From 8fed51a443503c0d2df659d859f806b54f2e6c09 Mon Sep 17 00:00:00 2001
From: Yogesh Ojha
Date: Mon, 23 May 2022 11:51:16 +0530
Subject: [PATCH] Fix command injection on proxy
---
 .github/SECURITY.md | 2 ++
 web/reNgine/tasks.py | 19 +++++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 20bdd2173..864e6a900 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -32,6 +32,8 @@ Thanks to these individuals for reporting Security Issues in reNgine.
 * [HIGH] [Blind command injection](https://huntr.dev/bounties/b255cf59-9ecd-4255-b9a2-b40b5ec6c572/) in CMS Detector, Reported by [Abdulrahman Abdullah](https://github.com/ph33rr)
+* [HIGH] [Command Injection](https://huntr.dev/bounties/00e10ef7-ff5e-450f-84ae-88c793d1a607/) in via Proxy, Reported by [Koen Molenaar](https://github.com/k0enm)
+
 * [LOW] [Stored XSS](https://huntr.dev/bounties/dfd440ba-4330-413c-8b21-a3d8bf02a67e/) on Import Targets via filename, Reported by [Veeshraj Ghimire](https://github.com/V35HR4J)
 * [LOW] [Stored XSS](https://huntr.dev/bounties/8ea5d3a6-f857-45e4-9473-e4d9cb8f7c77/) on HackerOne Markdown template, Reported by [Smaran Chand](https://github.com/smaranchand) and [Ayoub Elaich](https://github.com/sicks3c)
diff --git a/web/reNgine/tasks.py b/web/reNgine/tasks.py
index 058de19b9..aee8e6a3c 100644
--- a/web/reNgine/tasks.py
+++ b/web/reNgine/tasks.py
@@ -776,17 +776,18 @@ def http_crawler(task, domain, yaml_configuration, results_dir, activity_id):
 proxy = get_random_proxy()
 if proxy:
- httpx_command += " --http-proxy '{}' ".format(proxy)
+ httpx_command += " --http-proxy {} ".format(proxy)
 if CUSTOM_HEADER in yaml_configuration and yaml_configuration[CUSTOM_HEADER]:
 httpx_command += ' -H "{}" '.format(yaml_configuration[CUSTOM_HEADER])
- httpx_command += ' -json -o {} '.format(
- httpx_results_file
+ httpx_command += ' -json -o {} -l {}'.format(
+ httpx_results_file,
+ subdomain_scan_results_file
 )
- httpx_command = 'cat {} | {}'.format(subdomain_scan_results_file, httpx_command)
- print(httpx_command)
- os.system(httpx_command)
+ logger.info(httpx_command)
+ process = subprocess.Popen(httpx_command.split())
+ process.wait()
 # alive subdomains from httpx
 alive_file = open(alive_file_location, 'w')
@@ -916,7 +917,8 @@ def grab_screenshot(task, domain, yaml_configuration, results_dir, activity_id):
 logger.info(eyewitness_command)
- os.system(eyewitness_command)
+ process = subprocess.Popen(eyewitness_command.split())
+ process.wait()
 if os.path.isfile(result_csv_path):
 logger.info('Gathering Eyewitness results')
@@ -1014,7 +1016,8 @@ def port_scanning(
 # run naabu
 logger.info(naabu_command)
- os.system(naabu_command)
+ process = subprocess.Popen(naabu_command.split())
+ process.wait()
 # writing port results
 try:
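Review bot: In the http_crawler hunk, `subprocess.Popen(httpx_command.split())` removes the shell, but whitespace-splitting a string that still embeds the proxy value and the custom header means any value containing a space turns into additional httpx arguments, and a header of the usual `Name: value` form (the context line `' -H "{}" '.format(...)`) is broken into several tokens with the literal quotes attached. The same `.split()` pattern is used for eyewitness_command and naabu_command in the next two hunks, and in all three the exit status from `process.wait()` is discarded, so a failed run falls through to result parsing. `logger.info(httpx_command)` also writes the proxy URL and the header value to the log, which may carry credentials. Build the argv as a list with each user-supplied value as its own element and check the return code; the prefix of httpx_command is assembled before this hunk, so that part needs the same treatment. `subprocess` is not imported anywhere in this patch, so presumably tasks.py already imports it — worth confirming.
```python
    # … unchanged: httpx_command prefix assembled before this hunk (build it as a list the same way) …
    httpx_args = httpx_command.split()  # assumes the prefix holds no user-supplied values — verify
    if proxy:
        httpx_args += ["--http-proxy", proxy]
    if CUSTOM_HEADER in yaml_configuration and yaml_configuration[CUSTOM_HEADER]:
        httpx_args += ["-H", yaml_configuration[CUSTOM_HEADER]]
    httpx_args += ["-json", "-o", httpx_results_file, "-l", subdomain_scan_results_file]
    logger.info("running httpx for %s", domain)  # not the full argv: proxy/header may carry credentials
    process = subprocess.Popen(httpx_args)
    if process.wait() != 0:
        logger.error("httpx exited with status %s", process.returncode)
    # … unchanged: alive subdomains from httpx …
```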