20220517 - REC via Dependecy Confusion.md

How I got RCE via Dependency Confusion 💎

1. Introduction

The team gave us a mobile app and a website.
We didn't waste time on the mobile app and decided to work on the website.
We just tried to find the admin panel, because the main domain was only a single page to download the app.
 

2. Recon 🔦

I started with some Shodan recon and found an IP that belongs to TARGET.
Using directory brute-forcing tools like Dirsearch and FFUF, I found a package.json file containing all the packages that were installed on the server.
URL: /ui/package.json
 

3. Dependency Confusion 💡

Using a tool called Confused, I found that the "spr-svg-loaders" package was not in the public npm registry.
You can verify this by going to the npm website and searching for the package name.
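The check above is the one a defender should also run over their own manifests before an attacker does. The script below is an added example, not code from this write-up or from the Confused tool: it reads a package.json together with its package-lock.json and flags internal packages that are unscoped or not pinned to the organisation's private registry, which is exactly the condition that lets a same-named public package shadow them. All package names other than "spr-svg-loaders", the lockfile contents and the private registry host "npm.internal.example" are constructed assumptions.

```python
"""Audit a package.json + package-lock.json for dependency-confusion exposure.

Added example, not code from the write-up. Package names (except the one the
write-up mentions), hosts and lockfile contents are constructed; the host
"npm.internal.example" stands in for an organisation's private registry.
"""
import json
from urllib.parse import urlparse

PUBLIC_REGISTRY_HOST = "registry.npmjs.org"

# Constructed manifest: one unscoped internal name next to public packages.
PACKAGE_JSON = json.dumps({
    "name": "ui",
    "dependencies": {
        "react": "^17.0.2",
        "spr-svg-loaders": "1.0.3",
        "@acme/auth-widget": "2.1.0",
    },
    "devDependencies": {"webpack": "^5.0.0"},
})

# Constructed lockfile (lockfileVersion 2 layout): the internal package has no
# pinned source, the scoped one resolves to the private registry, the rest to
# public npm.
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "node_modules/react": {
            "version": "17.0.2",
            "resolved": "https://registry.npmjs.org/react/-/react-17.0.2.tgz"},
        "node_modules/spr-svg-loaders": {"version": "1.0.3"},
        "node_modules/@acme/auth-widget": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme/auth-widget/-/auth-widget-2.1.0.tgz"},
        "node_modules/webpack": {
            "version": "5.0.0",
            "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.0.0.tgz"},
    },
})


def lock_resolved(lock, name):
    """Return the 'resolved' URL of a top-level dependency (v1 and v2/v3 lockfiles)."""
    if "packages" in lock:  # lockfileVersion 2 and 3
        entry = lock["packages"].get(f"node_modules/{name}", {})
    else:  # lockfileVersion 1
        entry = lock.get("dependencies", {}).get(name, {})
    return entry.get("resolved")


def audit(package_json_text, lock_text, internal_names, private_hosts):
    """Flag internal dependencies that a same-named public package could shadow.

    internal_names: packages the organisation publishes only privately.
    private_hosts:  registry hosts allowed to serve those packages.
    Returns a list of (package, severity, message) tuples, ordered by name.
    """
    manifest = json.loads(package_json_text)
    lock = json.loads(lock_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))

    findings = []
    for name in sorted(deps):
        if name not in internal_names:
            continue  # public package; not what this check is about
        resolved = lock_resolved(lock, name)
        host = urlparse(resolved).hostname if resolved else None
        if not name.startswith("@"):
            findings.append((name, "high",
                             "unscoped internal name: a public package of the same name can "
                             "win resolution unless installs are pinned to the private registry"))
        if resolved is None:
            findings.append((name, "high",
                             "no 'resolved' URL in lockfile; install source is not pinned"))
        elif host == PUBLIC_REGISTRY_HOST:
            findings.append((name, "critical",
                             f"lockfile resolves an internal package from {host}"))
        elif host not in private_hosts:
            findings.append((name, "medium", f"resolved from unexpected host {host}"))
    return findings


if __name__ == "__main__":
    for pkg, sev, msg in audit(PACKAGE_JSON, PACKAGE_LOCK,
                               internal_names={"spr-svg-loaders", "@acme/auth-widget"},
                               private_hosts={"npm.internal.example"}):
        print(f"[{sev}] {pkg}: {msg}")
```

Run against the constructed input, the unscoped "spr-svg-loaders" entry produces two high findings (unscoped name, no pinned source) while the scoped "@acme/auth-widget" passes, which is the remediation in miniature: publish internal packages under an organisation scope and map that scope to the private registry in .npmrc, so the public registry is never consulted for them.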
 

4. I am Evil 😈

Create a malicious package with the package name and upload it to the public npm registry.
After publishing the package we can verify it on the npm registry.
The full procedure for uploading the package can be found in this blog.
 

5. Bounty Time 💵

Within a few hours of uploading the package, I received a ping-back on my interact.sh server with some data such as the hostname, directory, IP address and username.
 

Credit

Based on Sm4rty's write-up.
 

Support

You can follow me on Twitter or buy me a coffee.
