[Warning] Config Command Execute in ShuiZe_0x727 v1.0
Leeyangee opened this issue · 0 comments
Vulnerability Product: ShuiZe_0x727 v1.0
Vulnerability version: v1.0
Vulnerability type: Config Command Execute
Vulnerability Details:
Vulnerability location: ShuiZe_0x727/ShuiZe.py -> func: get_GitSensitiveInfo, ShuiZe_0x727/Plugins/infoGather/Intranet/scanPort/scanPort.py -> var: _web_ports
Users may be guided to edit the config file /ShuiZe_0x727/iniFile/config.ini. The tool does not validate data read from this untrusted config file and passes it to eval() in ShuiZe_0x727/ShuiZe.py -> func: get_GitSensitiveInfo and in ShuiZe_0x727/Plugins/infoGather/Intranet/scanPort/scanPort.py -> var: _web_ports, which results in command execution.
payload: 'connect' if __import__('os').system('echo 触发成功') else 'connect'
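The root cause described above is that a config.ini value is handed to eval(), which runs any expression it contains. As an added example (not code from ShuiZe), the following parser reads such a list-valued key with configparser and ast.literal_eval and validates its shape, so an expression like the payload above is rejected instead of executed. The section name and sample values are constructed assumptions, not copied from the project's config file.

```python
import ast
import configparser

# Constructed sample config in the same shape as ShuiZe's iniFile/config.ini
# (section name and exact key layout are assumptions, not copied from the project).
SAFE_CONFIG = """
[github]
github_keywords = ['password', 'connect', 'jdbc']
"""

# Constructed unsafe value: an expression rather than a literal list. With eval()
# this would execute code; ast.literal_eval rejects it as a malformed literal.
UNSAFE_CONFIG = """
[github]
github_keywords = ['connect', __import__('os').getcwd()]
"""


def parse_keyword_list(raw: str, max_len: int = 64) -> list:
    """Parse a config value that must be a Python-style list of strings.

    ast.literal_eval only accepts literals (strings, numbers, lists, ...), so
    function calls, conditionals and imports raise ValueError instead of
    running. The shape is then checked so callers can rely on it.
    """
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"github_keywords is not a literal list: {raw!r}") from exc
    if not isinstance(value, list) or not all(isinstance(k, str) for k in value):
        raise ValueError("github_keywords must be a list of strings")
    for k in value:
        if not k or len(k) > max_len:
            raise ValueError(f"keyword rejected: {k!r}")
    return value


def load_keywords(config_text: str) -> list:
    """Read github_keywords from INI text without ever calling eval()."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return parse_keyword_list(cp.get("github", "github_keywords"))


if __name__ == "__main__":
    print(load_keywords(SAFE_CONFIG))
    try:
        load_keywords(UNSAFE_CONFIG)
    except ValueError as e:
        print("rejected:", e)
```

The same approach applies to the _web_ports value in scanPort.py: parse it as a literal list of integers and range-check each port rather than evaluating the string.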
PROVE:
Users need to set /ShuiZe_0x727/iniFile/config.ini -> var: GITHUB_TOKEN
to trigger this vulnerability (or they download an entire unsafe /ShuiZe_0x727/iniFile/config.ini that contains a github_token and the payload directly).
Firstly, append the payload to the list /ShuiZe_0x727/iniFile/config.ini -> var: github_keywords
Secondly, run ShuiZe
example: python3 ShuiZe.py -d steam.com
Thirdly, you can see that it successfully ran the command: echo 触发成功
This proves Config Command Execute.
Discovered by leeya_bug