Node.js原型链污染漏洞深入解析<\/h1>

一、Node.js基础概念<\/h2>

1. Node.js简介<\/h3>

Node.js是基于Chrome V8引擎的JavaScript运行时环境<\/li>
特点：事件驱动、非阻塞I\/O模型<\/li>

模块系统：通过

require<\/code>引入第三方模块<\/li>
<\/ul>
2. 同步与异步操作<\/h3>

同步<\/strong>：阻塞式操作，顺序执行
var<\/span> data<\/span> =<\/span> fs<\/span>.readFileSync<\/span>('file.txt'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
异步<\/strong>：非阻塞式操作，通过回调函数处理结果
fs<\/span>.readFile<\/span>('file.txt'<\/span>, function<\/span>(err<\/span>, data<\/span>) { ... });
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 关键模块<\/h3>
fs模块（文件系统）<\/h4>

提供文件操作功能<\/li>
同步\/异步方法对应：

readFileSync<\/code> \/ readFile<\/code><\/li>
writeFileSync<\/code> \/ writeFile<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
child_process模块（子进程）<\/h4>

创建子进程的方法：

异步：spawn<\/code>, exec<\/code>, execFile<\/code>, fork<\/code><\/li>
同步：spawnSync<\/code>, execSync<\/code>, execFileSync<\/code><\/li>
<\/ul>
<\/li>
安全风险：可能导致命令执行漏洞<\/li>
<\/ul>
二、JavaScript原型链机制<\/h2>
1. 核心概念<\/h3>


prototype<\/strong>：函数特有属性，指向原型对象<\/p>
function<\/span> Food<\/span>() { this<\/span>.bar<\/span> =<\/span> 1<\/span>; }
<\/span><\/span>Food<\/span>.prototype<\/span>.bar2<\/span> =<\/span> 2<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

proto<\/strong><\/strong>：对象属性，指向构造函数的原型对象<\/p>
let<\/span> food<\/span> =<\/span> new<\/span> Food<\/span>();
<\/span><\/span>console<\/span>.log<\/span>(food<\/span>.__proto__<\/span> ===<\/span> Food<\/span>.prototype<\/span>); \/\/ true
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 原型链继承<\/h3>

查找机制：

查找对象自身属性<\/li>
沿__proto__<\/code>向上查找原型链<\/li>
直到Object.prototype<\/code>（终点为null）<\/li>
<\/ol>
<\/li>
<\/ul>
function<\/span> Parent<\/span>() { this<\/span>.parentProp<\/span> =<\/span> 1<\/span>; }
<\/span><\/span>function<\/span> Child<\/span>() { this<\/span>.childProp<\/span> =<\/span> 2<\/span>; }
<\/span><\/span>Child<\/span>.prototype<\/span> =<\/span> new<\/span> Parent<\/span>();
<\/span><\/span>
<\/span><\/span>let<\/span> obj<\/span> =<\/span> new<\/span> Child<\/span>();
<\/span><\/span>console<\/span>.log<\/span>(obj<\/span>.parentProp<\/span>); \/\/ 通过原型链查找到
<\/span><\/span><\/span><\/code><\/pre>三、原型链污染漏洞原理<\/h2>
1. 基本概念<\/h3>
通过修改对象的原型属性，影响所有继承该原型的对象<\/p>
2. 漏洞示例<\/h3>
let<\/span> obj1<\/span> =<\/span> { a<\/span>:<\/span> 1<\/span> };
<\/span><\/span>obj1<\/span>.__proto__<\/span>.polluted<\/span> =<\/span> "污染值"<\/span>;
<\/span><\/span>
<\/span><\/span>let<\/span> obj2<\/span> =<\/span> {};
<\/span><\/span>console<\/span>.log<\/span>(obj2<\/span>.polluted<\/span>); \/\/ 输出"污染值"
<\/span><\/span><\/span><\/code><\/pre>3. 污染途径<\/h3>

通过__proto__<\/code>属性直接修改<\/li>
通过不安全的对象合并\/复制操作<\/li>
<\/ul>
四、实战案例分析<\/h2>
案例1：CTFSHOW Web334<\/h3>

漏洞点：大小写转换绕过
\/\/ 检查逻辑
<\/span><\/span><\/span><\/span>name<\/span> !==<\/span> 'CTFSHOW'<\/span> &&<\/span> item<\/span>.username<\/span> ===<\/span> name<\/span>.toUpperCase<\/span>()
<\/span><\/span><\/code><\/pre><\/li>
绕过方法：使用ctfshow<\/code>等非全大写形式登录<\/li>
<\/ul>
案例2：CTFSHOW Web335\/336<\/h3>

漏洞点：eval<\/code>命令执行<\/li>
绕过方法：
\/\/ 使用同步方法执行命令
<\/span><\/span><\/span><\/span>require<\/span>('child_process'<\/span>).execSync<\/span>('ls'<\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 或使用spawnSync
<\/span><\/span><\/span><\/span>require<\/span>('child_process'<\/span>).spawnSync<\/span>('ls'<\/span>).stdout<\/span>.toString<\/span>()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
案例3：CTFSHOW Web337<\/h3>

漏洞点：MD5比较绕过<\/li>
利用数组特性绕过严格比较：
?a[]=1&b[]=2
<\/code><\/pre>
<\/li>
<\/ul>
案例4：CTFSHOW Web338（原型链污染）<\/h3>

漏洞代码：
utils<\/span>.copy<\/span>(user<\/span>, req<\/span>.body<\/span>);
<\/span><\/span>if<\/span>(secret<\/span>.ctfshow<\/span> ===<\/span> '36dboy'<\/span>) { ... }
<\/span><\/span><\/code><\/pre><\/li>
攻击Payload：
{
<\/span><\/span>  "__proto__"<\/span>: {
<\/span><\/span>    "ctfshow"<\/span>: "36dboy"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
五、防御措施<\/h2>

避免使用不安全的对象合并函数<\/li>
冻结原型对象：
Object.freeze<\/span>(Object.prototype<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
使用Object.create(null)<\/code>创建无原型对象<\/li>
对用户输入进行严格过滤和验证<\/li>
使用hasOwnProperty<\/code>检查对象自身属性<\/li>
<\/ol>
六、扩展学习<\/h2>


其他Node.js常见漏洞：<\/p>

模板注入（SSTI）<\/li>
不安全的模块导入<\/li>
路径遍历<\/li>
<\/ul>
<\/li>

深入研究：<\/p>

V8引擎工作机制<\/li>
JavaScript原型继承模型<\/li>
Node.js事件循环机制<\/li>
<\/ul>
<\/li>
<\/ol>
通过深入理解原型链机制和Node.js运行原理，可以更好地识别和防御此类安全漏洞。<\/p>

Node.js原型链污染漏洞深入解析<\/h1>

一、Node.js基础概念<\/h2>

3. 关键模块<\/h3>

二、JavaScript原型链机制<\/h2>

三、原型链污染漏洞原理<\/h2>

1. 基本概念<\/h3> 通过修改对象的原型属性，影响所有继承该原型的对象<\/p>

四、实战案例分析<\/h2>

1. 基本概念<\/h3>
通过修改对象的原型属性，影响所有继承该原型的对象<\/p>