Code Injection in z4nzu/hackingtool

Valid

Reported on

Jul 30th 2020

Description

The hackingtool by Z4nzu is a pool of pentest tools that is useful to hackers to do fast hacking from information gathering to web attacks to wireless hacking and much more which are provided in terminal UI. It is built using python3. However it uses os.system() command in various places which takes in unsanitised input which can lead to problems like RCE. This tool is a single python file and can be set up inside a website which could give access via a web UI to the tool and return the result of the tool. It also requires sudo permissions to run. Thus every command that runs is executed as root which could lead to arbitrary code execution as root.

Occurrences

hackingtool.py L2379

hackingtool.py L1649

hackingtool.py L2925

hackingtool.py L2573

hackingtool.py L2632

hackingtool.py L1672

hackingtool.py L1960

hackingtool.py L429

hackingtool.py L381

hackingtool.py L2564

hackingtool.py L2654

hackingtool.py L1644

hackingtool.py L249

hackingtool.py L1920

hackingtool.py L2398

to join this conversation