Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Question

Hello all, I have spent way to long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that.

I have been able to send a post request to the NetworkServlet page using the provided exploit string and I know that the test.jsp is created because I can use the query parameter ?cmd=whoami and I get the mysqldump output showing "nt authority \system".

I cannot get any other query parameters to execute, even simple ls or dir commands. I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab.

Any directions/suggestions/hints would be greatly appreciated!

Thanks in advance.

J

bluesman · Answer

Hello,Unfortunately I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (ex: 'help', 'systeminfo', etc) but I can't seem to hit the right one to read the token.I've even tried via metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.I will keep investigating, I think we are close :).

bluesman · Answer

Hi!I'm right where you are!: managing to execute several commands (not just ‘whoami’) but not the one needed to complete the lab :).I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.Good luck!.[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd

jwhit101 · Answer

Thanks for your suggestions Bluesman​.&nbsp; This did lead me down some alternative paths from what I was trying.&nbsp; I have tried many variations, but the format of "cmd.exe"&amp;arg1="/c"&amp;arg2="type"&amp;arg3="C:	oken.txt" (url encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (this response takes many minutes, whereas cmd?whoami comes back in seconds).Have you had any additional success?

jwhit101 · Answer

Hi Bluesman​ &nbsp;I've enumerated the commands that I believe are available in system32 thinking that maybe there was another that would be used to access file contents, but I don't think so...either a 500 error when they don't exist, a proper response, or response hangs, indicating to me that they are waiting for additional arguments.I have been in touch with support and they provided a parameter query, but it does not work, the entire cmd being passed just keeps being interpreted as the file to find, not a file with arguments.&nbsp; I will keep you posted on my progress.&nbsp;

netcat · Answer

I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.Looking at the test.jsp source code, does it accept any arguments at all? I've seen in this thread arg1, arg2, arg3, but they had no effect. But does your test.jsp accept arguments?

Forum Discussion

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

9 Replies

Featured Places

Help & Support Forum

Related Content

Web App Hacking (Lab series): CVE-2022-42889 (Text4Shell) – Offensive

Re: APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?

Historic Steganography Lab

Re: What is a "Demonstrate" Lab and how does it differ from other types of lab?

What is the Human Connection Challenge?

Recent Discussions

Radare2 Reverse Engineering: Ep.2 – Windows Binary Part 2

ICS Malware: Triton - unpack trilog.exe

Privilege Escalation: Windows – Automated Enumeration

Web App Hacking (Lab series): CVE-2022-42889 (Text4Shell) – Offensive

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs