BYOB Command Injection Vulnerability Allowing Arbitrary Command Execution on the Server

Vulnerability

A command injection vulnerability has been identified in the payload build page of BYOB (Build Your Own Botnet) version 2.0. This issue allows attackers to execute arbitrary commands on the server by sending crafted build parameters. The vulnerability is located in the core generator file, specifically 'core/generators.py'.

Impact

Exploitation of this vulnerability allows for unauthenticated remote command execution on the server where BYOB is hosted.

Reproduction

To reproduce this vulnerability, first register a new admin user by sending a POST request to the 'api/file/add' endpoint with a crafted SQLite database that includes the admin user credentials. After successfully registering the user, log in with the new admin account. Once logged in, navigate to the payload generation page and send a POST request to the 'api/payload/generate' endpoint. Include a command injection payload in the 'operating_system' parameter, which will be executed on the server.
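On the defensive side, the fix for this class of bug is to validate the build parameter against an allowlist and never hand it to a shell, and the same allowlist doubles as a detection rule over request logs for the generator endpoint. The snippet below is an added example, not BYOB's own code: the accepted values, the build command, and the log format are constructed assumptions.

```python
import re
import urllib.parse
from typing import Iterable, Optional

# Constructed allowlist: the page does not list BYOB's accepted values,
# so these names are assumptions used for illustration only.
ALLOWED_OPERATING_SYSTEMS = frozenset({"linux", "windows", "darwin"})

# Characters with special meaning to a shell; none belong in a build parameter.
_SHELL_META = re.compile(r"""[;&|`$<>(){}\n\r\\'"]""")


def canonical_operating_system(value: str) -> Optional[str]:
    """Normalise the parameter; return None for anything outside the allowlist."""
    canonical = value.strip().lower()
    return canonical if canonical in ALLOWED_OPERATING_SYSTEMS else None


def build_payload_command(operating_system: str, output_path: str) -> list[str]:
    """Argument list for a hypothetical build step: handed to
    subprocess.run(..., shell=False), so no shell ever parses the parameter."""
    os_name = canonical_operating_system(operating_system)
    if os_name is None:
        raise ValueError(f"operating_system not permitted: {operating_system!r}")
    return ["python3", "client_builder.py", "--os", os_name, "--out", output_path]


def flag_suspicious_requests(log_lines: Iterable[str]) -> list[str]:
    """Detection: return payload-generator request lines whose operating_system
    value carries shell metacharacters or is not on the allowlist."""
    hits = []
    for line in log_lines:
        if "api/payload/generate" not in line:
            continue
        match = re.search(r"operating_system=([^&\s]*)", line)
        if match is None:
            continue
        value = urllib.parse.unquote_plus(match.group(1))
        if _SHELL_META.search(value) or canonical_operating_system(value) is None:
            hits.append(line)
    return hits


# Constructed request-log lines (not real BYOB output) for exercising the detector.
SAMPLE_LOG_LINES = [
    "2026-05-08T06:27:00Z POST /api/payload/generate user=admin operating_system=linux",
    "2026-05-08T06:27:05Z POST /api/payload/generate user=admin operating_system=linux%7Cinjected",
    "2026-05-08T06:27:09Z POST /api/file/add user=admin name=notes.db",
]
```

The detector only sees parameters that are written to the request log, so the generator endpoint must log its POST body fields (or the application must log the rejected value itself) for the rule to fire.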

Added: May 8, 2026, 6:27 AM
Updated: May 8, 2026, 6:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 7.8
threat: 7.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.