Deserialization vulnerabilities exist in most languages, frameworks, and platforms, and in this post we are going to give a brief and useful review of this vulnerability in NodeJS.
In my opinion, deserialization in the NodeJS platform (and in Python) is easier to exploit than in other areas.
If user input is given to the Unserialize function, this vulnerability occurs and can even lead to RCE (code execution on the server), but to increase the chances of exploitation it is better to use the Immediately Invoked Function Expression (IIFE) technique.
Vulnerable code snippet:
Here I have prepared a vulnerable code sample to make this easier to understand:
Description of the vulnerable code:
First it is checked whether the user already has a cookie called Token or not; if not, there is a message saying “Reload the Page” telling you to refresh the page:
And if you do not have the cookie, it will be set in your browser and you will see the following page:
If you pay attention to the above code, you will see that the Token value from the cookie is Base64-decoded and then unserialized. The vulnerability occurs here: the data sent to this function is fully controlled by the user, and no security check is performed on it on the server side.
The Token value after Base64 decoding is as follows:
Now, as you can see, this object is sent to the Unserialize function and then the property called username is read from it. All we have to do is create a malicious object and serialize it, so that after the vulnerable application unserializes it, our code is executed.
Run the above code snippet to obtain the exploit code as output:
But this exploit has a problem and does not run: the function we defined, which contains the operating system command, is never called, so the exploit code never executes. If you Base64-encode this exploit and send it, you will see the following page.
To run our exploit, we must use the Immediately Invoked Function Expression (IIFE) technique:
The definition of this technique is:
An IIFE (Immediately Invoked Function Expression) is a JavaScript function that runs as soon as it is defined.
To do this, just add parentheses to call the function when defining the object.
Now, if we run the above code to get the result, that is, the exploit code to send, we will encounter the following output.
The reason we do not see the function in the serialized object like last time is that, unfortunately, once we add the parentheses, our code is executed locally and we no longer get the exploit code as output. To solve this problem it is enough to run the previous exploit and add the parentheses to the output ourselves.
Now, if we Base64-encode the above code, put it in the cookie and refresh the page, our code will be executed on the server side.
Now, how can we upgrade this and get a reverse shell? Here we go.
I hope the article is useful and has been added to your knowledge.