Code Injection in z4nzu/hackingtool


Reported on

Jul 30th 2020


The hackingtool by Z4nzu is a pool of pentest tools that is useful to hackers to do fast hacking from information gathering to web attacks to wireless hacking and much more which are provided in terminal UI. It is built using python3. However it uses os.system() command in various places which takes in unsanitised input which can lead to problems like RCE. This tool is a single python file and can be set up inside a website which could give access via a web UI to the tool and return the result of the tool. It also requires sudo permissions to run. Thus every command that runs is executed as root which could lead to arbitrary code execution as root.

to join this conversation