Published: 07/03/2020 Updated: 12/03/2020

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 761

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

An issue exists in rConfig up to and including 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Vulnerable Product	Search on Vulmon	Subscribe to Product
rconfig rconfig

## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Rconf ...

# Exploit Title: rConfig 39 - 'searchColumn' SQL Injection # Exploit Author: vikingfr # Date: 2020-03-03 # CVE-2020-10220 # Exploit link : githubcom/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220py # Vendor Homepage: rconfigcom/ (see also : githubcom/rconfig/rconfig) # Software Link : wwwrconfigc ...

rConfig version 39 suffers from a remote SQL injection vulnerability ...

This Metasploit module takes advantage of a command injection vulnerability in the path parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload Valid credentials for a user with administrative privileges are required However, this module can bypass authentication via SQL injection ...

rConfig version 394 searchField unauthenticated remote root code execution exploit ...

The following URL adds a user "apple" with password "apple" to the rConfig service. After running this, you can then login with the credentials apple:admin

rConfig-394-SQL-injection-for-creating-admin CVE-2020-10220 The following URL adds a user "apple" with password "apple" to the rConfig service After running this, you can then login with the credentials apple:admin 1921689557:8081/commandsincphp?searchOption=contains&searchField=vuln&search=search&searchColumn=command

Exploit codes for rconfig <= 3.9.4

exploits Three exploits for rconfig <= 394 : CVE-2019-19509 : authenticated RCE CVE-2019-19585 : Local Privilege Escalation (root) CVE-2020-10220 : unauthenticated SQLi rconfig_root_RCE_unauthpy : chaining the three CVEs above to get root reverse shell without authentication rconfig_ajaxarchivefiles_rcerb : Rconfig 3x - Chained Remote

CWE-89 https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html https://nvd.nist.gov https://github.com/mauricerizat/rConfig-3.9.4-SQL-injection-for-creating-admin-user https://www.exploit-db.com/exploits/48223

CVE-2020-10220

Vulnerability Summary

Vulnerability Trend

Exploits

Github Repositories

References

Vulmon Search

About

Products

Connect