
2024 CISCN Northeast Regional Writeup

June 2, 2024

BREAK

simple_upload

Capture the request and modify it; the upload fails.
The server is Apache, so use .htaccess to change how the file is handled, then put the webshell inside a jpg.
Upload the webshell as 1.jpg:
```php
<?php
// one-line webshell: evaluates the "cmd" POST parameter
eval($_POST["cmd"]);
?>
```
Connect with AntSword, use its plugin to bypass disable_functions, call /readflag, and get the flag.

baselogic

The request headers contain a cookie.
Visiting dwdwgadag.html lets you log in as the aaa account.
Guessing SQL injection, try the universal password 1' or 1='1.
Got the flag.

welcome

F12.

leakleak

Open the page and press F12; the source contains a hint about .git.
Git source leak; restore it with GitHack. In the history versions
we get find_me.php, which contains a character-less eval.

FIX

CyberHunter

Filter keywords such as __proto__, constructor and "prototype" to prevent prototype pollution:
```javascript
// Recursively strip keys that can reach Object.prototype.
function cleanObject(obj) {
    for (const prop in obj) {
        if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
            delete obj[prop];
        } else if (typeof obj[prop] === 'object') {
            cleanObject(obj[prop]);
        }
    }
}

// Parse JSON and sanitize the result before it is used anywhere.
function parseObject(str) {
    let obj = JSON.parse(str);
    cleanObject(obj);
    return obj;
}

cleanObject(req.body)
const { username, password } = req.body

let user = {
    username: parseObject(username),
    password: parseObject(password),
    auth: "GenshinImpact"
}
```
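To show why the fix above matters, here is an added example (not the challenge's code) in which a naive recursive merge of a constructed request body containing a `__proto__` key pollutes Object.prototype, while running the same filter first prevents it; `unsafeMerge`, `demo` and the `BODY` payload are assumed for the demonstration.

```javascript
// Naive deep merge of the kind that is vulnerable to prototype pollution:
// for key "__proto__", target[key] resolves to Object.prototype and the
// recursion then writes the attacker's properties onto it.
function unsafeMerge(target, source) {
    for (const key in source) {
        if (typeof source[key] === 'object' && source[key] !== null) {
            if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
            unsafeMerge(target[key], source[key]);
        } else {
            target[key] = source[key];
        }
    }
    return target;
}

// Same filtering idea as the CyberHunter fix, with a null guard added.
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);
function cleanObject(obj) {
    if (obj === null || typeof obj !== 'object') return obj;
    for (const prop of Object.keys(obj)) {
        if (DANGEROUS.has(prop)) {
            delete obj[prop];   // JSON.parse makes "__proto__" an own key, so delete works
        } else {
            cleanObject(obj[prop]);
        }
    }
    return obj;
}

// Constructed request body (not from the challenge).
const BODY = '{"username":"aaa","__proto__":{"auth":"admin"}}';

// Returns what a fresh object reports for "auth" after the merge:
// "admin" if Object.prototype was polluted, undefined otherwise.
function demo(sanitize) {
    const parsed = JSON.parse(BODY);
    unsafeMerge({}, sanitize ? cleanObject(parsed) : parsed);
    const leaked = ({}).auth;
    delete Object.prototype.auth;   // reset so runs are independent
    return leaked;
}

console.log('unsanitized:', demo(false)); // "admin"
console.log('sanitized:  ', demo(true));  // undefined
```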

simple_upload

Change the blacklist to a whitelist:
```php
// $ext is assumed to hold the lowercased extension of the uploaded file name;
// the pattern is anchored so only an exact allowed extension passes.
if (!preg_match("/^(jpg|jpeg|png|gif)$/", $ext)) {
    die("upload failed"); // assumed error handling
}
```

leakleak

Remove the backdoor and the .git leak.

baselogic

Fix the SQL injection with prepared statements:
```php
$checkEmailSql = $conn->prepare("SELECT * FROM users WHERE username=?");
$checkEmailSql->bind_param("s", $username);
$checkEmailSql->execute();
$checkResult = $checkEmailSql->get_result();

$insertTokenSql = $conn->prepare("REPLACE INTO password_reset_tokens (username, token) VALUES (?, ?)");
$insertTokenSql->bind_param("ss", $username, $token);
$insertTokenSql->execute();

$sql = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$sql->bind_param("ss", $username, $password);
$sql->execute();
$result = $sql->get_result();

$checkTokenSql = $conn->prepare("SELECT * FROM password_reset_tokens WHERE token=? AND username=?");
$checkTokenSql->bind_param("ss", $token, $user);
$checkTokenSql->execute();
$checkResult = $checkTokenSql->get_result();

$updatePasswordSql = $conn->prepare("UPDATE users SET password=? WHERE username=?");
$updatePasswordSql->bind_param("ss", $newPassword, $user);
$updatePasswordSql->execute();

$deleteTokenSql = $conn->prepare("DELETE FROM password_reset_tokens WHERE token=?");
$deleteTokenSql->bind_param("s", $token);
$deleteTokenSql->execute();
```
Fix the logic vulnerability by generating the reset token from a CSPRNG:
```php
$token = base64_encode(bin2hex(random_bytes(5)));
```