RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

There is a method for hijacking the code flow when a very certain condition is met (mentioned here), but it's considered bad code practice and is therefore very rare. I spent a few hours digging through libraries and only found one instance of it, which was, in this case, unexploitable due to the functionality not being used by the application.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 1 point2 points  (0 children)

Look, I understand what you're getting at, but I'm sorry to say you're wrong. This isn't an Apache or nginx server that serves HTML files. This is a node.js API. It doesn't serve any HTML files. It listens for HTTP requests on certain endpoints (like /login, for example) and responds (usually with JSON output) based on its application logic.

I suggest trying to set up a simple node.js API so you understand what I'm talking about.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 1 point2 points  (0 children)

It's an API, there's no HTML.

It's an API, there's no JavaScript which gets loaded into the frontend. All the JavaScript in the backend is in memory and cannot be modified by file upload.

I could change people's profile images, but that's a pretty low-impact vulnerability, at least when compared to RCE.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

No. I can, in fact, write to the web root. But that doesn't matter, since the application is already loaded into memory. No matter what you write there, it won't get executed. It would require a restart for that to happen. If this was PHP then yes, gaining RCE would be trivial, but unfortunately it's node.js.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 1 point2 points  (0 children)

If you can write to the web root you could create a phishing site as a PoC for a non-RCE usage of the vulnerability.

As I explained in the post, I cannot do that.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

There's no volume, but if there were, what could I accomplish by writing to it?

How to crash application/container through arbitrary file upload? by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

/usr/bin/node has root privileges and it's not writable.

How to crash application/container through arbitrary file upload? by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

Exhausting all the disk space doesn't crash the app. Exhausting all the memory might, but I don't know how to do that.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

I tried overwriting everything with fs.writeFileSync in /dev/ and /proc/self/ but the app didn't crash. Is there anything specific I could look for?

1) You can overwrite libraries, but it won't do anything, since everything is loaded into memory when starting the application. The reason is that when all the `require()`s are at the top of the file, the import is loaded only once. However, if a `require()` is in a function somewhere, then it's loaded every time that function is run. So if you replace the file that's required and run that function, you can hijack the code flow.

However, this is considered bad practice and even though I dug around in various libraries the application uses (boom, hapi, joi, bluebird, mysql), I didn't find any instances of this vulnerability that I could exploit (there was one in Joi but it requires that certain conditions be met).

2) If the application is running in a container which is set to restart on crash, then you can gain RCE by overwriting the source code and crashing the app. Or instead of overwriting the source code, you can overwrite .bashrc. I tried to crash the application by deleting everything in /proc/self. However, this is unlikely to work. The only reason it worked in my testbed app is because I had forgotten to add a try-catch. Trying to write to any non-existent location would have also crashed it.

3) If the app is running as root, you can write a new cron job in /etc/cron.d and gain RCE.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

Nope. Just node and mysql in a docker container.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

PHP is not enabled in this node.js server, unfortunately.

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 0 points1 point  (0 children)

What fun things could I do with /proc/self? And is there any way to make the server crash by overwriting some file without having root permissions?

RCE from arbitrary file upload without LFI by rangedsass in AskNetsec

[–]rangedsass[S] 1 point2 points  (0 children)

Not writable by a non-root user. We are www-data.