Saturday, 2 May 2015



Introduction

Node.JS is a Cross Platform and Runtime Environment Where one can execute javascript code, outside the Web Browser. Node.JS is Very helpful but it has a couple of Killing features which make it very dangerous and hazardous for a web application. In this tutorial we are going to discuss one of them, Command Execution in Node.JS, You Folks must know what is Command Execution but just to be sure I’d like to tell you, Command Execution Vulnerabilities Allow an Attacker to run arbitrary Commands on a System through the Vulnerable Environment. I guess its enough for introcution.

Vulnerable Code

Here is vulnerable code which demonstrates the vulnerability in node js.

Node JS Command Execution Pentesting


I’ll simply give the overview about where exactly its getting hectic. We are using exec function from child_process library, and executing parsedUrl.query.command, that is not getting filtered. Hence an attacker can execute any arbitrary commdn in order to hack into system. Let’s Save it and run it. Here is my script running.

Node JS Command Execution Pentesting



Code is working without any error, let’s try to visit the url 127.0.0.1:8888 in browser as it is listening on port 8888.


Node JS Command Execution Pentesting


Whoa, we got it working. Now its time to do some evil stuff. Let’s try to execute systeminfo, PING & Some other commands , that displays information about a computer.
#fig1

Node JS Command Execution Pentesting

#fig2

Node JS Command Execution Pentesting

#fig3

Node JS Command Execution Pentesting


Okay fine, as it is clear from the above POC that its working exactly fine. In this context a developer must be careful while working with Node.JS files as its kinda more hectic and Evil than other languages.

About the Author


Muhammad Adeel is a Security researcher & Founder at Whitehat Conference Pakistan, he Blogs at http://urdusecurity.blogspot.com

Node JS & Command Execution

  • Uploaded by: Unknown
  • Views:
  • Share

    4 comments:

    1. It’s a very informative and helpful article, thank you for sharing!


      melbourne seo services

      ReplyDelete
    2. I read this article. I think You put a lot of effort to create this article. I appreciate your work.
      thesis Writing Service

      ReplyDelete
    3. Way cool! Some very valid points! I appreciate you penning this article and also the rest of the site is really good. How to hack facebook account on android , How to Hack Facebook Account Spot on with this write-up, I truly believe that this amazing site needs much more attention. I’ll probably be returning to read through more, thanks for the information! How to hack facebook account without survey How To Hack Facebook Using Kali Linux Everything is very open with a precise clarification of the challenges. It was really informative. Your site is extremely helpful. Many thanks for sharing! How to hack Facebook messages 

      ReplyDelete
    4. CLASSIC CYBER HACKS
      How well are you prepared for a Cyber incident or Breach?, Is your Data safe?
      Strengthen your Cybersecurity stance by contacting CLASSIC CYBER NOTCH @ GMAIL DOT COM for a Perfect, Unique, Classic and Professional Job in Securing your Network against all sort of breaches and from scammers as well.
      For we are Specially equipped with the Best hands to getting your Cyber Hack needs met as your jobs will be handled with utmost professionalism.

      We do All type of cyber Jobs such as:
      ☑ TRACKING of GPS location, cars, Computers, Phones (Apple, windows and Android), e.t.c.
      We also Track
      E-MAIL account,(G-mail, Yahoo mail, AOL, Proton mail, etc.)
      SOCIAL MEDIA account, (Facebook, Twitter, Skype, Whatsapp, e.t.c.)

      ☑ RECOVERY of Passwords for E-mail address, Phones, Computers, Social media Accounts, Documents e.t.c

      ☑ INSTALLATION of Spy ware so as to spy into someone else's computer, phone or E-mail address and also Installation of Spy ware software on your individual O.S so as to detect intrusion of any type.
      We also Create and Install VIRUS into any desired computer gadget.

      ☑ CRACKING Websites, any desired gadget it computers or phones, CCTV Survelance camera, Data base (of both Private and Govt organization, such as Schools, Hospitals, Court houses, The FBI, NSA) e.t.c....

      NOTE:
      Other Jobs we do are:
      ☑ We provide Private Investigator service
      ☑ Clearing Criminal records of diverse type
      ☑ Binary Options fraud Recovery
      ☑ Bitcoin Mining
      ☑ Issuing of Blank ATM cards
      ☑ And many more... etc.

      We assure you that your Job will be attended to with care and efficiency as it will be handled by the Best professional hands in Cyber literacy.
      We also have a forum where you can get yourself equipped with Advanced hacking Knowledge..

      CLASSIC CYBER HACKS gives you the Best service in the Hacking world as our Success rate is Top Notch

      Be sure to 📱 💻 us via E-mail @

      Classic cyber notch at gmail dot com

      any time, any day to get the Best Professional hands involved in putting a smile on your face.
      We're Classic Hacks

      Signed,
      Collins .A.

      ReplyDelete

     
    Copyright © HACK | Designed by Muhammad Adeel | Founder UrduSecurity