trojan icon indicating copy to clipboard operation
trojan copied to clipboard
verified publisher icon Jrohy

vulnerability:No authentication RCE

Open Tritium0041 opened this issue 7 months ago • 1 comments

https://github.com/Tritium0041/Jrohy-trojan-RCE-POC

There is a critical command injection (Remote Code Execution, RCE) vulnerability in the /trojan/log endpoint of the jrohy-trojan web interface. The issue arises because user input from the line query parameter is concatenated directly into a shell command without proper sanitization. As a result, remote attackers can inject arbitrary shell commands, leading to full command execution on the server with the privileges of the web service. This allows attackers to compromise the server, steal sensitive data, or further escalate their attack. No authentication is required for exploitation due to CVE-2024-55215, making the vulnerability even more dangerous.

Tritium0041 avatar May 29 '25 08:05 Tritium0041

😓,密码老被改,流量老是用超,原来大漏洞啊,汗,刚重装了系统,把代码里的web管理移除了,自己编译替换了。

chekun avatar Jun 18 '25 03:06 chekun