Stocky POS Authenticated RCE via .env Injection

Vulnerability Summary: Stocky POS Authenticated Remote Code Execution Vulnerability Vulnerability Overview Vulnerable Files Vulnerability Principles 1. Arbitrary Environment Variable Injection (Insufficient Input Validation) The backend API responsible for updating system configurations (such as Twilio SMS settings) fails to adequately filter user input, directly writing input to the root directory configuration file Authenticated attackers can insert newline characters ( ) in the JSON Payload to bypass existing variable definitions and inject arbitrary attacker-controlled environment variables 2. Configuration Overwriting (.env Parsing Behavior) The Laravel framework parses files from top to bottom If a variable is defined multiple times, subsequent definitions override previous ones By injecting settings that typically appear at the bottom of files (such as ), attackers can overwrite critical system variables defined earlier, such as (which determines the execution path of the utility) 3. Remote Code Execution (RCE) Impact When an administrator triggers the "Generate Backup" function, the application reads the tampered variable and directly concatenates it into system commands executed by the PHP function without proper escaping Attackers can execute arbitrary operating system commands with web server privileges (such as Apache/Nginx), leading to complete system compromise, data exfiltration, and unauthorized access Impact Scope Attack Vector: Requires administrator authentication Severity Level: High (can lead to complete system control after authentication) Affected Functions: Twilio configuration updates, database backup generation Remediation Solutions No official fix was provided on the page; recommendations include: 1. Input Filtering: Strictly filter all input written to files, prohibiting special characters such as newlines 2. Parameterized Configuration: Avoid directly writing user input to configuration files; use secure configuration storage mechanisms 3. Command Execution Protection: Implement whitelist validation and escaping for parameters used in dangerous functions such as 4. Access Control: Restrict write permissions for files; separate configuration update permissions from system command execution permissions POC Code (Exploitation Code) Step 1: Prepare and Inject Malicious Payload After authenticating as administrator, send a POST request to the Twilio configuration update endpoint: The payload redefines through newline characters ( ), injects malicious commands (such as using for out-of-band data exfiltration), and uses comments to absorb subsequent hardcoded parameters: Effect on file after injection: Step 2: Trigger Payload (RCE) Send GET request to the database backup generation endpoint: This operation forces the backend to call the function using the tampered to execute commands. Step 3: Verify Successful Exploitation Check the attacker-controlled server (such as Webhook.site) to confirm receiving HTTP requests from the target server Or check the target server's active processes/endpoint protection logs (such as Windows Defender) to confirm successful command line execution and parameter hijacking

Goal Reached Thanks to every supporter — we hit 100%!

Stocky POS Authenticated RCE via .env Injection

More from this source