Posted to notifications@ant.apache.org by bu...@apache.org on 2014/12/08 14:51:16 UTC
[Bug 57329] New: Bypass execute command line by Js Node
https://issues.apache.org/bugzilla/show_bug.cgi?id=57329
Bug ID: 57329
Summary: Bypass execute command line by Js Node
Product: Ant
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Other
Assignee: notifications@ant.apache.org
Reporter: is4curity@gmail.com
Hi guys, how are you?
We can bypass security on the server and bypass disable functions by Js Node and
Apache.
First we must test whether node works on the server or not,
by
node -v
or use
var sys = require('sys')
var exec = require('child_process').exec;
function puts(error, stdout, stderr) {sys.puts(stdout)}
exec("ln -s /etc/passwd r3m0t3nu11.txt", puts);
http://i61.tinypic.com/10h2e7t.png
OK, it works well now.
We used child_processes
http://i62.tinypic.com/5yhtlu.png
make commands
http://i62.tinypic.com/rc37yv.png
http://i62.tinypic.com/33udb2p.png
http://i61.tinypic.com/1ze8c2t.png
terminal result
http://i61.tinypic.com/33tl7ao.png
http://i62.tinypic.com/kf4ops.png
OK, now we know we can execute commands on Linux by node; we tested it in our
terminal and it works well.
Now how can we use it on servers :] <<< by Apache 0_o
We will read JS NODE through a CGI language,
will run node from the CGI LANGUAGE
and read JS NODE through the CGI language.
First make an htaccess file, the Node definition file for Apache:
Action "node-script" "/cgi-bin/node-cgi"
AddHandler "node-script" ".ns"
http://i62.tinypic.com/29x85xx.png
or
Options +ExecCGI
AddHandler cgi-script .js
http://i57.tinypic.com/2v85vsg.png
and write sample code in node like this:
#!/usr/local/bin/node
var sys=require("sys");
sys.puts("Content-type: text/html\n");
sys.puts("R3m0t3nu11 1s h3r3~!<br/>\n");
var argstr="";
for(var i in process.env){
argstr+=i+": " + process.env[i] + "<br/>\n";
}
sys.puts("args: "+ argstr +"<br/>\n");
http://i61.tinypic.com/2dac55f.png
chmod the folder and file to 0755
http://i61.tinypic.com/11hh4yb.png
See, we can read the result from node in the browser
http://i59.tinypic.com/nn0dw8.png
Also we can bypass symlink and read any file from another user on the server.
Open a port to read the result,
for example with this code:
var sys = require("sys"),
    http = require("http");
http.createServer(function(request, response) {
  // writeHead()/end() replace the removed sendHeader()/close() calls
  response.writeHead(200, {"Content-Type": "text/html"});
  response.write("R3m0t3nu11~!");
  response.end();
}).listen(8084);
sys.puts("Server running at http://localhost:8084/");
http://i57.tinypic.com/w7ygw8.png
http://i62.tinypic.com/7nuq.png
See the result:
http://i57.tinypic.com/31329le.png
Sorry about my bad English, hope you guys can understand :-) :D
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 57329] Bypass execute command line by Js Node
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57329
Jan Mat <ja...@materne.de> changed:
          What|Removed                     |Added
----------------------------------------------------------------------------
        Status|NEW                         |RESOLVED
    Resolution|---                         |INVALID
--- Comment #1 from Jan Mat <ja...@materne.de> ---
Development of NodeJS is on GitHub
http://nodejs.org/
https://github.com/joyent/node/issues
[Bug 57329] Bypass execute command line by Js Node
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57329
Eric Covener <co...@gmail.com> changed:
          What|Removed                     |Added
----------------------------------------------------------------------------
     Component|Other                       |mod_cgi
       Version|unspecified                 |2.4.10
      Assignee|notifications@ant.apache.org|bugs@httpd.apache.org
       Product|Ant                         |Apache httpd-2
--- Comment #2 from Eric Covener <co...@gmail.com> ---
Changing the product to httpd for posterity.
There's no vulnerability described here; once you enable CGI and create a
script you can do whatever the system allows you.
* Bugzilla is for reporting defects, not discussion or blogging your personal
journey through learning CGI.
* Genuine security issues should be reported directly to security@apache.org
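An added example, not part of the thread or of Apache httpd: a Node.js audit that flags the .htaccess directives shown in the report, which is where CGI execution actually gets switched on, as comment #2 points out. The function names and the sample input are constructed for illustration.

```javascript
'use strict';

// Join backslash-continued lines, drop comments/blanks, keep the starting line number.
function logicalLines(text) {
  const out = [];
  let buf = '', start = 0;
  text.split(/\r?\n/).forEach((raw, i) => {
    if (!buf) start = i + 1;
    if (raw.endsWith('\\')) { buf += raw.slice(0, -1) + ' '; return; }
    const line = (buf + raw).trim();
    buf = '';
    if (line && !line.startsWith('#')) out.push({ n: start, line });
  });
  return out;
}

// Split a directive into lower-cased name and arguments, honouring double quotes.
function parse(line) {
  const t = (line.match(/"[^"]*"|\S+/g) || []).map(s => s.replace(/^"|"$/g, ''));
  return { name: t[0].toLowerCase(), args: t.slice(1) };
}

function auditHtaccess(text) {
  const rows = logicalLines(text).map(l => ({ n: l.n, ...parse(l.line) }));
  // Handler names bound to a CGI program by Action; cgi-script is built in.
  const cgiHandlers = new Set(['cgi-script']);
  rows.filter(r => r.name === 'action' && r.args[0])
      .forEach(r => cgiHandlers.add(r.args[0].toLowerCase()));
  const findings = [];
  for (const { n, name, args } of rows) {
    const a = args.map(x => x.toLowerCase());
    let why = null;
    if (name === 'options' && a.some(x => /^\+?(execcgi|all)$/.test(x))) {
      why = 'Options grants ExecCGI';          // "-ExecCGI" revokes, so it is not matched
    } else if (name === 'action') {
      why = 'handler bound to CGI program ' + args[1];
    } else if ((name === 'addhandler' || name === 'sethandler') && cgiHandlers.has(a[0])) {
      why = 'content mapped to CGI handler ' + a[0];
    }
    if (why) findings.push({ line: n, directive: name, why });
  }
  return findings;
}

// Constructed sample combining both .htaccess variants from the report.
const SAMPLE = ['# constructed sample', 'Action "node-script" "/cgi-bin/node-cgi"',
  'AddHandler "node-script" ".ns"', 'Options -Indexes \\', '  +ExecCGI',
  'AddHandler cgi-script .js', 'Options -ExecCGI'].join('\n');
console.log(auditHtaccess(SAMPLE));
```

Whether a per-directory file may set these directives at all is governed by AllowOverride in the server configuration (Options for Options; FileInfo for AddHandler, SetHandler and Action).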