liangliangyy DjangoBlog Command Injection Vulnerability in WeChat Bot Interface

Vulnerability

A command injection vulnerability has been identified in liangliangyy DjangoBlog versions through 2.1.0.0. The issue arises in the WeChat Bot Interface, specifically in the CommandHandler function of servermanager/api/commonapi.py. The value of the Source argument is passed to an operating system command execution function without sanitization, so shell metacharacters in that value are interpreted as additional commands and a remote attacker can execute arbitrary commands on the host. Two further weaknesses make this reachable in practice: the /robot endpoint is publicly accessible, and the bot's admin password is hardcoded, while the session-based lockout that is meant to throttle password guesses can be bypassed, so the password offers little protection.

Impact

Exploitation of this vulnerability leads to remote code execution on the server; injected commands run with the privileges of the application process, that is, the account under which DjangoBlog is served. Because the only barrier is the hardcoded bot password behind a bypassable lockout, an attacker who can reach the /robot endpoint can effectively take control of the host to the full extent that account allows.

Reproduction

To reproduce this vulnerability, first authenticate with the WeChat bot using the hardcoded admin password (the application checks the supplied value as a double-MD5 hash). Once authenticated, send a message to the bot's /robot endpoint whose Source argument carries a shell command appended to the expected value. The injected command is executed on the server, and its output, or its side effect, can be observed in the bot's response to confirm successful exploitation.
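The following Python example is added here to illustrate the two weaknesses the advisory describes; it is not code from DjangoBlog and does not reproduce the real CommandHandler. Part 1 shows the injection pattern (user input concatenated into a shell command) next to two hardened forms: an allowlist that maps a user-chosen command name to a fixed argv vector, and passing the user value as a single argv element with no shell. Part 2 shows why a lockout counter kept only in the client's session does not protect a hardcoded double-MD5 password: a client that drops its session cookie starts with a fresh counter. The command names, the lockout threshold, where the counter is stored, the password value, and the use of echo as the wrapped binary are all assumptions made for the example; the sample Source values are constructed, not captured from a real exchange.

```python
import hashlib
import subprocess
from typing import Optional

# --- Part 1: the injection pattern ------------------------------------------
# Constructed sample values for the bot's "Source" argument (not captured from
# DjangoBlog): one benign command name and one carrying a shell metacharacter.
BENIGN_SOURCE = "status"
INJECTED_SOURCE = "status; echo INJECTED"


def run_command_vulnerable(source: str) -> str:
    """Vulnerable pattern (hypothetical stand-in for the CommandHandler bug):
    untrusted input is spliced into a command string and handed to a shell.
    `echo` is only a harmless stand-in for whatever binary a real handler
    wraps; the bug is the concatenation plus shell=True, not the binary."""
    cmd = "echo " + source
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened form, variant A: the user picks a command *name*; the server maps
# it to a fixed argv vector. Names and vectors are assumed for the example.
ALLOWED_COMMANDS = {
    "status": ["echo", "status: ok"],
    "uptime": ["echo", "uptime: 0d"],
}


class CommandRejected(ValueError):
    """Raised when the requested command is not on the allowlist."""


def run_command_allowlisted(source: str) -> str:
    argv = ALLOWED_COMMANDS.get(source.strip())
    if argv is None:
        raise CommandRejected(f"unknown command {source!r}")
    # shell=False: argv goes straight to the exec call; no shell parses it.
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def run_command_argv(source: str) -> str:
    """Hardened form, variant B: when the user value really must be passed as
    data, pass it as one argv element. Metacharacters stay literal text."""
    return subprocess.run(["echo", source], shell=False,
                          capture_output=True, text=True).stdout


# --- Part 2: why a session-scoped lockout does not protect a hardcoded password
# The advisory says the admin password is hardcoded as a double-MD5 hash and
# the lockout is session-based. The threshold, keeping the failure counter in
# the session, and the password value below are assumptions for this example.
MAX_FAILURES = 3


def double_md5(value: str) -> str:
    return hashlib.md5(hashlib.md5(value.encode()).hexdigest().encode()).hexdigest()


ADMIN_PASSWORD_HASH = double_md5("example-admin-password")  # constructed, not the real value


def check_login(attempt: str, session: dict) -> bool:
    """Hypothetical lockout: the failure counter lives in the caller's own
    session. A client that discards its session cookie arrives with an empty
    session and therefore a fresh budget of guesses."""
    if session.get("failed", 0) >= MAX_FAILURES:
        return False
    if double_md5(attempt) == ADMIN_PASSWORD_HASH:
        session["failed"] = 0
        return True
    session["failed"] = session.get("failed", 0) + 1
    return False


def guess_with_fresh_sessions(candidates) -> Optional[str]:
    """Models an attacker who starts a new session for every guess: the
    lockout never triggers, however many candidates are tried."""
    for candidate in candidates:
        if check_login(candidate, {}):
            return candidate
    return None


def guess_with_one_session(candidates) -> Optional[str]:
    """Same candidates through one persistent session: the counter reaches
    MAX_FAILURES and later guesses, the correct one included, are refused."""
    session: dict = {}
    for candidate in candidates:
        if check_login(candidate, session):
            return candidate
    return None


if __name__ == "__main__":
    print(repr(run_command_vulnerable(INJECTED_SOURCE)))  # two lines: the injected echo ran
    print(repr(run_command_argv(INJECTED_SOURCE)))        # one line: payload echoed literally
    print(guess_with_fresh_sessions(["a", "b", "c", "example-admin-password"]))
    print(guess_with_one_session(["a", "b", "c", "example-admin-password"]))
```

The allowlist variant is the fix that matches a bot whose commands are a small fixed set: the client never supplies anything that reaches the operating system. The argv variant is the fallback when a user value genuinely has to be an argument. A lockout that actually throttles guessing against a fixed password has to key its counter on something the attacker cannot reset for free, such as the source address or the target account, rather than on the attacker's own session.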

Added: Apr 19, 2026, 7:18 PM
Updated: Apr 19, 2026, 7:18 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact         10.0
exploitability  8.0
remediation     0.0
relevance       6.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.