Can analyzing javascript files lead to remote code execution?

Finding the endpoint:

Analyze first file (xproupload.js):

  • folder → The directory that I will upload to.
  • thefile → the parameter that will have our file name and its content.
  • currentFilter → just an empty string, also from later analyses, there is no need for it.
  • getRS → the returned value from getAKrs function, we still didn’t know what is it, also there are no functions in this file with the same name, so I will search in other javascript files later.
  • akap → in javascript, the value !0 means “true”.

Analyze second file (xprofile.js):

  • _fileHandler filemgn.ashx
  • _rsHandler fileUtility.ashx
  • fn → and it takes the “rename_file string value.
  • getRS → the returned value from getAKrs function.
  • akap → as mentioned above, it is just a “true” value.
  • param → takes the value of the “t” variable, which was declared as an array in line 131, and was assigned with three values in line 132.
  • The 1st param[] was the directory that contained the file we want to rename.
  • The 2nd was for the new name.
  • The 3rd was for the current file name.

Report Timeline:

Digging More:

  • If the last 4 characters on the filename are “.zip
  • The value of the extract request parameter.




Computer Engineering Student | Bug Hunter | CTF Player | AKA Melotover

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

JavaScript: What Features Were Released In 2020?

Using Avalara’s AvaTax with Stripe Subscriptions

JS411 — Week 5 Blog

Serverless Approximate Nearest Neighbors on AWS Lambda with Annoy and Chalice

Optimistic UI: how to make React reducers be less suck


Advantages of React JS: critical reasons for choosing React JS.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Asem Eleraky

Asem Eleraky

Computer Engineering Student | Bug Hunter | CTF Player | AKA Melotover

More from Medium

The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF…

RCE via Dependency Confusion

Click for it

How We hacked (bypassed) Admin Panel just by Js file