CATCTF wife原型链污染

原型链污染原理：https://drun1baby.github.io/2022/12/29/JavaScript-%E5%8E%9F%E5%9E%8B%E9%93%BE%E6%B1%A1%E6%9F%93/

如下代码，prototype是newClass类的一个属性。newClass 实例化的对象 newObj 的 .__proto__ 指向 newClass 类的 prototype

<pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="javascript" cid="n22" mdtype="fences" style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; box-sizing: border-box; overflow: visible; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; margin-top: 0px; margin-bottom: 20px; font-size: 0.9rem; display: block; break-inside: avoid; text-align: left; white-space: normal; background-color: rgb(51, 51, 51); padding: 10px 10px 10px 30px; width: inherit; caret-color: rgb(184, 191, 198); color: rgb(184, 191, 198); position: relative !important;">function newClass() {this.test = 1;
}var newObj = new newClass();</pre>

JSON 解析的情况下，__proto__ 会被认为是一个真正的“键名”，而不代表“原型”。如果是let o2 = {a: 1, "__proto__": {b: 2}}则__proto__会被认为是o2的原型。如果作为键名（不会被解析）就会作为子类的原型

<pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="javascript" cid="n24" mdtype="fences" style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; box-sizing: border-box; overflow: visible; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; margin-top: 0px; margin-bottom: 20px; font-size: 0.9rem; display: block; break-inside: avoid; text-align: left; white-space: normal; background-color: rgb(51, 51, 51); padding: 10px 10px 10px 30px; width: inherit; caret-color: rgb(184, 191, 198); color: rgb(184, 191, 198); position: relative !important;">let o1 = {}
let o2 = JSON.parse('{"a": 1, "proto": {"b": 2}}')
merge(o1, o2)
console.log(o1.a, o1.b)o3 = {}
console.log(o3.b)</pre>

merge用于合并对象

merge 操作是最常见可能控制键名的操作，也最能被原型链攻击，很多常见的库都存在这个问题。

原型链污染

CATCTF 2022 wife

靶场：https://adworld.xctf.org.cn/challenges/details?hash=e5ba95f8-884a-11ed-ab28-000c29bc20bf&task_category_id=3

注册部分的代码：

<pre class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" lang="js" cid="n31" mdtype="fences" style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; box-sizing: border-box; overflow: visible; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; margin-top: 0px; margin-bottom: 20px; font-size: 0.9rem; display: block; break-inside: avoid; text-align: left; white-space: normal; background-color: rgb(51, 51, 51); padding: 10px 10px 10px 30px; width: inherit; caret-color: rgb(184, 191, 198); color: rgb(184, 191, 198); position: relative !important;">app.post('/register', (req, res) => {let user = JSON.parse(req.body)if (!user.username|| !user.password) {return res.json({ msg: 'empty username or password', err: true })}if(users.filter(u => u.username == user.username).length) {return res.json({ msg: 'username already exists', err: true })}if (user.isAdmin && user.inviteCode !=INVITE_CODE) {user.isAdmin = falsereturn res.json({ msg: 'invalid invite code', err: true })}let newUser = Object.assign({}, baseUser, user)users.push(newUser)res.json({ msg: 'user created successfully', err: false })
})</pre>

json解析后，利用Object.assign()创建子类newUser，push进users

这里传入payload:"__proto__"{"isAdmin":true}造成原型链污染，生成的user用户拥有isAdmin=true [图片上传失败...(image-449d0f-1680183262990)]

WEB：Wife_wife

WEB：Wife_wife

CATCTF wife原型链污染

CATCTF wife原型链污染

CATCTF 2022 wife

推荐阅读更多精彩内容