Offensive and defensive world - leaking
2022-08-08 08:04:00 【Stealth rookie】
Entering the environment, we are given a piece of code.
On npm,vm, vm2, Node.js sandbox escape
This is a Node.js sandbox escape challenge. The line var { VM } = require("vm2"); loads the official Node.js security sandbox library (that is, the code related to the Node.js sandbox).
In Node versions before 8.0, calling the Buffer constructor with a number returns a Buffer of that length, and the memory behind it is not zeroed.
From version 8.0 onward, the same non-zeroed memory can still be obtained through another function, Buffer.allocUnsafe(size).
On lower Node versions, Buffer(size) can therefore be used to view memory. Any variable that has been used recently may still be present in that memory, so a payload can be constructed to read it.
The limit on req.query.data.length can be bypassed by passing an array instead of a string.
1. The challenge hands out a string of code when accessed; this code indicates that our input is executed inside the sandbox.
2. Because of the sandbox's isolation, functions that reach the operating system, such as eval(), cannot be executed directly.
3. To get the flag, eval() has to run, so the sandbox escape vulnerability is used to obtain the flag.
After reading other people's problem-solving ideas, I found through the script that the eval() function had been executed when the memory leaked, and got the flag.

```python
import requests
import time

# Request a 500-byte Buffer from the sandbox; on old Node this returns
# non-zeroed memory, which is then searched for the flag string.
url = 'http://ip:port/?data=Buffer(500)'
response = ''
while 'flag' not in response:
    req = requests.get(url)
    response = req.text
    print(req.status_code)
    time.sleep(0.1)
    if 'flag{' in response:
        print(response)
        break
```