mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
// Command injection — positive fixture.
// Vulnerable: concatenates user input into a shell command string run by execSync.
// Entry: runPing(host)    Cap: CODE_EXEC
// Expected verdict: Confirmed ("; echo NYX_PWN_CMDI" payload echoes marker)

const { execSync } = require('child_process');
/**
 * Fixture entry point that runs `echo hello <host>` through execSync and
 * copies whatever the command printed to this process's stdout.
 *
 * Deliberately vulnerable: `host` is concatenated into the command string
 * without validation or quoting, and execSync hands that string to a shell,
 * so shell metacharacters in `host` are interpreted rather than echoed.
 * Code outside a fixture would pass the value as a separate argv element
 * (e.g. execFileSync('echo', ['hello', host])) so that no shell parses it.
 *
 * @param {string} host - Caller-supplied value appended to the command.
 * @returns {void}
 */
function runPing(host) {
  // The marker is written before the command runs; presumably the test
  // harness uses it to tell that the sink was reached — confirm against it.
  process.stdout.write('__NYX_SINK_HIT__\n');

  // utf8 makes execSync return a string; the timeout is 5000 ms.
  const execOptions = { encoding: 'utf8', timeout: 5000 };

  try {
    // The concatenation stays inline: untrusted input flowing straight into
    // the sink argument is the pattern this fixture exists to exercise.
    const commandOutput = execSync('echo hello ' + host, execOptions);
    process.stdout.write(commandOutput);
  } catch (failure) {
    // If anything in the try block throws, forward whatever output was
    // captured on the error object (empty strings when there is none).
    const captured = (failure.stdout || '') + (failure.stderr || '');
    process.stdout.write(captured);
  }
}
// Export the fixture's single entry point (named "Entry" in the file header).
module.exports = { runPing: runPing };