SodaFactory
First time running into a Node.js SSTI; my fundamentals weren't solid and I couldn't construct a statement that would execute, so I'm writing this down.
```js
const express = require('express')
const soda = require('sodajs/node');

const app = express()
app.use(express.static('public'))
app.use(express.urlencoded({ extended: true }))

var images = {
  coke: "https://kellysdistributors.com.au/wp-content/uploads/387-1.jpg",
  pepsi: "https://static.winc.com.au/pi/70/0f795e8e7cbb8d4c874032865e2c8a246d6416-155505/lgsq.jpg",
  fanta: "https://cdn.shopify.com/s/files/1/2070/6751/products/Fanta.jpg?v=1545098502",
}

app.post('/makeSoda', (req, res) => {
  var {name, brand} = req.body;
  img = images[brand];
  res.send(soda(`
    <title>${name}</title> // template injection here: user input is spliced into the template source
    <img src='${img}' alt='${name}'>
  `, {}))
})

app.listen(process.env.PORT, '0.0.0.0', () => {
  console.log(`Listening`)
})
```
After the contest I read the writeup: it's about making use of the constructor function.
Through the constructor you build an expression that returns the environment variables, which gets you the flag.
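Added example (my own code, not the challenge's): the root cause above is that `name` and `brand` are spliced into the template *source* before sodajs parses it, so template syntax in the input is executed rather than displayed. The block reproduces that builder beside a hardened one that keeps the template constant and passes input as data only; the `{{name}}` placeholder syntax, the explicit HTML escaping (sodajs's own escaping is not relied on here) and the shortened image values are assumptions.

```javascript
// Same lookup table shape as the challenge; values shortened for the example.
const images = { coke: 'coke.jpg', pepsi: 'pepsi.jpg', fanta: 'fanta.jpg' };

// What the challenge does: user input becomes part of the template text, so any
// template syntax inside `name` is parsed by the engine instead of shown as text.
// Note that plain property access also resolves inherited keys such as 'constructor'.
function vulnerableTemplate(name, brand) {
  const img = images[brand];
  return `<title>${name}</title><img src='${img}' alt='${name}'>`;
}

// Hardened version: the template never changes; user values travel in the data
// object and are bound by the engine (assumed {{ }} placeholder syntax).
const SAFE_TEMPLATE = "<title>{{name}}</title><img src='{{img}}' alt='{{name}}'>";

// Explicit HTML escaping for the data values (assumption: do it ourselves rather
// than rely on engine auto-escaping).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only own keys of the table are valid brands, so 'constructor', '__proto__'
// and friends no longer resolve to something on Object.prototype.
function lookupImage(brand) {
  return Object.prototype.hasOwnProperty.call(images, brand) ? images[brand] : null;
}

// Returns what the handler should hand to soda(): a fixed template plus data.
function safeRender(name, brand) {
  const img = lookupImage(brand);
  if (img === null) throw new Error('unknown brand');
  if (typeof name !== 'string' || name.length > 64) throw new Error('bad name');
  return { template: SAFE_TEMPLATE, data: { name: escapeHtml(name), img } };
}

// Constructed probe: a harmless arithmetic expression in template syntax. In the
// vulnerable builder it lands in the template source; in the safe one it stays data.
const PROBE = '{{ 7 * 7 }}';
```

Detection hint from the same idea: if you log the rendered template source and ever see `{{` in it that the developer did not write, the input reached the parser.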