Forum Discussion

JWhit101
5 months ago
Solved

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Hello all, I have spent way too long trying to complete the iView2 exploit.  I was expecting a text box on the page for command entry, but I cannot get anything like that.

I have been able to send a post request to the NetworkServlet page using the provided exploit string and I know that the test.jsp is created because I can use the query parameter ?cmd=whoami and I get the mysqldump output showing "nt authority \system". 

I cannot get any other query parameters to execute, even simple ls or dir commands.  I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab.

Any directions/suggestions/hints would be greatly appreciated!

Thanks in advance.

J

  • Bluesman, I have been able to get this working with the help of support.  Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even any additional articles/examples I found from y4er or others do not seem to include this.)

    The key is that the exploit payload must include the split command to extract the arguments that are comma separated. So {99,109,100})).split(\",\")).start().  This explains why a command like whoami, or some others that don't require arguments work fine, and why the error that we continued to get indicating "cmd,/c,xxxxxx" command not found seemed to be interpreted as the single name of a command.

    Once you include this split in the payload, I think you will have luck with just comma separating the arguments discussed earlier.  !!Don't forget to URL encode that space in type C:\token.txt!!

    I hope that sheds a little light and helps you through this one!

    J

19 Replies

  • Hi!

    I'm right where you are: managing to execute several commands (not just ‘whoami’) but not the one needed to complete the lab :).

    I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.

    Good luck!

    [0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
    [1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd

    • JWhit101

      Thanks for your suggestions Bluesman.  This did lead me down some alternative paths from what I was trying.  I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (URL encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (This response takes many minutes, whereas cmd?whoami comes back in seconds.)

      Have you had any additional success?

      • Bluesman

        Hello,

        Unfortunately I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (ex: 'help', 'systeminfo', etc) but I can't seem to hit the right one to read the token.

        I've even tried via Metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.

        I will keep investigating, I think we are close :).

  • JWhit101

    Hello,

    Thanks for the advice!

    I hope I'll have time next week to get back to that lab and finish it :).

    Have a great weekend.

    Best regards,

  • GusC

    I'm confused by this one. 

    Should most things be done by command line/curl? 

    Should I be looking at IP:8080/webapps/iview3/test.jsp to see results from curl commands? 

    • I'm not even getting the results of whoami when I try that. I thought I'd get to that point before messing with the fiddly split commands.

    • JWhit101

      Hi GusC,

      Apologies if I am misunderstanding the question, or stating things you already know...

      Test.jsp is the file you write to the file system using the vulnerable method (I used Burp Suite to intercept/modify/repeat the POST request).  I was receiving a "database backup failed error 2" message, but the exploit had still worked and test.jsp was created.

      I was more comfortable with using the browser over curl, so if you use the exact string in the briefing to create test.jsp, then the search parameter "?cmd=whoami" should return you a proper response.  Any system command that accepts no parameters should give you some output (ex: attrib, fsutil, or help). 

      The problem is that you want to use cmd.exe (not to be confused with "?cmd=") and pass it a set of parameters.  This is why the split needs to be added when creating the test.jsp.  See the marked solution for the details about the split and how to format your query parameter.

      Hope that helps.

      J
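The marked solution and the reply above both come down to the same observation: the dropped test.jsp hands its `cmd` parameter to Java's ProcessBuilder, and only after `.split(",")` do `cmd.exe,/c,...` become separate arguments instead of one literal program name. From a defender's side, the same two-stage pattern (a POST to NetworkServlet, then GETs to a `.jsp` with a comma-separated `cmd` parameter) is what stands out in an access log. The script below is an added example, not code from the lab, the thread, or the iView2 product: it parses constructed access-log lines (the sample entries are made up, and the assumption that the server logs the request line with its query string, as Tomcat's access log does by default, is mine), tags each stage, and correlates them per source IP.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log shape, query string included).
# These are made up for this example; they are not output from a real iView2 host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /webapps/iview3/NetworkServlet HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /webapps/iview3/test.jsp?cmd=whoami HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:40 +0000] "GET /webapps/iview3/test.jsp?cmd=cmd.exe,/c,type%20C:%5Ctoken.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /webapps/iview3/index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Interpreters that, as the first comma-separated token, show the dropped JSP is
# being asked to spawn a shell with arguments rather than a single argument-less
# binary such as whoami (the case the thread notes works even without the split).
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)  # parse_qs percent-decodes the values
    return rec


def classify(rec):
    """Return alert tags for one parsed request; an empty list means nothing suspicious."""
    tags = []
    path = rec["path"].lower()
    # Stage 1, the write primitive: the thread's exploit drops test.jsp via a POST to NetworkServlet.
    if rec["method"] == "POST" and path.endswith("/networkservlet"):
        tags.append("networkservlet_post")
    # Stage 2, execution: a .jsp taking a cmd parameter, as in test.jsp?cmd=...
    if path.endswith(".jsp") and "cmd" in rec["query"]:
        tags.append("jsp_cmd_param")
        argv = rec["query"]["cmd"][0].split(",")  # mirrors the split(",") in the payload
        if len(argv) > 1 and argv[0].lower() in SHELLS:
            tags.append("shell_with_args")
    return tags


def scan(log_text):
    """Return (ip, path, tags) for every line that produced at least one tag."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append((rec["ip"], rec["path"], tags))
    return alerts


def correlate(alerts):
    """Return the source IPs that hit NetworkServlet and later called a cmd-bearing JSP.

    Alerts are assumed to be in log order, so a first-seen check per IP is enough.
    """
    seen_write = set()
    suspects = set()
    for ip, _path, tags in alerts:
        if "networkservlet_post" in tags:
            seen_write.add(ip)
        elif "jsp_cmd_param" in tags and ip in seen_write:
            suspects.add(ip)
    return suspects


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, path, tags in found:
        print(f"{ip} {path} {','.join(tags)}")
    print("correlated sources:", sorted(correlate(found)))
```

On the constructed sample the first three lines are tagged and 10.0.0.5 is the one correlated source; the `shell_with_args` tag only fires when the decoded `cmd` value splits into an interpreter plus further arguments, so the argument-less `whoami` call stays at the lower-severity `jsp_cmd_param` tag. Note that the 500 status on the NetworkServlet POST is deliberate: as the reply above says, the "database backup failed" error does not mean the write failed.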

    • Bluesman

      Hi GusC,

      JWhit101 nails it!

      Once you have the test.jsp file on the server you have to *call it* (you can use any web browser to do it) and provide certain parameters in the appropriate path! Remember: the *goal* of the lab is to read the contents of a specific file on a Windows machine.

      The key is: how would you do it, via cmd, and *without* closing the command line? You have all the answers in this thread :).

      Good luck!