                             KLOG 2.4.1 SERVER COMMAND INJECTION VULNERABILITY

As the code line above shows, user input received from the login panel is executed on the server without any filtering. The purpose of that line is to record the user of a failed login through the ‘log.sh’ script found in the path /klog/www/config/scripts/. The source code of log.sh is shown below.

Here the ‘logmsg’ variable holds the user-supplied value, which the code saves to the file /var/log/klog/127.0.0.1/kaudit.log. This results in a command injection vulnerability.

                                  VULNERABILITY DETECTION AND EXPLOITATION

In the first step, the payload “%26sleep+5%26” was sent and ran on the target KLog server. The Burp Suite screenshot below shows this.

Then, to automate the reverse shell connection from the server, the exploit shown in the screenshot below was run, and a shell was successfully obtained on the listening NC connection.
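
The following Python sketch is an added example, not KLog's code and not the author's exploit. It shows what the “%26sleep+5%26” test value decodes to, why concatenating it into a shell command string is unsafe, and a hardened form that validates the username and passes it as a single argument with no shell. How log.sh is invoked, the username policy and all function names are assumptions; the logger is a stand-in that only echoes its argument.

```python
import re
import subprocess
import sys
from urllib.parse import unquote_plus

# Stand-in for the logging script (assumption): it only echoes its first argument.
LOGGER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
# Characters that a POSIX shell treats as control or expansion syntax.
SHELL_META = re.compile(r"[&;|`$<>(){}\\\n]")
# Assumed username policy: must not start with '-' (option injection), max 64 chars.
USER_OK = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._@-]{0,63}")


def decode_field(raw):
    """Form-decode a POST field, as the web stack does before the app sees it."""
    return unquote_plus(raw)


def has_shell_metachar(value):
    """True if the value contains shell control or expansion characters."""
    return SHELL_META.search(value) is not None


def unsafe_command(user):
    """Vulnerable pattern: input concatenated into a shell string (built, never run)."""
    return "/klog/www/config/scripts/log.sh " + user


def pass_as_argv(value):
    """No shell involved: the value reaches the child as one literal argument."""
    done = subprocess.run(LOGGER + [value], capture_output=True, text=True, check=True)
    return done.stdout.strip()


def log_failed_login(user):
    """Hardened form: allowlist first, then argv passing."""
    if not USER_OK.fullmatch(user):
        user = "<invalid-username>"
    return pass_as_argv(user)


if __name__ == "__main__":
    field = decode_field("%26sleep+5%26")  # test value from the write-up
    print(repr(field), has_shell_metachar(field))
    print(unsafe_command(field))
    print(log_failed_login(field), log_failed_login("alice"))
```

The same allowlist doubles as a detection rule: any login username that fails it is worth an alert in the audit log.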