CVE-2023-38943: [Warning]Config Command Execute in ShuiZe_0x727 v1.0 · Issue #160 · 0x727/ShuiZe_0x727
ShuiZe_0x727 v1.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /iniFile/config.ini.
Vulnerability Product: ShuiZe_0x727 v1.0
Vulnerability version: v1.0
Vulnerability type: Config Command Execute
Vulnerability Details:
Vulnerability location: ShuiZe_0x727/ShuiZe.py -> func: get_GitSensitiveInfo, and ShuiZe_0x727/Plugins/infoGather/Intranet/scanPort/scanPort.py -> var: _web_ports
Users are guided to edit the config file /ShuiZe_0x727/iniFile/config.ini. Values read from this untrusted file are passed to eval() without any validation in ShuiZe_0x727/ShuiZe.py -> func: get_GitSensitiveInfo and in ShuiZe_0x727/Plugins/infoGather/Intranet/scanPort/scanPort.py -> var: _web_ports, which results in command execution.
payload: 'connect' if __import__('os').system('echo 触发成功') else 'connect'
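As an added illustration (not code from the ShuiZe project), the following shows the pattern the report describes, a list-valued config.ini entry handed to eval(), next to a hardened loader that accepts only plain literals and checks their type. The section names, keys and config contents are constructed for the example.

```python
import ast
import configparser

# Constructed config mirroring the two entries named in the report:
# a keyword list and a port list. The third keyword is an expression,
# not a string literal, of the shape the report describes.
SAMPLE_INI = """
[github]
github_keywords = ['password', 'secret', 'x' if __import__('os').system('echo demo') else 'x']

[scan]
web_ports = [80, 443, 8080]
"""

# Hypothetical schema: (section, key, required element type).
SCHEMA = (("github", "github_keywords", str), ("scan", "web_ports", int))


def load_list_unsafe(raw: str) -> list:
    # The pattern the report describes: eval() on an untrusted config value.
    # Any expression embedded in the value runs with the tool's privileges.
    return eval(raw)  # intentionally unsafe, shown for contrast only


def load_list_safe(raw: str, item_type: type) -> list:
    """Parse a list literal from a config value without executing code.

    ast.literal_eval accepts only Python literals (strings, numbers, lists,
    ...). A conditional expression or a function call is not a literal and
    raises ValueError, so the payload above is rejected instead of executed.
    """
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"config value is not a plain literal: {raw!r}") from exc
    if not isinstance(value, list) or not all(isinstance(i, item_type) for i in value):
        raise ValueError(f"expected a list of {item_type.__name__}: {raw!r}")
    return value


def load_config(text: str):
    """Return (accepted, rejected): parsed lists per key, and reasons per key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    accepted, rejected = {}, {}
    for section, key, item_type in SCHEMA:
        try:
            accepted[key] = load_list_safe(cp.get(section, key), item_type)
        except ValueError as exc:
            rejected[key] = str(exc)
    return accepted, rejected
```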
Proof of Concept:
Users need to set /ShuiZe_0x727/iniFile/config.ini -> var: GITHUB_TOKEN to trigger this vulnerability (or they download an entire untrusted /ShuiZe_0x727/iniFile/config.ini that already contains a github_token and the payload).
First, append the payload to the list /ShuiZe_0x727/iniFile/config.ini -> var: github_keywords.
Second, run ShuiZe.
example: python3 ShuiZe.py -d steam.com
Third, observe that the command echo 触发成功 was executed successfully.
This proves the Config Command Execute vulnerability.
discovered by leeya_bug