Can analyzing javascript files lead to remote code execution?

Finding the endpoint:

After a few hours of playing around with the application, I found a subdomain that gives me a message “Taking a Short Break” which means it’s a good sign to start fuzzing directories.

Analyze first file (xproupload.js):

Starting with xproupload.js, I found this mess.

  • folder → the directory that I will upload to.
  • thefile → the parameter that carries our file name and its content.
  • currentFilter → just an empty string; later analysis showed it is not needed.
  • getRS → the value returned by the getAKrs function. We still don’t know what it is, and there is no function with that name in this file, so I will search the other JavaScript files later.
  • akap → in JavaScript, the value !0 means “true”.

Analyze second file (xprofile.js):

This file has many functions, so I’ll focus only on the important objects and functions as well.

  • _fileHandler → filemgn.ashx
  • _rsHandler → fileUtility.ashx
  • fn → takes the string value “rename_file”.
  • getRS → the value returned by the getAKrs function.
  • akap → as mentioned above, it is just a “true” value.
  • param → takes the value of the “t” variable, which was declared as an array in line 131 and assigned three values in line 132.
  • param[0] (the 1st) → the directory that contains the file we want to rename.
  • param[1] (the 2nd) → the new name.
  • param[2] (the 3rd) → the current file name.

Report Timeline:

25 Mar: Submitted.
28 Mar: Triaged.
29 Mar: Bounty Rewarded.

Digging More:

I got interested in what’s behind this code, especially the filtering implemented on the file extension. Hence, as we had the privilege to run commands on the server, I started to read this part of the code inside the fileUtility.aspx file.

  • If the last 4 characters of the filename are “.zip”.
  • The value of the extract request parameter.
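To make the defensive side of this concrete, here is an added example (not code from the post or from the target application) of how a server-side handler could validate the three kinds of input recovered from the client-side JavaScript above: the upload parameters folder and thefile from xproupload.js, the three-element param array [directory, new name, current name] from xprofile.js, and the “.zip” plus extract check from fileUtility.aspx. UPLOAD_ROOT, ALLOWED_EXT and every function name here are assumptions; the point is that the file name is reduced to a bare name, the real suffix is compared against an allowlist, and the final path is checked to still lie under the upload root.

```python
# Added example, not code from the post or the target application.
# Validates the request parameters the post recovers from the client JS:
#   upload  -> folder, thefile                    (xproupload.js)
#   rename  -> param = [directory, new, current]  (xprofile.js)
#   extract -> file name ending in .zip + "extract" parameter (fileUtility.aspx)
# UPLOAD_ROOT, ALLOWED_EXT and all function names are assumptions.
from pathlib import Path
from typing import Callable, List, Tuple

UPLOAD_ROOT = Path("/srv/app/uploads")                    # assumed storage root
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt", ".zip"}   # assumed allowlist


class RejectedRequest(ValueError):
    """Raised for any parameter value the handler must not act on."""


def clean_name(name: str) -> str:
    """Accept only a bare file name: no separators, no NUL, not '.' or '..'."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise RejectedRequest(f"invalid file name: {name!r}")
    return name


def check_extension(name: str) -> str:
    """Compare the real suffix (case-folded) against the allowlist instead of
    slicing the last four characters of the raw string."""
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise RejectedRequest(f"extension {ext!r} not allowed for {name!r}")
    return ext


def resolve_under_root(folder: str, name: str) -> Path:
    """Build UPLOAD_ROOT/folder/name and refuse it unless it still lies under
    the root after '..' segments have been collapsed."""
    root = UPLOAD_ROOT.resolve()
    target = (root / folder.strip("/\\") / clean_name(name)).resolve()
    if root not in target.parents:
        raise RejectedRequest(f"path escapes upload root: {folder!r}/{name!r}")
    return target


def validate_upload(folder: str, thefile: str) -> Path:
    """'folder' and 'thefile' are the request parameters seen in xproupload.js."""
    check_extension(thefile)
    return resolve_under_root(folder, thefile)


def validate_rename(param: List[str]) -> Tuple[Path, Path]:
    """'param' is the three-element array from xprofile.js:
    [directory, new name, current name]. Returns (source, destination)."""
    if len(param) != 3:
        raise RejectedRequest("rename expects exactly three values")
    directory, new_name, current_name = param
    # A rename must not turn an allowed file into a disallowed type.
    check_extension(new_name)
    check_extension(current_name)
    return (resolve_under_root(directory, current_name),
            resolve_under_root(directory, new_name))


def is_zip_request(filename: str, extract: str) -> bool:
    """Stricter form of the 'last four characters are .zip + extract flag'
    test: real suffix, case-insensitive, and an explicitly parsed boolean."""
    wants_extract = extract.strip().lower() in ("1", "true", "yes")
    return wants_extract and Path(clean_name(filename)).suffix.lower() == ".zip"


def rejects(fn: Callable, *args) -> bool:
    """Helper: True when the validator raises RejectedRequest for these args."""
    try:
        fn(*args)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    print(validate_upload("reports", "q1.pdf"))
    print(rejects(validate_upload, "../../../tmp", "notes.txt"))
    print(rejects(validate_rename, ["docs", "page.aspx", "old.txt"]))
    print(is_zip_request("Archive.ZIP", "true"))
```

The root containment check is what the client-side parameters in the post cannot provide: whatever folder or param[0] the request carries, the resolved path either sits below UPLOAD_ROOT or the request is dropped, and the rename path applies the same extension allowlist as the upload path so the two endpoints cannot be played against each other.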

Asem Eleraky

Computer Engineering Student | Bug Hunter | CTF Player | AKA Melotover