Code Injection in sofianehamlaoui/lockdoor-framework

Valid

Reported on May 28th 2021


✍️ Description

Multiple command injection vulnerabilities in the infogathering.py file due to lack of sanitization.

🕵️‍♂️ Proof of Concept

Payload : `id`

Video: https://drive.google.com/file/d/1uozVKKHL1LSMvFW7ehX3eIoxsWFLCes1/view?usp=sharing

💥 Impact

The tools ask for root to run, so every injected command will run as root, which may cause potential damage.

Note: sanitize.py needs a fix.
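
An added example, not code from lockdoor-framework or from this report: it shows why the backtick payload above runs when user input is concatenated into a shell string, and how an argv list plus an allowlist check stops it. `echo` stands in for the real tool; the function names and the hostname/IP allowlist are assumptions.

```python
import re
import subprocess

# Hypothetical stand-in for a tool wrapper; `echo` replaces the real scanner
# so the example runs offline. Not code from lockdoor-framework.
PAYLOAD = "`id`"  # the payload given in the report

# Assumed input type: a hostname or IPv4 address. No shell metacharacters,
# and no leading '-' that a tool could parse as an option.
_TARGET_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")


def run_vulnerable(target: str) -> str:
    """Builds a shell string: /bin/sh expands `...` before echo ever runs."""
    proc = subprocess.run("echo scanning " + target, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_only(target: str) -> str:
    """No shell involved: the payload stays one literal argument."""
    proc = subprocess.run(["echo", "scanning", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def validate_target(target: str) -> str:
    """Allowlist check; raises ValueError on anything unexpected."""
    if not _TARGET_RE.fullmatch(target):
        raise ValueError(f"invalid target: {target!r}")
    return target


def run_hardened(target: str) -> str:
    """Validate first, then execute with an argv list and no shell."""
    return run_argv_only(validate_target(target))


if __name__ == "__main__":
    print("shell string:", run_vulnerable(PAYLOAD).strip())  # id output leaks in
    print("argv list   :", run_argv_only(PAYLOAD).strip())   # literal `id`
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened    :", exc)
```

The argv list alone removes the shell interpretation; the allowlist additionally blocks option injection (a target beginning with `-`) into the wrapped tool.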

x3rz submitted a
6 months ago
Jamie Slome validated this vulnerability 6 months ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 77ee32 6 months ago
x3rz has been awarded the fix bounty