关联漏洞
标题:
ISPConfig 安全漏洞
(CVE-2023-46818)
描述:ISPConfig是一套基于Linux的开源主机控制面板,它可通过Web控制面板管理多台服务器、开设网站、监控服务器运行状况等。 ISPConfig 3.2.11p1 之前版本存在安全漏洞,该漏洞源于如果启用了 admin_allow_langedit,管理员可以在语言文件编辑器中实现 PHP 代码注入。
描述
CVE-2023-46818 IPSConfig Python exploit
介绍
# CVE-2023-46818 exploit
This is a python version of the original php script for the vulnerability affecting ispconfig 3.2.11 and previous versions.
Original PHP source: https://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.html
This proof-of-concept is intended for educational purposes only.
## Usage
```
python exploit.py http://10.10.10.10/ adminuser passwd
```
## Vulnerability description
User input passed through the "records" POST parameter to
/admin/language_edit.php is not properly sanitized before being used
to dynamically generate PHP code that will be executed by the
application. This can be exploited by malicious administrator users to
inject and execute arbitrary PHP code on the web server.
## Credits
Credits to Egidio Romano.
文件快照
[4.0K] /data/pocs/104d4c48a504b088bedf97bfeea2d99f9c647da2
├── [4.0K] exploit.py
└── [ 784] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。