CVE-2020-10220
published 2020-03-07

CVE-2020-10220: An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Priority: P181 critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 99.68% (99.9th percentile)

Affected

1 range
Vendor: rconfig · Product: rconfig · Version range: <= 3.9.4 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /commands.inc.php
path: /lib/ajaxHandlers/ajaxArchiveFiles.php
path: /lib/crud/userprocess.php
url: /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command
url (Nuclei template): {{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--
command: INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (...);--
command: DELETE FROM `users` WHERE `username`='...';--
other: shodan: title:"rConfig"
other: fofa: title="rconfig"
bytes: 0x223E3C42523E5B50574E5D
bytes: 0x5B50574E5D3C42523E
  • Detect SQLi exploitation attempts against rConfig by monitoring GET requests to /commands.inc.php containing 'searchColumn' parameter values with SQL keywords such as UNION, INSERT, DELETE, or comment sequences (--, ;)
  • Alert on GET requests to /lib/ajaxHandlers/ajaxArchiveFiles.php where the 'path' parameter contains backtick characters (`) or shell metacharacters, indicating command injection chained after SQLi auth bypass
  • Detect the SQLi canary marker strings [PWN] (hex 0x5B50574E5D) in HTTP responses from rConfig, which are injected by the exploit to exfiltrate data
  • Monitor for POST requests to /lib/crud/userprocess.php immediately following anomalous GET requests to /commands.inc.php, indicating the two-step SQLi-then-authenticate exploit chain
  • Look for the MD5 hash 21232f297a57a5a743894a0e4a801fc3 (hash of 'admin') appearing in SQL INSERT payloads within the searchColumn parameter of /commands.inc.php requests
  • Detect use of 'sudo zip' with the -T/-TT flags and a shell command as the test program in process execution logs, which is the privilege escalation technique chained with this CVE
  • The Nuclei detection template matches rConfig SQLi by checking HTTP 200 responses from /commands.inc.php containing the MD5 of a known numeric canary value injected via UNION SELECT CONCAT with hex markers
  • The Metasploit module requires HTTPS (SSL=true) to function correctly because rConfig's PHP code handles HTTP-to-HTTPS redirects; HTTP-only deployments may not be exploitable via this module
  • Root privilege escalation (CVE-2019-19585) is only possible if the rConfig install script was used, as it adds the Apache user to sudoers with NOPASSWD; manually installed instances may not be vulnerable to privilege escalation
  • The SQLi vulnerability in /commands.inc.php is unauthenticated — no valid credentials are required to trigger the initial injection and add an admin user
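Added example (not from this page's sources or the rConfig project): a small Python detector that applies the first, second and fourth notes above to constructed access-log lines, flagging 'searchColumn' values carrying SQL keywords, shell metacharacters in the ajaxArchiveFiles.php 'path' parameter, and a POST to userprocess.php from a client that already triggered the SQLi rule. The log lines, regexes and rule names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Patterns derived from the detection notes above; constructed, not a vendor rule.
SQLI_TOKENS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b|--|;", re.IGNORECASE)
SHELL_META = re.compile(r"[`$|&;]")
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample access-log lines (CLF style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2020:10:00:01 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command HTTP/1.1" 200 5120
10.0.0.9 - - [07/Mar/2020:10:00:02 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 5300
10.0.0.9 - - [07/Mar/2020:10:00:03 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 0
10.0.0.9 - - [07/Mar/2020:10:00:04 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=a%60b HTTP/1.1" 200 80
"""

def classify(line):
    """Return the list of rule names a single access-log line triggers."""
    m = REQUEST_LINE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx once
    hits = []
    if url.path.endswith("/commands.inc.php"):
        for value in params.get("searchColumn", []):
            if SQLI_TOKENS.search(unquote(value)):  # second unquote: double-encoded evasion
                hits.append("rconfig_sqli_searchColumn")
    if url.path.endswith("/lib/ajaxHandlers/ajaxArchiveFiles.php"):
        for value in params.get("path", []):
            if SHELL_META.search(unquote(value)):
                hits.append("rconfig_cmdi_path")
    if m.group("method") == "POST" and url.path.endswith("/lib/crud/userprocess.php"):
        hits.append("rconfig_login_post")
    return hits

def detect_chain(log_text):
    """Per-IP rule hits, plus IPs whose userprocess.php POST followed an SQLi hit."""
    per_ip, chains = {}, set()
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        hits = classify(line)
        seen = per_ip.setdefault(m.group("ip"), [])
        if "rconfig_login_post" in hits and "rconfig_sqli_searchColumn" in seen:
            chains.add(m.group("ip"))
        seen.extend(hits)
    return per_ip, sorted(chains)
```

Run against a real rConfig access log, the benign first line shows that a plain 'searchColumn=command' query does not alert; only the keyword-bearing value and the subsequent login POST from the same client do.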

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P