-
-
Notifications
You must be signed in to change notification settings - Fork 87
Expand file tree
/
Copy pathjsonpath.html
More file actions
91 lines (84 loc) · 5.21 KB
/
Copy pathjsonpath.html
File metadata and controls
91 lines (84 loc) · 5.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>JSONPath-Plus RCE - SCAGoat</title>
<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
<link href="../static/css/style.css" rel="stylesheet">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css">
</head>
<body>
<div id="particles-js"></div>
<nav class="navbar">
<a href="/"><i class="fas fa-home"></i> Home</a>
<a href="/markdown"><i class="fas fa-file-alt"></i> Markdown</a>
<a href="/checkip"><i class="fas fa-search"></i> Checkip</a>
<a href="/trimnewlines"><i class="fas fa-cut"></i> Trim-Newlines</a>
<a href="/jsonpath" class="active"><i class="fas fa-code"></i> JSONPath-Plus</a>
<a href="/chat-ui"><i class="fas fa-comment"></i> Chat</a>
<a href="http://localhost:8080" target="_blank"><i class="fas fa-server"></i> Backend</a>
</nav>
<div class="container mx-auto px-4 py-8">
<h1 class="text-3xl font-bold text-white text-center mb-8">JSONPath-Plus Remote Code Execution</h1>
<div class="max-w-3xl mx-auto bg-gray-800 bg-opacity-80 p-6 rounded-lg shadow-md mb-8">
<div class="mb-6 text-white">
<h2 class="text-xl font-bold mb-2"><i class="fas fa-exclamation-triangle text-red-500 mr-2"></i>CVE-2024-21534</h2>
<p class="mb-4">jsonpath-plus versions before 10.2.0 contain a critical Remote Code Execution (RCE) vulnerability. The package uses Node's <code>vm</code> module in an unsafe manner with user-controlled input, allowing attackers to execute arbitrary JavaScript code on the server.</p>
<div class="bg-red-900 bg-opacity-70 p-3 rounded mt-4">
<p class="text-sm"><strong>CVSS Score:</strong> 9.8 (Critical)</p>
<p class="text-sm"><strong>Vulnerability Type:</strong> Remote Code Execution</p>
<p class="text-sm"><strong>Fixed Version:</strong> 10.2.0+</p>
<p class="text-sm"><strong>Current Version:</strong> 7.0.0 (Vulnerable)</p>
</div>
</div>
<div class="bg-gray-900 bg-opacity-70 p-4 rounded-lg mb-6">
<h3 class="text-lg font-bold text-white mb-3">Demonstration</h3>
<p class="text-gray-300 mb-4">Query JSON data using JSONPath. The vulnerable library processes user-supplied paths with unsafe vm usage:</p>
<form id="jsonpathForm" class="space-y-4">
<div>
<label for="jsonpath" class="block text-white text-sm font-bold mb-2">JSONPath Expression:</label>
<input type="text" id="jsonpath" class="w-full px-3 py-2 rounded-md border border-gray-600 bg-gray-700 text-white"
placeholder="e.g., $.users[*].name" value="$.users[*].name">
</div>
<div>
<label class="block text-white text-sm font-bold mb-2">Sample JSON:</label>
<textarea id="jsonData" class="w-full px-3 py-2 rounded-md border border-gray-600 bg-gray-700 text-white font-mono text-sm" rows="6">{"users": [{"name": "Alice", "id": 1}, {"name": "Bob", "id": 2}]}</textarea>
</div>
<button type="submit" class="w-full bg-red-600 hover:bg-red-700 text-white py-2 rounded-md transition">
<i class="fas fa-search mr-2"></i>Execute JSONPath Query
</button>
</form>
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/particles.js/2.0.0/particles.min.js"></script>
<script>
particlesJS('particles-js', {
"particles": {"number": {"value": 80, "density": {"enable": true, "value_area": 800}}, "color": {"value": "#ffffff"},
"shape": {"type": "circle", "stroke": {"width": 0, "color": "#000000"}},
"opacity": {"value": 0.5}, "size": {"value": 3, "random": true},
"line_linked": {"enable": true, "distance": 150, "color": "#ffffff", "opacity": 0.4, "width": 1},
"move": {"enable": true, "speed": 6}, "interactivity": {"detect_on": "canvas", "events": {"onhover": {"enable": true, "mode": "grab"}, "onclick": {"enable": true, "mode": "push"}}},
"retina_detect": true
});
document.getElementById('jsonpathForm').addEventListener('submit', function(e) {
e.preventDefault();
fetch('/api/jsonpath', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
path: document.getElementById('jsonpath').value,
data: document.getElementById('jsonData').value
})
})
.then(r => r.json())
.then(data => {
if (data.error) alert('Error: ' + data.error);
else alert('Result: ' + JSON.stringify(data.result));
})
.catch(err => alert('Error: ' + err.message));
});
</script>
</body>
</html>