NodeJS-CI-Vulnerability
In this part we will disccus about Command Injection Vulnerability inside NodeJS Code and How we can fix it
The Target application is i’ve uploaded called “app.js” and let’s start with first step reviewing the code…
The Part 1
So in the code below
we see that the application use exec to execute The child_process so what is it?
child_process module provides the ability to spawn subprocesses in a manner that is similar, but not identical, to popen(3). This capability is primarily provided by the spawn function:
let’s say something like this code below:
const { spawn } = require('child_process');
const ls = spawn('ls', ['-lh', '/usr']);
ls.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
ls.stderr.on('data', (data) => {
console.error(`stderr: ${data}`);
});
ls.on('close', (code) => {
console.log(`child process exited with code ${code}`);
});
So Here we have a command injection, it means that the cmd “ls” is execute by default and -lh, /usr so we can see the list of the folders only but the way we can bypass that it’s so easy for example i can run like= ; whoami ==> this will show me the user name that app is run on it.!!
we can do more and more we can open a listener and run a reverse shell bash script and gain access to the server/APPLICATION
The Part 2
Using the same bug with no validation process
How we can Fix That??
we can you “execFile” instead of “exec” like in the image below
