CVE-2020-10549
Published 2020-06-04
Priority: P277 · Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit available · EPSS 36.16% (98.3rd percentile)
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | <= 3.9.4 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/snippets.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL+--+&searchColumn=snippetName&searchOption=contains
bytes: 0x223e3c42523e5b70726f6a6563742d646973636f766572795d
- Detect unauthenticated GET requests to /snippets.inc.php with SQL UNION injection patterns in the 'searchField' parameter (e.g., UNION SELECT with NULL padding and the comment terminator --).
- The exploit requires no authentication (unauthenticated SQL injection); alert on any external/unauthenticated access to snippets.inc.php with query parameters 'search=True' and 'searchField' containing SQL keywords.
- Use Shodan/FOFA/Google dorks to identify exposed rConfig instances: Shodan 'http.title:"rconfig"', FOFA 'title="rconfig"', Google 'intitle:"rconfig"'.
- Successful exploitation returns HTTP 200 with the canary string '[project-discovery]' in the response body, injected via the hex-encoded concat payload.
- Post-exploitation lateral movement risk: rConfig stores monitored network device passwords in cleartext by default; a successful SQL dump may yield credentials for all managed devices.
- Cleartext password storage is a default rConfig configuration that amplifies the impact of this SQLi; defenders should verify whether their rConfig deployment stores node passwords in cleartext.
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei
CVE-2020-10549 [CRITICAL] rConfig <=3.9.4 - SQL Injection (nuclei · CVSS 9.8)
rConfig 3.9.4 or apply the provided patch to mitigate the SQL Injection vulnerability.
```yaml
reference:
  - https://github.com/theguly/exploits/blob/master/CVE-2020-10549.py
  - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
  - https://nvd.nist.gov/vuln/detail/CVE-2020-10549
  - https://github.com/ARPSyndicate/kenzer-templates
  - https://github.com/Elsfa7-110/kenzer-templates
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2020-10549
  cwe-id: CWE-89
  epss-score: 0.92992
  epss-percentile: 0.9978
  cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
metadata:
  max-request: 1
  vendor: rconfig
  product: rconfig
  shodan-query: http.title:"rconfig"
  fofa-query: title="rconfig"
  google-query: intitle:"rconfig"
tags: cve,cve2020,rconfig,sqli,vuln
```
No writeups or analysis indexed.