Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-29078 PoC — Github ejs 代码注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-29078.yaml
Associated Vulnerability
Title:Github ejs 代码注入漏洞 (CVE-2022-29078)
Description:Github ejs是嵌入式 JavaScript 模板。 ejs 3.1.6 版本存在代码注入漏洞,该漏洞源于 settings[view options][outputFunctionName] 中可以进行服务器端模板注入。 这被解析为内部选项,并使用任意 OS 命令(在模板编译时执行)覆盖 outputFunctionName 选项。
Description
Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.
File Snapshot

 id: CVE-2022-29078

info:
  name: Node.js Embedded JavaScript 3.1.6 - Template Injection
  author: F

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.