image.png

    原型污染就是指攻击者通过某种手段修改 JavaScript 对象的 prototype

    只有在下面3个条件同时满足时,漏洞利用才会发生:

    1. 对象递归合并
    2. 属性通过路径定义
    3. 对象克隆
    1. 'use strict';
    3. const express = require('express');
    4. const bodyParser = require('body-parser')
    5. const cookieParser = require('cookie-parser');
    6. const path = require('path');
    9. const isObject = obj => obj && obj.constructor && obj.constructor === Object;
    11. function merge(a, b) {
    12.     for (var attr in b) {
    13.         if (isObject(a[attr]) && isObject(b[attr])) {
    14.             merge(a[attr], b[attr]);
    15.         } else {
    16.             a[attr] = b[attr];
    17.         }
    18.     }
    19.     return a
    20. }
    22. function clone(a) {
    23.     return merge({}, a);
    24. }
    26. // Constants
    27. const PORT = 8080;
    28. const HOST = '0.0.0.0';
    29. const admin = {};
    31. // App
    32. const app = express();
    33. app.use(bodyParser.json())
    34. app.use(cookieParser());
    36. app.use('/', express.static(path.join(__dirname, 'views')));
    37. app.post('/signup', (req, res) => {
    38.     var body = JSON.parse(JSON.stringify(req.body));
    39.     var copybody = clone(body)
    40.     if (copybody.name) {
    41.         res.cookie('name', copybody.name).json({
    42.             "done": "cookie set"
    43.         });
    44.     } else {
    45.         res.json({
    46.             "error": "cookie not set"
    47.         })
    48.     }
    49. });
    50. app.get('/getFlag', (req, res) => {
    51.     var аdmin = JSON.parse(JSON.stringify(req.cookies))
    52.     if (admindmin == 1) {
    53.         res.send("hackim19{}");
    54.     } else {
    55.         res.send("You are not authorized");
    56.     }
    57. });
    58. app.listen(PORT, HOST);
    59. console.log(`Running on http://${HOST}:${PORT}`);

    image.png