https://blog.keenan.top/2020/07/04/v8-exploit-basics/
d8的shell支持的命令
源码
// Creates a new execution environment containing the built-in
// functions.
v8::Local<v8::Context> CreateShellContext(v8::Isolate* isolate) {
// Create a template for the global object.
v8::Local<v8::ObjectTemplate> global = v8::ObjectTemplate::New(isolate);
// Bind the global 'print' function to the C++ Print callback.
global->Set(isolate, "print", v8::FunctionTemplate::New(isolate, Print));
// Bind the global 'read' function to the C++ Read callback.
global->Set(isolate, "read", v8::FunctionTemplate::New(isolate, Read));
// Bind the global 'load' function to the C++ Load callback.
global->Set(isolate, "load", v8::FunctionTemplate::New(isolate, Load));
// Bind the 'quit' function
global->Set(isolate, "quit", v8::FunctionTemplate::New(isolate, Quit));
// Bind the 'version' function
global->Set(isolate, "version", v8::FunctionTemplate::New(isolate, Version));
return v8::Context::New(isolate, NULL, global);
}
通过read读文件
d8> read('flag.txt');
通过import泄露文件
d8> import('flag.txt');
通过绝对路径可能会报错,用相对路径就可以了
('../../../../../../flag.txt')
通过load泄露文件
d8> load();
d8> load('flag.txt');
网友评论