[UnionCTF2021]Cr0wnAir
最近天天被外国比赛暴打……这次UnionCTF两个web，一个是sqlite的union注入，零过滤，百度来的payload都能打通；另一个就是这道题，还蛮有意思的，后面这一步利用感觉还比较实用，学习了。
源码
只贴一部分
checkin.js
// jpv validation schema for the check-in request body (validated with mode: "strict" below).
// Each value is the regex the corresponding field must fully match (anchored with ^ and $).
const pattern = {
// \w is [A-Za-z0-9_]: 1 to 30 such characters, so no spaces or hyphens.
firstName: /^\w{1,30}$/,
lastName: /^\w{1,30}$/,
// exactly nine ASCII digits
passport: /^[0-9]{9}$/,
// either the empty string or "CA" followed by eight digits
ffp: /^(|CA[0-9]{8})$/,
// list of extra-service entries; each entry is expected to look like {sssr: <code>}.
// The allowlist here is BULK|UMNR|VGML, while the handler further down compares
// sssr against "FQTU" — a value this schema never admits.
extras: [
{sssr: /^(BULK|UMNR|VGML)$/},
],
};
/**
 * Decide whether a passenger qualifies for "gold" status.
 *
 * Stub: every caller gets false regardless of input, so no passenger is
 * ever treated as special by createToken(). Both parameters are accepted
 * for interface compatibility and are otherwise ignored.
 *
 * @param {string} passport - unused
 * @param {string} frequentFlyerNumber - unused
 * @returns {boolean} always false
 */
function isSpecialCustomer(passport, frequentFlyerNumber) {
  const qualifies = false;
  return qualifies;
}
/**
 * Build the signed check-in token for a frequent flyer.
 *
 * The payload carries two claims: `status`, which is "gold" only when
 * isSpecialCustomer() says so (in this file that function always returns
 * false, so "bronze" is the only value actually produced), and `ffp`,
 * which is frequentFlyerNumber exactly as passed in — this function does
 * not validate it and relies on the caller having done so.
 *
 * @param {string} passport - passport number forwarded to isSpecialCustomer()
 * @param {string} frequentFlyerNumber - frequent flyer number embedded as `ffp`
 * @returns {string} JWT signed with config.privkey using RS256
 */
function createToken(passport, frequentFlyerNumber) {
  let status = "bronze";
  if (isSpecialCustomer(passport, frequentFlyerNumber)) {
    status = "gold";
  }
  const body = { status, ffp: frequentFlyerNumber };
  return jwt.encode(body, config.privkey, 'RS256');
}
.....
if (jpv.validate(data, pattern, { debug: true, mode: "strict" })) {
if (data["firstName"] == "Tony" && data["lastName"] == "Abbott") {
var response = {msg: "You have successfully checked in! Please remember not to post your boarding pass on social media."};
} else if (data["ffp"]) {
var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer."};
for(e in data["extras"]) {
if (data["extras"][e]["sssr"] && data["extras"][e]["sssr"] === "FQTU") {
var token = createToken(data["passport"], data["ffp"]);
var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer. Your loyalty has been rewarded and you have been marked for an upgrade, please visit the upgrades portal.", "token": token};
}
}