This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed Code Execution bug on fsociety #1

Merged
merged 10 commits into from
Jul 28, 2020
Changes from 6 commits
60 changes: 48 additions & 12 deletions fsociety.py
Expand Up @@ -466,8 +466,18 @@ def install(self):
def run(self):
clearScr()
print(self.nmapLogo)
target = raw_input(self.targetPrompt)
self.menu(target)
target = raw_input(self.targetPrompt).split(' ')[0]
Splitting the hostname or the URL, which are user-supplied inputs, doesn't prevent malicious attackers from successfully injecting other commands like ls or shutdown, which could still provoke a DoS issue or unexpected behaviour.

The target should be sanitized properly 😄

You can confirm what I'm saying by just entering the following URL as the target: test.cominvalid&&ls , and you'll also see the ls command executed in the final output, which shows the files in the directory.

Video attached:

test_target = target.split('/')
try:
socket.gethostbyname(test_target[0])
if len(test_target) > 1:
try:
int(test_target[1])
except KeyboardInterrupt:
informationGatheringMenu()
self.menu(target)
except KeyboardInterrupt:
informationGatheringMenu()

def menu(self, target):
clearScr()
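Review bot: the validation added here only catches KeyboardInterrupt, so a name that does not resolve raises socket.gaierror from gethostbyname() and a non-numeric suffix after `/` raises ValueError from int(), both uncaught, and a simple typo at the prompt crashes the menu instead of re-prompting; wrap the check in `except (socket.error, ValueError):` and loop back to the prompt. The larger problem is that a DNS lookup is a reachability probe, not an input-format check: whether a resolver rejects a string containing shell metacharacters is an implementation detail of that resolver, and the value handed to self.menu(target) is still the raw input (minus anything after the first space), which downstream os.system() calls format into a shell string. Suggest validating the whole string against an allow-list (hostname or IPv4, optional numeric /prefix) and passing it as a separate argv element through subprocess instead.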
Expand Down Expand Up @@ -558,8 +568,17 @@ def __init__(self):
self.install()
clearScr()
print(self.wpscanLogo)
target = raw_input(" Enter a Target: ")
self.menu(target)
target = raw_input(" Enter a Target: ").split(' ')[0]
Splitting != sanitizing inputs

test_target = ''
if target[0:4] == 'http':
test_target = target
else:
test_target = 'http://'+target
try:
urllib2.urlopen(test_target)
self.menu(target)
except KeyboardInterrupt:
informationGatheringMenu()

def installed(self):
return (os.path.isdir(self.installDir))
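Review bot: urllib2.urlopen(test_target) only shows that the URL fetches; it sends an outbound HTTP request to whatever the user typed, blocks with no timeout, and refuses any legitimate target that is down, non-HTTP, or filtering the scanner, while the only exception caught is KeyboardInterrupt, so urllib2.URLError, HTTPError and the ValueError from a malformed URL all escape. As the comment on this hunk says, a URL that fetches fine can still contain `?`, `|`, `&` and `;`, which become shell operators once `target` reaches os.system(). Suggest a purely syntactic allow-list check (scheme, hostname, optional port and path; no query string) and passing `target` to subprocess as an argv element, which removes the shell from the picture.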
Expand Down Expand Up @@ -618,10 +637,19 @@ def __init__(self):
self.install()
clearScr()
print(self.CMSmapLogo)
target = raw_input(" Enter a Target: ")
self.run(target)
response = raw_input(continuePrompt)

target = raw_input(" Enter a Target: ").split(' ')[0]
Splitting != sanitizing

test_target = ''
if target[0:4] == 'http':
test_target = target
else:
test_target = 'http://'+target
try:
urllib2.urlopen(test_target)
Hi 😄,
thanks again for the changes 👍

The characters used inside a valid URL are also evaluated as valid bash directives, which still leads to arbitrary command execution in some cases.
The example below is made using the http://evil.com?||nslookup PoC payload, and can bypass the protections applied through urllib2.urlopen().

(please excuse the upper case when typing ... I hadn't clicked the right key)

I understand it's difficult to fix this type of issue, so I think it's also OK to use an external library to validate the inputs obtained and avoid arbitrary command injection 👍

Regards,
Mik

self.run(target)
response = raw_input(continuePrompt)
except KeyboardInterrupt:
informationGatheringMenu()

def installed(self):
return (os.path.isdir(self.installDir))
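Review bot: this is the second verbatim copy of the prefix-and-urlopen block (the third arrives in the doork hunk); factor it into one helper such as a validate_target() shared by WPScan, CMSmap and doork, so the next hardening change lands once rather than three times. The block also has the same gaps as in WPScan: urlopen() is an outbound request rather than input validation, only KeyboardInterrupt is caught, and the `?||nslookup` payload shown in the comment passes urlopen() because a query string is a legal part of a URL. Note too that moving `response = raw_input(continuePrompt)` inside the try means an unreachable target now raises an uncaught urllib2.URLError before self.run(target) is ever reached.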

Expand Down Expand Up @@ -686,9 +714,18 @@ def __init__(self):
self.install()
clearScr()
print(self.doorkLogo)
target = raw_input(" Enter a Target: ")
self.run(target)
response = raw_input(continuePrompt)
target = raw_input(" Enter a Target: ").split(' ')[0]
test_target = ''
if target[0:4] == 'http':
test_target = target
else:
test_target = 'http://'+target
try:
urllib2.urlopen(test_target)
Same as above: urllib2.urlopen checks that the URL is valid, but a specially crafted input can still be dangerous and lead to arbitrary command injection.

Mik

self.run(target)
response = raw_input(continuePrompt)
except KeyboardInterrupt:
informationGatheringMenu()

def installed(self):
return (os.path.isdir(self.installDir))
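Review bot: the scheme test `target[0:4] == 'http'` is a prefix match, not a scheme check: a host such as `httpd.example.com` (or `HTTP://...`, since the comparison is case-sensitive the other way round) is treated as already having a scheme and goes to urlopen() unchanged, and an empty line at the prompt builds `'http://'`, for which urlopen() raises an uncaught URLError because only KeyboardInterrupt is handled. Use urlparse to read the scheme, or compare against `('http://', 'https://')` with startswith(), and catch urllib2.URLError and ValueError. The same point as in the three earlier hunks applies: urlopen() is a reachability probe, not a sanitizer, so `target` should additionally be checked against an allow-list and passed to subprocess as an argv element rather than formatted into an os.system() string.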
Expand Down Expand Up @@ -1073,7 +1110,6 @@ def bsqlbf():
os.system("perl bsqlbf.pl -url %s" % cbsq)
os.system("rm bsqlbf.pl")


def atscan():
print ("Do You To Install ATSCAN ?")
if yesOrNo():
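An added example (not code from this PR or from fsociety) of what the review comments above ask for, written for Python 3: allow-list validation of the nmap and URL targets that rejects both quoted payloads, test.cominvalid&&ls and http://evil.com?||nslookup, without a DNS lookup or an outbound request, plus handing the target to a child process as one argv element instead of through os.system(). The sample targets are constructed, and the child process is a stand-in for the real scanners rather than their command lines.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample inputs for the "Enter a Target" prompts, incl. both payloads from the comments.
SAMPLE_TARGETS = ["test.com", "10.0.0.0/24", "http://example.org/wp/",
                  "test.cominvalid&&ls", "http://evil.com?||nslookup", "evil.com;id"]

LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")   # one RFC 1123 hostname label
def is_host(value):
    """Allow-list check: a dotted IPv4 address or an RFC 1123 hostname, nothing else."""
    labels = value.lower().split(".")
    if len(labels) == 4 and all(re.fullmatch("[0-9]{1,3}", p) and int(p) <= 255 for p in labels):
        return True
    return len(value) <= 253 and all(LABEL_RE.fullmatch(p) for p in labels)

def validate_nmap_target(raw):
    """nmap prompt: host or host/prefix. Returns the cleaned target or None; no DNS lookup."""
    host, sep, prefix = raw.strip().partition("/")
    if not is_host(host) or (sep and not (re.fullmatch("[0-9]{1,2}", prefix) and int(prefix) <= 32)):
        return None
    return raw.strip()

def validate_url_target(raw):
    """wpscan/CMSmap/doork prompts: http(s)://host[:port][/path]. Any query string or
    fragment is rejected outright, which is what stops '?||nslookup'. Returns URL or None."""
    candidate = raw.strip()
    if not candidate.lower().startswith(("http://", "https://")):
        candidate = "http://" + candidate
    try:
        parts = urlsplit(candidate)
        port_ok = parts.port is None or 1 <= parts.port <= 65535
    except ValueError:                      # non-numeric or out-of-range port
        return None
    if (parts.query or parts.fragment or parts.username or parts.password
            or not port_ok or not parts.hostname or not is_host(parts.hostname)
            or not re.fullmatch(r"[A-Za-z0-9._~/%-]*", parts.path)):
        return None
    return candidate

def argv_roundtrip(target):
    """Hand the target to a child as one argv element with no shell (how the os.system() calls
    should be replaced). The child is a stand-in for nmap/wpscan that prints argv[1] back."""
    proc = subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1])", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")

if __name__ == "__main__":   # verdicts for the constructed sample targets
    print({t: (validate_nmap_target(t), validate_url_target(t)) for t in SAMPLE_TARGETS})
```

argv_roundtrip() returns the payload string unchanged, showing that without a shell the `&&` and `||` are just bytes in one argument rather than operators.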