Command Injection in yogeshojha/rengine
Sep 1st 2021
RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. This functionality can be used to inject a command and run arbitrary code.
Proof of Concept
Add the following as the only proxy in the proxy list in the Proxy settings, including the quotes:
';echo RCE_IN_RENGINE'
Then start a subdomain-only scan against a random target and watch the logs. After httpx is executed, RCE_IN_RENGINE should appear in the logs at the beginning of the line that ends with
-json -o /usr/src/scan_results/$results_dir/httpx.json. This is a simple and harmless PoC.
An attacker can execute arbitrary commands on the system.
Validate that added proxies are valid HTTP URLs before adding them to the database.
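One way to implement this validation in Python, as an added example that is not rengine's own code. The function names, the choice to reject credentials, paths and IPv6 literals, and the use of httpx's -http-proxy flag in an argument list are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: proxies are plain scheme://host:port entries (no credentials, no IPv6).
SHELL_META = re.compile(r"[\s'\"`;|&$<>(){}\\]")
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def validate_proxy(entry):
    """Return a normalized http(s)://host:port string or raise ValueError."""
    entry = entry.strip()
    if not entry or SHELL_META.search(entry):
        raise ValueError("empty entry or illegal character")
    parts = urlsplit(entry)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("only scheme://host:port is accepted")
    if parts.path not in ("", "/"):
        raise ValueError("proxy URL must not carry a path")
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    port = parts.port  # raises ValueError if non-numeric or > 65535
    if not port:
        raise ValueError("an explicit non-zero port is required")
    return f"{parts.scheme.lower()}://{host}:{port}"


def filter_proxy_list(text):
    """Split a textarea-style proxy list into (accepted, rejected)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(validate_proxy(line))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


def build_httpx_argv(proxy, out_path):
    """Argument vector for subprocess.run(argv); never joined into a shell string."""
    return ["httpx", "-http-proxy", validate_proxy(proxy), "-json", "-o", out_path]


# Constructed sample input: two valid proxies and the PoC string from the report.
SAMPLE = "http://10.0.0.5:8080\n';echo RCE_IN_RENGINE'\nhttps://proxy.example.com:3128/\n"
if __name__ == "__main__":
    print(filter_proxy_list(SAMPLE))
```

Validation at save time covers new entries only; passing the proxy as a separate argv element also protects scans that read values already stored in the database.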