Skip to content
/ RCE-NodeJs Public

Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2), Version: 0.0.4, CVE: CVE-2017-5941

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

f41k0n/RCE-NodeJs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 
exploit.js
exploit.js
 
 
exploit.py
exploit.py
 
 

Repository files navigation

node-serialize — CVE-2017-5941

Eslatma: Bu hujjat faqat mudofaa va taʼlimiy maqsadlarda. Eksploitlar yoki RCE yaratish bo‘yicha ko‘rsatma mavjud emas.

Xulosa: node-serialize (0.0.4 va o‘xshash eskirgan versiyalar) noishonlangan deserializatsiya tufayli xavf tug‘dirishi mumkin — kiruvchi maʼlumotni unserialize() qilishdan oldin har doim tekshiring.

Aniqlash: kodda serialize.unserialize() yoki node-serialize borligini qidiring. Dekodlangan base64 cookie/parametrlarni _$$ND_FUNC$$_, function( yoki eval( uchun tekshiring.

Bartaraf etish (tez):

  • node-serialize dan voz keching; JSON.parse/JSON.stringify ishlating.
  • Kiruvchi maʼlumotni qatʼiy schema bilan validatsiya qiling (ajv/joi).
  • eval va dinamik kod ijrosini olib tashlang.
  • Node jarayonini kam huquq bilan ishga tushiring va tarmoqli egressni cheklang.

Sinov (harmless): faqat benign base64-JSON yuboring (hech qanday funksiyalar yoki shell-komandalar yo‘q) — faqat ruxsat bilan test qiling.

Kontakt / Qo‘shimcha: kerak bo‘lsa CI skript, Express middleware yoki incident-playbook qismini tayyorlab beraman.

About

Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2), Version: 0.0.4, CVE: CVE-2017-5941

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages