This project is a PoC to demonstrate the SSJI vulnerability in CVE-2014-7205, which opens the possibility of RCE (Remote Code Execution) on a target NodeJS Web Server.
The repository contains two web applications what-is-the-year and the-cutlery-shop, both showcase the same vulnerability. Written instructions on how to run each app are contained within their respective folders.
- Visit this write-up for details on exploitation of "What's the Year".
https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
https://exchange.xforce.ibmcloud.com/vulnerabilities/96730
https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection
https://s1gnalcha0s.github.io/node/2015/01/31/SSJS-webshell-injection.html
https://www.exploit-db.com/exploits/40689
https://www.openwall.com/lists/oss-security/2014/09/30/10