Handlebars.js 4.1.1 Server Side Template Injection exploitation – running system commands with a Node.js RCE when require() is not available?


I’m currently reading the following article and trying to exploit the vulnerability (Handlebars.js 4.1.1 Server Side Template Injection):

http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html

Sure enough, the proof of concept code works fine. Specifically, the final snippet from Matias works in my setup. However, after all those context changes, I no longer have access to the require keyword, and therefore I cannot do require('child_process').exec(), because it says require is not defined.

I tried looking for global variables in the current context which might help me, but found nothing.

I also considered copying the whole child_process library’s source code into my payload, but that’s not trivial, since the library uses other libraries and some specific variables, which are not initialized for me (primordials, for example).

In order to continue the assignment, I need to get a reverse shell on the target machine. How can I use the RCE to run system commands/get a reverse shell if I cannot use require()?