KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
Klog Server 2.4.1 - Command Injection (Authenticated)
I have detected a authenticated command injection vulnerability in the Klog Server <=2.4.1 . async.php file includes that source parameter is executed via shell_exec() function without input validation.
As you can see above image, if action parameter is set as stream , command injection could be possible due to source parameter is executed by shell_exec() function through command variable.
To validate this vulnerability , sleep command is used. For ;sleep+5; command , the server stays 5 seconds or so.
When ;whoami; command is executed , the output indicates privileges as apache user . However , apache user is a member of sudo group so that we can execute commad with root privileges.
from argparse import ArgumentParser, Namespace
dsc ="Klog Server 2.4.1 - Command Injection (Authenticated)"