NodeJS v8 Debugger Command Injection

by do son · Published October 21, 2017 · Updated November 4, 2024

NodeJS Debugger Command Injection

/exploits/multi/misc/nodejs_v8_debugger.rb Metasploit module

This module uses the “evaluate” request type of the NodeJS V8 debugger protocol (version 1) to evaluate arbitrary JS and call out to other system commands. The port (default 5858) is not exposed non-locally in default configurations, but may be exposed either intentionally or via misconfiguration.

Find vulnerable host using shodan

Key: “Embedding-Host: node”

Key: v8-version node

NodeJS v8 Debugger Command Injection

Search

Brilliantly

Content & Links