Checking package.json showed that the challenge uses ejs 3.1.6. Many researchers already know how to trigger RCE in an EJS environment: when the EJS parser runs, it builds JavaScript source dynamically and then executes it, and there are gadgets in that step, namely the outputFunctionName and destructuredLocals options.
While building the JavaScript source, EJS reads these values from the opts object. Normally, to pollute the value of opts.outputFunctionName, a Prototype Pollution vulnerability would have to exist, but there is none here.
I found that the utils.shallowCopy() method in the EJS code can be used to overwrite the value of data.settings.view.options with the properties of the opts object.
```js
app.listen(PORT, (err) => {
  console.log(`Server is Running on Port ${PORT}`);
});
```
This is the challenge code. The value of the cookie is taken and split on ".", and the header, body, and signature parts of the JWT are put into an object called rawJwt. However, we cannot insert an Object this way, because every value is converted back to a string after the strings are parsed as JSON.
In any case, I could see that the rawJwt object is created and passed as the second argument to the render() method.
```js
exports.render = function (template, d, o) {
  var data = d || {};
  var opts = o || {};

  // No options object -- if there are optiony names
  // in the data, copy them to options
  if (arguments.length == 2) {
    utils.shallowCopyFromList(opts, data, _OPTS_PASSABLE_WITH_DATA);
  }
```
```js
function JSONCookies (obj) {
  var cookies = Object.keys(obj)
  console.log(cookies)
  var key
  var val
  console.log(cookies)
  for (var i = 0; i < cookies.length; i++) {
    key = cookies[i]
    val = JSONCookie(obj[key])

    if (val) {
      obj[key] = val
    }
  }
  return obj
}
// https://github.com/expressjs/cookie-parser/blob/master/index.js#L83L118
```
We generally cannot insert object data into the rawJwt object. However, while analyzing the code of the cookie-parser module, I found the JSONCookie() function. Inside a try statement, JSONCookie() parses the argument value as JSON whenever the string starts with "j:", so the resulting cookie value becomes an object.
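To make the two mechanisms above concrete, here is an added example that is not code from the original post, from ejs, or from cookie-parser: it re-implements the "j:" cookie decoding just quoted so the effect can be seen on a constructed cookie, and then shows an assumed pre-render guard (the DENIED_LOCAL_KEYS list and findUnsafeLocalKeys are my own names) that refuses to hand option-like keys from a cookie-derived object to render().

```javascript
// Same logic as cookie-parser's JSONCookie: only strings prefixed "j:" are parsed.
function JSONCookie(str) {
  if (typeof str !== 'string' || str.substr(0, 2) !== 'j:') {
    return undefined;
  }
  try {
    return JSON.parse(str.slice(2));
  } catch (err) {
    return undefined; // malformed JSON leaves the original string in place
  }
}

// Same loop as cookie-parser's JSONCookies: decode every cookie value in place.
function JSONCookies(obj) {
  for (const key of Object.keys(obj)) {
    const val = JSONCookie(obj[key]);
    if (val) obj[key] = val;
  }
  return obj;
}

// Assumed deny-list for this example (not ejs's own _OPTS_PASSABLE_WITH_DATA):
// names that ejs treats as options or reads from data.settings, which must
// never arrive from an untrusted object that is passed as render() locals.
const DENIED_LOCAL_KEYS = new Set([
  'settings', 'outputFunctionName', 'destructuredLocals', 'client',
  'delimiter', 'filename', 'cache', 'views', 'escape', 'localsName',
]);

// Returns the offending keys; an empty array means the locals may be rendered.
// Non-object values cannot smuggle option names, so they are always accepted.
function findUnsafeLocalKeys(locals) {
  if (locals === null || typeof locals !== 'object') return [];
  return Object.keys(locals).filter((k) => DENIED_LOCAL_KEYS.has(k));
}

// Constructed request cookies: the plain string stays a string, while the
// "j:"-prefixed value becomes an object carrying a "settings" key that a
// handler would otherwise pass straight through to res.render().
const cookies = JSONCookies({
  session: 'abc.def.ghi',
  token: 'j:{"user":"alice","settings":{}}',
});
```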