V8中的非预期

https://blog.keenan.top/2020/07/04/v8-exploit-basics/

d8的shell支持的命令
源码

// Creates a new execution environment containing the built-in
// functions.
v8::Local CreateShellContext(v8::Isolate* isolate) {
  // Create a template for the global object.
  v8::Local global = v8::ObjectTemplate::New(isolate);
  // Bind the global 'print' function to the C++ Print callback.
  global->Set(isolate, "print", v8::FunctionTemplate::New(isolate, Print));
  // Bind the global 'read' function to the C++ Read callback.
  global->Set(isolate, "read", v8::FunctionTemplate::New(isolate, Read));
  // Bind the global 'load' function to the C++ Load callback.
  global->Set(isolate, "load", v8::FunctionTemplate::New(isolate, Load));
  // Bind the 'quit' function
  global->Set(isolate, "quit", v8::FunctionTemplate::New(isolate, Quit));
  // Bind the 'version' function
  global->Set(isolate, "version", v8::FunctionTemplate::New(isolate, Version));
  return v8::Context::New(isolate, NULL, global);
}

通过read读文件

d8> read('flag.txt');

通过import泄露文件

d8> import('flag.txt');

通过绝对路径可能会报错,用相对路径就可以了 ('../../../../../../flag.txt')

通过load泄露文件

d8> load();
d8> load('flag.txt');

你可能感兴趣的:(V8中的非预期)