pikpikcu / Pentest-Tools-Framework

Pentest Tools Framework is a database of exploits, Scanners and tools for penetration testing. Pentest is a powerful framework includes a lot of tools for beginners. You can explore kernel vulnerabilities, network vulnerabilities
GNU General Public License v3.0

Vulnerability - Executing commands with unsanitized folder name #1

Open randsec opened 4 years ago

randsec commented 4 years ago

Impact

What kind of vulnerability is it? Command execution over an unsanitized folder name.

Vulnerable file

XSStrike/core/updater.py

Vulnerable code

Lines 33,34:

```python
os.system('git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))
```

The folder variable is taken from the current directory (lines 26,27):

```python
currentPath = os.getcwd().split('/')
folder = currentPath[-1]
```

If the user creates a folder with a Linux command in its name, the command will be executed.

POC

Create a folder with command injection in its name: `mkdir "command_injection;whoami;id"`

Call os.system: `os.system('git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))`

The system will clone the repo and then execute the commands: `whoami; id`

Below I wrote a POC. It's the same os.system call but modified to list the folder's contents instead of cloning a repo. It doesn't affect exploitability.

```python
import os

# Mirrors updater.py lines 26,27: the last path component of the cwd is used verbatim.
currentPath = os.getcwd().split('/')
folder = currentPath[-1]

print("[i] Current folder name: {}".format(folder))
print("[!] I'm going to call the os.system command!...")
# Same string interpolation as updater.py lines 33,34: the shell parses the folder name.
os.system('ls %s' % (folder))
```
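An added example (not code from the issue or from the project) contrasting the string-interpolated command quoted above with a hardened form that passes the folder name as a single argv element and never invokes a shell; the allow-list regex, the `--` separator and the helper names are my assumptions, not the project's fix.

```python
import os
import re
import subprocess
from typing import List

REPO_URL = "https://github.com/s0md3v/XSStrike"  # URL from the issue
# Characters a POSIX shell would interpret if they reach it unquoted.
SHELL_META = set(";&|$`<>(){}\n'\"\\ ")
# Assumed allow-list: conservative directory names, no leading '-' or '.'.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def current_folder_name() -> str:
    # Portable equivalent of updater.py's os.getcwd().split('/')[-1].
    return os.path.basename(os.getcwd())


def build_vulnerable_command(folder: str) -> str:
    # The string updater.py hands to os.system (a shell): the folder name is
    # interpolated into the command line, so its metacharacters are parsed.
    return "git clone --quiet %s %s" % (REPO_URL, folder)


def has_shell_metachars(name: str) -> bool:
    # Detection helper: would this name change the meaning of a shell line?
    return any(ch in SHELL_META for ch in name)


def build_safe_argv(folder: str) -> List[str]:
    # Hardened form: an argv list for subprocess (shell=False), so the folder
    # is one argument whatever it contains. The name is still validated, and
    # "--" stops git from reading a name that starts with "-" as an option.
    if not SAFE_NAME_RE.fullmatch(folder):
        raise ValueError("refusing to use folder name %r as a git argument" % folder)
    return ["git", "clone", "--quiet", "--", REPO_URL, folder]


def safe_clone(folder: str) -> int:
    # Runs git without a shell and returns its exit status (needs network).
    return subprocess.run(build_safe_argv(folder), check=False).returncode


if __name__ == "__main__":
    # Constructed name shaped like the issue's PoC directory.
    demo = "command_injection;whoami;id"
    print("shell-interpolated line:", build_vulnerable_command(demo))
    print("metacharacters present :", has_shell_metachars(demo))
    try:
        build_safe_argv(demo)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
    print("argv for a clean name  :", build_safe_argv("xsstrike"))
```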