Forum Discussion
Web App Hacking (Lab series): CVE-2022-2143 (iView2)
Hello all, I have spent way too long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that.
I have been able to send a POST request to the NetworkServlet page using the provided exploit string and I know that the test.jsp is created because I can use the query parameter ?cmd=whoami and I get the mysqldump output showing "nt authority \system".
I cannot get any other query parameters to execute, even simple ls or dir commands. I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab.
Any directions/suggestions/hints would be greatly appreciated!
Thanks in advance.
J
11 Replies
- Bluesman
Bronze III
Hi!
I'm right where you are: managing to execute several commands (not just ‘whoami’) but not the one needed to complete the lab :).
I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.
Good luck!
[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd
- JWhit101
Bronze II
Thanks for your suggestions, Bluesman. This did lead me down some alternative paths from what I was trying. I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (URL-encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (This response takes many minutes, whereas cmd?whoami comes back in seconds.)
Have you had any additional success?
- Bluesman
Bronze III
Hello,
Unfortunately, I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (e.g. 'help', 'systeminfo', etc.) but I can't seem to hit the right one to read the token.
I've even tried via Metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.
I will keep investigating, I think we are close :).
- Bluesman
Bronze III
Hello,
Thanks for the advice!
I hope I'll have time next week to get back to that lab and finish it :).
Have a great weekend.
Best regards,
- SamDickison
Community Manager
- Bluesman
Bronze III
Hi SamDickison
I haven't had time in the last few days... but yes, I hope to be able to complete this lab!
Best regards,