Command injection in searchsploit exact mode

Searchsploit version: 4.1.3 (2020-06-22)
Project git page: https://github.com/offensive-security/exploitdb

Analysis

  1. Keywords of user will be crafted as search command at line 507
  ## If we are NOT to use the path name ("-t"/"-e")
  [[ "${FILEPATH}" -eq 0 ]] \
    && SEARCH="${SEARCH} | awk -F '[,]' '${CASE_TAG_FGREP}(\$3) ~ /${AWK_SEARCH}/ {print}'"

Screenshot at 2020-11-11 22-57-01
The full string of command is $SEARCH variable.
2. After being fully crafted, the command is executed by eval at line 601

  OUTPUT="$(
    ( \
      eval ${SEARCH}; \
      awk "/^(${ID}),/ {print}" "${path_in}/${file_in}" \
    ) \
    | sed 's/\"//g;   s_\\_\\\\_g' \
    | sort -u
  )"

Debug

  1. I added a “Breakpoint” to show full search command
  2. Show the crafted command
  3. The whole user’s input isn’t filtered so we can escape the awk search and inject malicious payloads
    Screenshot at 2020-11-11 23-06-12
    Close awk parameters part
    Screenshot at 2020-11-11 23-08-11

Exploit

  1. Crafted payload "foo' | echo * ;" shows all files and folders inside pwd (similar dir command)
  2. Create reverse shell connection

    Screenshot at 2020-11-11 13-15-10
  3. On Kali machine, if current user is added to kali-trust group, searchsploit is granted sudo with no password asking so attacker can have root’s reverse shell.
3 Likes

damn thats 1337

1 Like

only 1 think: “it is a bash script. Who cares” lul

1 Like

dyamn
hamckerman

1 Like