Blind command injection in yogeshojha/rengine
Valid
Reported on Apr 29th 2022
Description
Hello, it's my first report on huntr.dev.
Fast code review: file https://github.com/yogeshojha/rengine/blob/master/web/api/views.py#L820
```python
from rest_framework.views import APIView
from rest_framework.response import Response

from reNgine.common_func import get_cms_details


class CMSDetector(APIView):
    def get(self, request):
        req = self.request
        # 'url' is taken straight from the query string with no validation
        url = req.query_params.get('url')
        #save_db = True if 'save_db' in req.query_params else False
        response = {'status': False}
        try:
            # the attacker-controlled value flows into a shell command (see file 2)
            response = get_cms_details(url)
        except Exception as e:
            response = {'status': False, 'message': str(e)}
        return Response(response)
```
Parameter: url
File 2: https://github.com/yogeshojha/rengine/blob/master/web/reNgine/common_func.py#L668
```python
import os
from urllib.parse import urlparse


def get_cms_details(url):
    # this function will fetch cms details using cms_detector
    response = {}
    # VULNERABLE: url is interpolated unescaped into a single command line and
    # os.system() hands that line to /bin/sh, so ';', '&&', '|', '$(...)' etc.
    # inside the url parameter run as additional commands
    cms_detector_command = 'python3 /usr/src/github/CMSeeK/cmseek.py -u {} --random-agent --batch --follow-redirect'.format(url)
    os.system(cms_detector_command)
    response['status'] = False
    response['message'] = 'Could not detect CMS!'
    # the url is only parsed after the command has already been executed
    parsed_url = urlparse(url)
    domain_name = parsed_url.hostname
    port = parsed_url.port
    find_dir = domain_name
    if port:
        find_dir += '_{}'.format(port)
    print(url)
    print(find_dir)
    # (remainder of the function not included in the report)
```
Proof of Concept
http:///api/tools/cms_detector/?format=json&url=ls;ls;ls
Impact
command injection
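Added example (written for this edit; not code from rengine or from the report above): the vulnerable shape of the sink next to a hardened one, runnable offline. `echo` stands in for the `python3 /usr/src/github/CMSeeK/cmseek.py -u` invocation (an assumption of this example so it runs without CMSeeK installed); the shell semantics that make `url=ls;ls;ls` work are the same. `run_unsafe` mirrors the format-into-os.system pattern, `run_argv` shows that passing the URL as a single argv element with `shell=False` already stops the injection, and `run_safe` adds the input validation a scan endpoint should have anyway. The payload string is constructed for the demonstration.

```python
import re
import subprocess
from urllib.parse import urlparse

# Stand-in for 'python3 /usr/src/github/CMSeeK/cmseek.py -u'; using 'echo'
# here is an assumption of this example so it runs without CMSeeK installed.
SCANNER_ARGV = ["echo", "cmseek", "-u"]

# Hostnames: letters, digits, '.' and '-' only (IPv6 literals would need a
# separate bracket-aware check and are rejected here).
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def run_unsafe(url: str) -> str:
    """Vulnerable pattern: the URL is formatted into one command string that a
    shell parses. os.system() behaves like subprocess.run(cmd, shell=True);
    run() is used here only so stdout can be captured and inspected."""
    cmd = "{} {}".format(" ".join(SCANNER_ARGV), url)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv(url: str) -> str:
    """Argv-list call with shell=False: the URL is exactly one argument and no
    shell ever sees it, so ';', '|', '&&' and '$()' are inert characters."""
    proc = subprocess.run(SCANNER_ARGV + [url], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def validate_target_url(url: str) -> str:
    """Reject anything that is not an absolute http(s) URL with a plain hostname.
    urlparse() is lenient (it returns a hostname containing ';' without
    complaint), so the hostname is also matched against a strict pattern."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("url must be an absolute http or https URL")
    host = parsed.hostname
    if not host or not _HOSTNAME_RE.match(host):
        raise ValueError("url has an invalid hostname")
    _ = parsed.port  # raises ValueError on a malformed port
    return url


def run_safe(url: str) -> str:
    """Hardened pattern: validate first, then call the scanner without a shell."""
    return run_argv(validate_target_url(url))


def is_injected(output: str, marker: str = "INJECTED") -> bool:
    """True if the marker was printed on its own line, i.e. a second command ran."""
    return marker in output.splitlines()


if __name__ == "__main__":
    payload = "http://example.com;echo INJECTED"  # constructed attacker input
    print("unsafe:", repr(run_unsafe(payload)), "injected:", is_injected(run_unsafe(payload)))
    print("argv:  ", repr(run_argv(payload)), "injected:", is_injected(run_argv(payload)))
    for bad in (payload, "ls;ls;ls", "file:///etc/passwd"):
        try:
            run_safe(bad)
        except ValueError as exc:
            print("rejected", repr(bad), "->", exc)
    print("safe:  ", repr(run_safe("http://example.com:8080/")))
```

The point to take from the two layers: the fix is not quoting the url into the command string (shlex.quote would work but is easy to forget on the next call site); it is never handing user input to a shell at all, and rejecting anything that is not an http(s) URL before it reaches the scanner.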
We are processing your report and will contact the yogeshojha/rengine team within 24 hours.
2 months ago
We have contacted a member of the yogeshojha/rengine team and are waiting to hear back.
2 months ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days.
2 months ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days.
2 months ago
This was a great finding @ph33rr.
I believe this deserves a CVE ID, please go ahead and initiate the process for CVE ID, and let me know if I could be of any help.
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
The fix bounty has been dropped
@admin, how do I personally award the researcher bounty? I think we have exhausted the bounty amount for this month, so I would like to award him personally.
Thanks
@yogeshojha - this is certainly something I am sure we can help you with. Are you able to just send us an e-mail (info@huntr.dev) so that we can better process your request?