    mr, err := r.MultipartReader()
    if err != nil {
        r.Body.Close()
        fmt.Println("Http request is corrupted.")
        return
    } else {
        var b bytes.Buffer
        w := multipart.NewWriter(&b)
        reuseBody ..
This is a service that supports building PPT slides from markdown.
The global filter and routing can be seen in app.js in the provided files.
app.use((req, res, next) => {
  if (req.session.userid || req.path.startsWith("/auth/")) return next();
  return res.redirect("/auth/login");
});
app.use((req, res, next) => {
  if (req.method === "POST") {
    for (const key in req.body) {
      if (req.body[key] && typeof req.body[key] !== "string") {..
Bubble: ReRevenge
Vulnerability
Client Side Path Traversal
e and t are controlled by Path parameters.
As shown in the picture above, we can manipulate the API request path using path traversal.
Self XSS
When writing a post, self-XSS occurs in the preview function.
Chaining
Admin bot works as follows.
Register
add post with flag
visit post
write comment with post's author name
back to dashboard, and write ..
It had been a while since I last played a CTF, and I had fun solving this one.
const crypto = require("crypto");
const app = db.getSiblingDB('app');
app.users.insertOne({ user: crypto.randomBytes(8).toString("hex"), pass: crypto.randomBytes(64).toString("hex") });
const secret = db.getSiblingDB('secret');
secret.flag.insertOne({ flag: process.env.FLAG || "dice{test_flag}" });
The web server is implemented in Node.js, and the flag is in a MongoDB instance running in a different container.
app.post("/api/login..
#!/usr/local/bin/node
process.stdin.setEncoding('utf-8');
process.stdin.on('readable', () => {
  try{
    console.log('HTTP/1.1 200 OK\nContent-Type: text/html\nConnection: Close\n');
    const json = process.stdin.read().match(/\?(.*?)\ /)?.[1];
    console.log(json)
    obj = JSON.parse(json);
    console.log(`JSON: ${json}, Object:`, require('./index')(obj, {}));
  }catch(error){
    require('./usage')..
This post is protected.
This post is protected.