0xma Cyber Security Articles

February 24, 2022

Node Cookie Deserialization Command Injection

In this tutorial, we will see how to inject malformed cookie to gain remote code execution on the target. The target is using the "node-serialize" module to deserialize the cookie. This page and this page contains more information about this vulnerability.

The web application is using this piece of code to deserialize the cookie.

Source code of the target web application. Source code of the target web application.

This shows the main page of the website. We are logged in to the web application.

Main page of the website.

This shows the cookie used to access the web page.

Cookie in the browser.

Let's refresh the page, capture it in Burp Intercept and right-click on it to send it to Burp Repeater.

Request capture in Burp Intercept.

Select the cookie and URL-decode it.

Decoding the cookie in Burp Repeater.

This shows the decoded cookie.

Decoded cookie value.

We can completely remove the cookie and then replace it with the payload. This works because the source code reveals that the payload will be checked before "user" and "sign". This payload pings our local machine.

RCE cookie payload.

Now we have to URL encode the semi-colon.

URL encoding the semi-colon character.

We can see that the ICMP packets from the target box are received which means code execution is possible and there is communication betweeen the hosts.

Capturing the ICMP packets.

This command Base64 encodes our Bash reverse shell.

Base64 encoding the Bash reverse shell.

Let's send the Base64 encoded payload through the Burp Repeater.

Send the Bash reverse shell through Burp Repeater.

We can see that the payload executed successfully and we get a reverse shell.

Reverse shell on the box.

However, we don't have to replace the cookie completely. We can modify the previous cookie by adding a new field with the payload in it.

Modifying the cookie to send a ping.

We can see that the command executed successfully and we were able to obtain a reverse shell.

Capturing the ICMP packet.

Replacing the cookie key "rce" with "0xma" doesn't make a difference. Because it is the payload that gets executed.

Sending a reverse shell payload.

Once again, we have been successful in obtaining a reverse shell.

Reverse shell on the box.

You can follow me on Twitter mujtabareads.