CVE-2022-24999 PoC — qs 安全漏洞

Source

https://github.com/n8tz/CVE-2022-24999

Associated Vulnerability

Title:qs 安全漏洞 (CVE-2022-24999)
Description:ljharb qs是美国Jordan Harband个人开发者的一个具有嵌套支持的查询字符串解析器。 qs 6.10.3 之前版本存在安全漏洞，该漏洞源于parse忽略__proto__键，攻击者利用该漏洞可以将攻击载荷放在用于访问应用程序的 URL 的查询字符串中。

Description

"qs" prototype poisoning vulnerability ( CVE-2022-24999 )

File Snapshot


 [4.0K]  /data/pocs/b94a48f078fd58c0d101bf3beca6d763ed355297
├── [4.0K]  express-qs-array-bomb
│   ├── [ 500]  package.json
│   ├── [ 35K]  package-lock.json
│   ├── [  29]  payload.test.txt
│   ├── [  72]  payload.txt
│   ├── [1.8K]  poc.js
│   └── [4.0K]  test
│       ├── [1.0K]  get.js
│       └── [1.0K]  post.js
├── [4.0K]  express-qs-string-bomb
│   ├── [ 473]  package.json
│   ├── [ 35K]  package-lock.json
│   ├── [  17]  payload.test.txt
│   ├── [  72]  payload.txt
│   ├── [1.5K]  poc.js
│   └── [4.0K]  test
│       ├── [1.0K]  get.js
│       └── [1.0K]  post.js
├── [4.0K]  qs-vulns
│   ├── [ 997]  arrayBomb.js
│   ├── [1004]  arrayWithJson.js
│   ├── [ 403]  badBoolean.js
│   ├── [ 799]  ghostValues.js
│   ├── [ 404]  package.json
│   ├── [5.9K]  package-lock.json
│   ├── [ 351]  readme.md
│   └── [ 808]  stringBomb.js
└── [1.9K]  readme.md

5 directories, 23 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!