14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.
Unauthenticated attackers can inject commands through shell metacharacters and thereby achieve remote command execution on the server.
The unauthorized remote command execution vulnerability is located at the fingerprint scanning point of the core function.
Auditing the source code shows that when only_spider is false and spider is true, the crawl_site() function is executed.
Following the call further, the submitted URL is concatenated into CMD and handed to Python's subprocess module for execution, so arbitrary commands can be executed by constructing a payload.
The program blocks. Why? Because our command execution was successful!
SUCCEED!
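The pattern described above (a submitted URL concatenated into a command string and run through subprocess), shown beside a hardened form. This is an added example, not 14Finger's code: the function names are hypothetical and echo stands in for the crawler binary so that it runs offline.

```python
import subprocess
from urllib.parse import urlsplit

CRAWLER = "echo"  # assumption: stand-in for the crawler binary, runs offline


def crawl_unsafe(url):
    """Pattern described above: URL concatenated into a string run by a shell."""
    cmd = CRAWLER + " " + url
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)
    return out.stdout.splitlines()


def validate_url(url):
    """Accept only http(s) URLs with a host and no whitespace/control chars."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    return url


def crawl_safe(url):
    """Hardened form: validate, then pass the URL as one argv element, no shell."""
    argv = [CRAWLER, validate_url(url)]
    # shell=False: metacharacters in the URL are never interpreted by a shell.
    # timeout: a hung child cannot block the scan worker indefinitely.
    out = subprocess.run(argv, shell=False, capture_output=True, text=True,
                         timeout=10, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Constructed inputs; MARKER only shows whether a second command ran.
    print(crawl_unsafe("http://example.test/a;echo MARKER"))
    print(crawl_safe("http://example.test/a;b|c"))
```

In the unsafe form the shell treats the text after ";" as a second command; in the hardened form the same characters reach the child process as a single literal argument.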