Add RaspAP Unauthenticated Command Injection (CVE-2022-39986) Exploit #18263
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
Thanks for the great module @EgeBalci, just a couple minor suggestions.
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
I haven't looked at the configuration of RaspAP, but if the user under which it's running has blanket
That is not the case for my Ubuntu php7 setup.
Thanks @EgeBalci, the module looks great. I just pushed a quick change to update the documentation file to reflect that the default payload for the Unix Command target now returns a meterpreter session. I'll merge this once the CI tests finish running.
Release Notes
This PR adds an unauthenticated command injection module for the RaspAP webgui application.
Hello 👋
This module exploits the unauthenticated command injection vulnerability (CVE-2023-38096) in the raspap-webgui project. The vulnerability exists in RaspAP versions 2.8.0 thru 2.8.7. It allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php.
Testing Environment Setup
For installing the vulnerable version follow the steps below,
/var/www/html directory
git checkout 2.8.0 for switching to the vulnerable version
Note: Project can also be installed inside ubuntu/debian docker containers
Verification
List the steps needed to make sure this thing works
use exploit/unix/http/raspap_rce
set RHOST [IP]
set RPORT [PORT]
check
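For defenders running an affected RaspAP version, the following is an added example (not part of this PR, the module, or RaspAP) that audits request logs for suspicious calls to the endpoint named in the description. The JSON-lines log format, the numeric-only rule for cfg_id, and the PHPSESSID cookie name are assumptions made for illustration; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ajax/openvpn/activate_ovpncfg.php"  # path named in the PR description
SAFE_CFG_ID = re.compile(r"[0-9]{1,10}")         # assumption: legitimate ids are short integers
SESSION_COOKIE = "PHPSESSID"                     # assumption: PHP's default session cookie name

# Constructed sample records (JSON lines from a proxy that logs form bodies), not captured traffic.
SAMPLE_LOG = """\
{"src": "192.0.2.10", "method": "POST", "url": "/ajax/openvpn/activate_ovpncfg.php", "cookie": "PHPSESSID=abc", "body": "cfg_id=3"}
{"src": "198.51.100.7", "method": "POST", "url": "/ajax/openvpn/activate_ovpncfg.php", "cookie": "", "body": "cfg_id=3%3Becho+constructed-sample"}
{"src": "198.51.100.7", "method": "GET", "url": "/index.php?page=wlan0_info", "cookie": "", "body": ""}
{"src": "203.0.113.5", "method": "POST", "url": "/ajax/openvpn/activate_ovpncfg.php", "cookie": "", "body": "cfg_id=12"}
"""


def audit(log_text):
    """Return one finding per request to ENDPOINT that looks suspicious."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        url = urlsplit(rec["url"])
        if url.path != ENDPOINT:
            continue
        # cfg_id may arrive in the query string or the form body; check both.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in parse_qs(rec.get("body", ""), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
        reasons = []
        # The flaw is reachable without login, so a call with no session is worth a look.
        if SESSION_COOKIE + "=" not in rec.get("cookie", ""):
            reasons.append("no-session-cookie")
        # Allowlist check: anything other than digits in cfg_id is flagged.
        if any(not SAFE_CFG_ID.fullmatch(v) for v in params.get("cfg_id", [])):
            reasons.append("cfg_id-not-numeric")
        if reasons:
            findings.append({"line": lineno, "src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The same allowlist applied server-side, before cfg_id reaches any shell command, is the corresponding mitigation on installs that cannot be upgraded immediately.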