We covered code injection and remote code execution through eval() in Node.js. The scenario was an input box whose contents are passed as "numbers" to a calculator function that calls eval() to compute an arithmetic expression and return the result to the user. Neither the calculator nor the call to eval() performs any input validation, so instead of numbers we could submit JavaScript that calls Node.js methods such as readdirSync() and readFileSync() to list directories and read sensitive files. This was part of the HackTheBox JSCalc web challenge.
Video Highlights
To learn more about the running Node.js process, use the global object process. No require() call is needed because it is a global. It exposes many properties and methods that give anyone who controls the input to eval() a foothold for interacting with the host system.
For instance, process.cwd() returns the current working directory of the Node.js process. I tested this against the challenge application and got the directory back in the response. I did not need Burp for this; the browser console was enough to send the payload and inspect the answer.
The aim of the challenge was to read a flag.txt file on the server. The Node.js fs module, which has to be loaded with require('fs'), provides this: it exposes the file system (accessing, managing and modifying files, and so on), and every method comes in an asynchronous and a synchronous (...Sync) version. Since eval() returns the value of the last expression it evaluates, the synchronous versions are the ones that hand the result straight back in the response; the asynchronous ones would return before the data is available. A directory's contents can be listed with readdir() or readdirSync(), which behave like ls on Linux or dir on Windows.
We used the payloads below to solve the challenge, first listing the application directory and its parent to locate the flag, then reading it:
require('fs').readdirSync('/app').toString()
require('fs').readdirSync('../').toString()
require('fs').readFileSync('/flag.txt').toString()