What is constructor.constructor()() in JavaScript?

Time:05-01

I'm bug hunting on h1 and I've found a way to trigger an alert box using constructor.constructor() on a site using AngularJS, Node.js and other JavaScript libraries, and I am looking to truly understand what is going on here, but haven't found the exact piece of information.

The exact payload is

constructor.constructor('alert(1)')()

I have only found info talking about constructors as in the process of defining functions and classes but not as a "function" (not really sure what this is in this context). And I'm not sure if the context that triggers the alert box is one of the libraries in place or just because of JavaScript and the DOM.

Does anybody know what constructor.constructor()() is? And how does it work?

PS: The payload is also placed inside {{ }} but it is apparently just JavaScript and not an actual SSTI (7*7 is parsed by DOM but remains in source code)

CodePudding user response:

Object instances have a reference to their constructor function:

const o = {};
o.constructor === Object;

If you don't reference any object, you're executing the property in the global context off of the window instance, which is the same as window.constructor:

constructor /* or window.constructor */ === Window;

Window and Object are function instances, because functions are also objects in JavaScript, which means that their constructor is Function:

constructor.constructor /* or Window.constructor */ === Function;

The Function function can be used to create a function instance using the string input as the function body—similar to eval—so in your example of passing in 'alert(1)' the result is a function that calls alert(1) when executed:

Function('alert(1)');
// is the same as
function () {
  alert(1);
}

And finally the last parentheses execute the function without any parameters, which is why you see the alert displayed with a 1.
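The chain the answer describes, as an added example that is not code from the question or the answer above. It runs under Node.js, where globalThis plays the role the browser's window plays in the payload, and it uses a benign body ('return 7 * 6') in place of alert(1) so the result can be checked rather than observed as a pop-up. The small "scope" evaluator is a constructed, deliberately weak sandbox written here only to show how the escape works; it is not AngularJS code and the scope key `user` is an assumption.

```javascript
// Added example, not code from the question or answer above. Runs under
// Node.js; globalThis stands in for the browser's window. The "scope"
// evaluator is a constructed, deliberately weak sandbox, not AngularJS code.

// Two hops from any value to Function:
//   x.constructor             -> the function that created x (Object, Array, String, ...)
//   x.constructor.constructor -> Function, because every function is a Function instance
function reachesFunctionConstructor(x) {
  return x.constructor.constructor === Function;
}

// The payload shape constructor.constructor(body)() from a chosen starting value.
// Function(body) compiles the string as the body of a new function, and the
// trailing () calls that function with no arguments.
function runViaConstructorChain(x, body) {
  const F = x.constructor.constructor; // === Function
  return F(body)();
}

// A Function-constructed body does not close over the locals of the code that
// built it; it only sees globals. That is why the payload needs nothing from
// the page's own code: window, document, alert are all global.
function constructedFunctionSeesOnlyGlobals() {
  const secret = 'local value'; // not visible to the constructed function
  void secret;
  return ({}).constructor.constructor('return typeof secret')();
}

// Constructed toy evaluator: the keys of `scope` become bare names inside the
// expression, and eval/Function are shadowed with undefined so that calling
// either one directly fails. Nothing in scope is a function.
function evaluateInScope(expression, scope) {
  const names = Object.keys(scope);
  const values = names.map((k) => scope[k]);
  const fn = new Function('eval', 'Function', ...names, `return (${expression});`);
  return fn(undefined, undefined, ...values);
}

// The escape: `constructor` is not a scope key, so the bare name falls through
// to the global object (window in a browser, globalThis here), whose
// .constructor is a function and whose .constructor.constructor is Function.
// Any scope value works as a starting point too: user.constructor is String,
// and String.constructor is Function again.
function escapeSandbox(expression) {
  return evaluateInScope(expression, { user: 'alice' }); // `user` is an assumed scope key
}
```

Usage: escapeSandbox("constructor.constructor('return 7 * 6')()") returns 42 even though eval and Function are shadowed, and so does the variant starting from user.constructor. This is why blocking the obvious names inside an expression language is not a fix: AngularJS's own expression sandbox was bypassed repeatedly and was removed in 1.6, and the durable fix is to never let user-controlled input reach {{ }} as a template expression.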
