@alejandrolechuga
Last active July 16, 2022 17:36
// Invoke `constructor` with `new` semantics using an array of arguments.
// ES5 stand-in for Reflect.construct / argument spread: a throw-away
// forwarding constructor shares the target's prototype so the resulting
// object is `instanceof constructor`; if the target returns an object
// (e.g. Function does), `new` hands that object back instead.
function construct(constructor, args) {
  var Forwarder = function () {
    return constructor.apply(this, args);
  };
  Forwarder.prototype = constructor.prototype;
  return new Forwarder();
}
// Sandboxer
// Evaluate `string` as the body of a generated function whose parameter
// list shadows every enumerable property name of `window` (plus
// "Function"), so those names read as `undefined` inside the body.
// `inject` (or an empty object) becomes `this` for the evaluated code.
//
// NOTE: this is name-shadowing only, not an isolation boundary. The
// comment thread below shows the real global being reached through a
// function's `.constructor`, and `for...in` only covers enumerable
// globals. Untrusted code needs a separate realm/process, not this.
function sandboxcode(string, inject) {
  "use strict";
  // "Function" goes first so the body cannot name the constructor directly.
  var paramNames = ["Function"];
  var globalName;
  for (globalName in window) {
    // <--REMOVE THIS CONDITION
    if (globalName == "console") continue;
    // REMOVE THIS CONDITION -->
    paramNames.push(globalName);
  }
  // The last element is the function body. The directive keeps a plain
  // function call inside the body from seeing the global object as `this`
  // (e.g. `(function(){return this;}())`).
  paramNames.push('"use strict";\n' + string);
  // Applied with no argument list, so every shadow parameter is undefined.
  return construct(Function, paramNames).apply(inject || {});
}
// Demo: the usual global entry points are shadowed and `this` is a fresh object.
sandboxcode('console.log( this, window, top , self, parent, this["jQuery"], (function(){return this;}()));');
// => Object {} undefined undefined undefined undefined undefined undefined
// Demo: the second argument is what the evaluated code sees as `this`.
var injected = sandboxcode('return this;', {window:"sanboxed code"});
console.log("return of this", injected);
// => Object {window: "sanboxed code"}
/*
This generates an anonymous function like the following:
function anonymous(top,window,location,external,chrome,document,bencode,bendecode,fileinput,handleFile,data,construct,sandboxcode,speechSynthesis,webkitNotifications,localStorage,sessionStorage,applicationCache,webkitStorageInfo,indexedDB,webkitIndexedDB,crypto,CSS,performance,devicePixelRatio,styleMedia,parent,opener,frames,self,defaultstatus,defaultStatus,status,name,length,closed,pageYOffset,pageXOffset,scrollY,scrollX,screenTop,screenLeft,screenY,screenX,innerWidth,innerHeight,outerWidth,outerHeight,offscreenBuffering,frameElement,clientInformation,navigator,toolbar,statusbar,scrollbars,personalbar,menubar,locationbar,history,screen,postMessage,close,blur,focus,ondeviceorientation,ondevicemotion,onunload,onstorage,onresize,onpopstate,onpageshow,onpagehide,ononline,onoffline,onmessage,onhashchange,onbeforeunload,onwaiting,onvolumechange,ontimeupdate,onsuspend,onsubmit,onstalled,onshow,onselect,onseeking,onseeked,onscroll,onreset,onratechange,onprogress,onplaying,onplay,onpause,onmousewheel,onmouseup,onmouseover,onmouseout,onmousemove,onmouseleave,onmouseenter,onmousedown,onloadstart,onloadedmetadata,onloadeddata,onload,onkeyup,onkeypress,onkeydown,oninvalid,oninput,onfocus,onerror,onended,onemptied,ondurationchange,ondrop,ondragstart,ondragover,ondragleave,ondragenter,ondragend,ondrag,ondblclick,oncuechange,oncontextmenu,onclose,onclick,onchange,oncanplaythrough,oncanplay,oncancel,onblur,onabort,onwheel,onwebkittransitionend,onwebkitanimationstart,onwebkitanimationiteration,onwebkitanimationend,ontransitionend,onsearch,getSelection,print,stop,open,showModalDialog,alert,confirm,prompt,find,scrollBy,scrollTo,scroll,moveBy,moveTo,resizeBy,resizeTo,matchMedia,requestAnimationFrame,cancelAnimationFrame,webkitRequestAnimationFrame,webkitCancelAnimationFrame,webkitCancelRequestAnimationFrame,captureEvents,releaseEvents,atob,btoa,setTimeout,clearTimeout,setInterval,clearInterval,TEMPORARY,PERSISTENT,getComputedStyle,getMatchedCSSRules,webkitConvertPointFromPageToNode,web
kitConvertPointFromNodeToPage,webkitRequestFileSystem,webkitResolveLocalFileSystemURL,openDatabase,addEventListener,removeEventListener,dispatchEvent
) {
"use strict";
return this;
} */
@akuankka128

Browser

sandboxcode('var self=(function() {}).constructor("return this")(); self.alert("pwned @ " + self.document.domain)')

Node

sandboxcode('var self=(function() {}).constructor("return this")(); self.console.log("pwned @ " + process.pid)')
