CVE-2018-3786 PoC — egg-scripts Command Injection Vulnerability

Source
Associated Vulnerability
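Title: egg-scripts Command Injection Vulnerability (CVE-2018-3786)
Description: egg-scripts is a deployment tool for egg projects, used mainly to deploy, run, and manage them. Versions of egg-scripts before 2.8.1 contain a command injection vulnerability. An attacker can exploit it with maliciously crafted command-line arguments to execute arbitrary shell commands.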
Description
A fork of an old version of egg-scripts
Readme
# egg-scripts

Deploy tool for egg projects.

**Note: Windows is partially supported, see [#22](https://github.com/eggjs/egg-scripts/pull/22)**

## Install

```bash
$ npm i egg-scripts --save
```

## Usage

Add `eggctl` to `package.json` scripts:

```json
{
  "scripts": {
    "start": "eggctl start --daemon",
    "stop": "eggctl stop"
  }
}
```

Then run as:

- `npm start`
- `npm stop`

**Note:** installing `egg-scripts` globally is not recommended; install it locally and use it through npm scripts.

## Command

### start

Start egg in prod mode.

```bash
$ eggctl start [options] [baseDir]
# Usage
# eggctl start --port=7001
# eggctl start ./server
```

- **Arguments**
  - `baseDir` - directory of application, default to `process.cwd()`.
- **Options**
  - `port` - listening port, defaults to `process.env.PORT`; if unset, egg uses `7001` as the default.
  - `title` - process title description, used for kill grep, defaults to `egg-server-${APP_NAME}`.
  - `workers` - number of app workers, defaults to `process.env.EGG_WORKERS`; if unset, egg uses `os.cpus().length` as the default.
  - `daemon` - whether to run in background daemon mode; don't use it in docker mode.
  - `framework` - specify the framework, either an absolute path or an npm package; auto-detected by default.
  - `env` - server env, defaults to `process.env.EGG_SERVER_ENV`; recommended to leave it empty and use the framework's default env.
  - `stdout` - customize stdout file, defaults to `$HOME/logs/master-stdout.log`.
  - `stderr` - customize stderr file, defaults to `$HOME/logs/master-stderr.log`.
  - `timeout` - the maximum timeout when the app starts, defaults to 300s.
  - `ignore-stderr` - whether to ignore stderr when the app starts.
  - `sourcemap` / `typescript` / `ts` - provides source map support for stack traces.

### stop

Stop egg gracefully.

**Note:** if executed without `--title`, it will kill all egg processes.

```bash
# stop egg
$ eggctl stop [--title=example]
```

- **Options**
  - `title` - process title description, used for kill grep.
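
The vulnerability description above concerns command-line arguments that end up interpreted by a shell. As an added example (not code from egg-scripts or from this PoC repository), the code below validates the documented option values against an allowlist and hands them to a child process as an argv array with no shell. The validation rules and the names `buildArgv`, `argvSeenByChild` and `isPlainPath` are assumptions made for illustration.

```javascript
// Added example, not egg-scripts code. Option names come from the README;
// the allowlist rules and function names are assumptions for illustration.
const { spawnSync } = require('child_process');

// Plain path: limited character set, no whitespace, quotes, `;`, `$`, `|`,
// backticks or control bytes, and no `..` segment.
function isPlainPath(v) {
  return /^[A-Za-z0-9_.\/-]{1,255}$/.test(v) && !v.split('/').includes('..');
}

// One validator per documented option (assumed policy).
const RULES = {
  port: v => /^\d{1,5}$/.test(v) && Number(v) >= 1 && Number(v) <= 65535,
  workers: v => /^\d{1,3}$/.test(v) && Number(v) >= 1,
  title: v => /^[A-Za-z0-9._-]{1,64}$/.test(v),
  env: v => /^[A-Za-z0-9_-]{1,32}$/.test(v),
  stdout: isPlainPath,
  stderr: isPlainPath,
};

// Validate every option, then return an argv array (never a command string).
function buildArgv(command, options) {
  if (command !== 'start' && command !== 'stop') throw new Error('unknown command');
  const argv = [command];
  for (const [name, value] of Object.entries(options)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      throw new Error(`unsupported option: ${name}`);
    }
    const text = String(value);
    if (!RULES[name](text)) throw new Error(`rejected value for --${name}`);
    argv.push(`--${name}=${text}`);
  }
  return argv;
}

// Start a child from an argv array with no shell and return the arguments it
// received. The child is a constructed stand-in (node -e), not eggctl.
function argvSeenByChild(argv) {
  const echo = 'console.log(JSON.stringify(process.argv.slice(1)))';
  const res = spawnSync(process.execPath, ['-e', echo, '--', ...argv],
    { encoding: 'utf8', shell: false });
  return JSON.parse(res.stdout);
}

// Constructed sample values.
console.log(buildArgv('start', { port: 7001, title: 'egg-server-demo' }));
console.log(argvSeenByChild(['stop', '--title=a b;c|d$(e)']));
```

The second call skips validation on purpose: with no shell in between, the child receives the metacharacter-laden value as one literal argument.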
File Snapshot

```
[4.0K] /data/pocs/e07b169760a8b7d1a63b392fe09360f40b28a8a8
├── [ 293] appveyor.yml
├── [4.0K] bin
│   └── [ 91] egg-scripts.js
├── [3.6K] History.md
├── [ 471] index.js
├── [4.0K] lib
│   ├── [4.0K] cmd
│   │   ├── [8.0K] start.js
│   │   └── [3.1K] stop.js
│   ├── [1.7K] command.js
│   ├── [1.1K] helper.js
│   └── [ 131] start-cluster
├── [1.5K] package.json
├── [2.0K] README.md
└── [4.0K] test
    ├── [ 354] egg-scripts.test.js
    ├── [4.0K] fixtures
    │   ├── [4.0K] cluster-config
    │   │   ├── [4.0K] app
    │   │   │   └── [ 136] router.js
    │   │   ├── [4.0K] config
    │   │   │   ├── [ 104] config.default.js
    │   │   │   └── [ 71] config.prod.js
    │   │   └── [ 91] package.json
    │   ├── [4.0K] custom-node-dir
    │   │   ├── [4.0K] app
    │   │   │   └── [ 123] router.js
    │   │   ├── [4.0K] config
    │   │   │   └── [ 40] config.default.js
    │   │   └── [ 91] package.json
    │   ├── [4.0K] egg-app
    │   │   ├── [4.0K] config
    │   │   │   └── [ 104] config.default.js
    │   │   ├── [4.0K] node_modules
    │   │   │   └── [4.0K] egg
    │   │   │       ├── [ 76] index.js
    │   │   │       └── [ 42] package.json
    │   │   └── [ 69] package.json
    │   ├── [4.0K] example
    │   │   ├── [4.0K] app
    │   │   │   └── [ 307] router.js
    │   │   ├── [4.0K] config
    │   │   │   ├── [ 104] config.default.js
    │   │   │   └── [ 35] config.pre.js
    │   │   ├── [4.0K] node_modules
    │   │   │   ├── [4.0K] custom-framework
    │   │   │   │   ├── [ 614] index.js
    │   │   │   │   └── [ 94] package.json
    │   │   │   └── [4.0K] yadan
    │   │   │       ├── [4.0K] config
    │   │   │       │   └── [ 44] config.default.js
    │   │   │       ├── [ 254] index.js
    │   │   │       └── [ 83] package.json
    │   │   └── [ 143] package.json
    │   ├── [4.0K] status
    │   │   ├── [ 251] app.js
    │   │   ├── [4.0K] config
    │   │   │   └── [ 104] config.default.js
    │   │   ├── [4.0K] node_modules
    │   │   │   └── [4.0K] custom-framework
    │   │   │       ├── [ 614] index.js
    │   │   │       └── [ 94] package.json
    │   │   └── [ 143] package.json
    │   ├── [4.0K] subdir-as-basedir
    │   │   ├── [4.0K] base-dir
    │   │   │   ├── [4.0K] app
    │   │   │   │   └── [ 307] router.js
    │   │   │   ├── [4.0K] config
    │   │   │   │   └── [ 40] config.default.js
    │   │   │   └── [ 24] package.json
    │   │   └── [ 33] package.json
    │   ├── [4.0K] ts
    │   │   ├── [4.0K] app
    │   │   │   ├── [4.0K] controller
    │   │   │   │   └── [ 307] home.ts
    │   │   │   └── [ 124] router.js
    │   │   ├── [4.0K] config
    │   │   │   └── [ 40] config.default.js
    │   │   ├── [ 221] package.json
    │   │   └── [ 695] tsconfig.json
    │   └── [4.0K] ts-pkg
    │       ├── [4.0K] app
    │       │   ├── [4.0K] controller
    │       │   │   └── [ 307] home.ts
    │       │   └── [ 124] router.js
    │       ├── [4.0K] config
    │       │   └── [ 40] config.default.js
    │       ├── [ 264] package.json
    │       └── [ 695] tsconfig.json
    ├── [ 17K] start.test.js
    ├── [9.7K] stop.test.js
    ├── [3.8K] ts.test.js
    └── [1.2K] utils.js

38 directories, 55 files
```