Fix command injection on proxy

yogeshojha · May 23, 2022 · 8fed51a · 8fed51a
1 parent 2c694f6
commit 8fed51a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -32,6 +32,8 @@ Thanks to these individuals for reporting Security Issues in reNgine.
 
 * [HIGH] [Blind command injection](https://huntr.dev/bounties/b255cf59-9ecd-4255-b9a2-b40b5ec6c572/) in CMS Detector, Reported by [Abdulrahman Abdullah](https://github.com/ph33rr)
 
+* [HIGH] [Command Injection](https://huntr.dev/bounties/00e10ef7-ff5e-450f-84ae-88c793d1a607/) in via Proxy, Reported by [Koen Molenaar](https://github.com/k0enm)
+
 * [LOW] [Stored XSS](https://huntr.dev/bounties/dfd440ba-4330-413c-8b21-a3d8bf02a67e/) on Import Targets via filename, Reported by [Veeshraj Ghimire](https://github.com/V35HR4J)
 
 * [LOW] [Stored XSS](https://huntr.dev/bounties/8ea5d3a6-f857-45e4-9473-e4d9cb8f7c77/) on HackerOne Markdown template, Reported by [Smaran Chand](https://github.com/smaranchand) and [Ayoub Elaich](https://github.com/sicks3c)

diff --git a/web/reNgine/tasks.py b/web/reNgine/tasks.py
@@ -776,17 +776,18 @@ def http_crawler(task, domain, yaml_configuration, results_dir, activity_id):
 	proxy = get_random_proxy()
 
 	if proxy:
-		httpx_command += " --http-proxy '{}' ".format(proxy)
+		httpx_command += " --http-proxy {} ".format(proxy)
 
 	if CUSTOM_HEADER in yaml_configuration and yaml_configuration[CUSTOM_HEADER]:
 		httpx_command += ' -H "{}" '.format(yaml_configuration[CUSTOM_HEADER])
 
-	httpx_command += ' -json -o {} '.format(
-		httpx_results_file
+	httpx_command += ' -json -o {} -l {}'.format(
+		httpx_results_file,
+		subdomain_scan_results_file
 	)
-	httpx_command = 'cat {} | {}'.format(subdomain_scan_results_file, httpx_command)
-	print(httpx_command)
-	os.system(httpx_command)
+	logger.info(httpx_command)
+	process = subprocess.Popen(httpx_command.split())
+	process.wait()
 
 	# alive subdomains from httpx
 	alive_file = open(alive_file_location, 'w')
@@ -916,7 +917,8 @@ def grab_screenshot(task, domain, yaml_configuration, results_dir, activity_id):
 
 	logger.info(eyewitness_command)
 
-	os.system(eyewitness_command)
+	process = subprocess.Popen(eyewitness_command.split())
+	process.wait()
 
 	if os.path.isfile(result_csv_path):
 		logger.info('Gathering Eyewitness results')
@@ -1014,7 +1016,8 @@ def port_scanning(
 
 	# run naabu
 	logger.info(naabu_command)
-	os.system(naabu_command)
+	process = subprocess.Popen(naabu_command.split())
+	process.wait()
 
 	# writing port results
 	try: