Forum Discussion
Web App Hacking (Lab series): CVE-2022-2143 (iView2)
- 5 months ago
Hi!
I'm right where you are: managing to execute several commands (not just 'whoami') but not the one needed to complete the lab :).
I think the key is to manage to encode several *arguments* [0] in the exploit, not just one, getting 'cmd' [1] (for example) to read the necessary file.
Good luck!
[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd
- JWhit101, 5 months ago
Bronze II
Thanks for your suggestions, Bluesman. They did lead me down some alternative paths from what I was trying. I have tried many variations, but the format "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (URL-encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does at least appear to be what would show in a cmd window, although the data I need is not presented. (This response takes many minutes, whereas cmd?whoami comes back in seconds.)
Have you had any additional success?
- Bluesman, 5 months ago
Bronze III
Hello,
Unfortunately I have not been able to make much more progress; I can run several commands apart from 'whoami' (e.g. 'help', 'systeminfo', etc.), but I can't seem to hit the right one to read the token.
I've even tried via metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.
I will keep investigating, I think we are close :).
- JWhit101, 5 months ago
Bronze II
Bluesman, I have been able to get this working with the help of support. Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even the additional articles/examples I found from y4er and others do not seem to include this.)
The key is that the exploit payload must include the split call to extract the comma-separated arguments, i.e. {99,109,100})).split(\",\")).start(). This explains why a command like whoami, or others that don't require arguments, works fine, and why the error we kept getting, indicating that "cmd,/c,xxxxxx" was not found, seemed to treat the whole string as the single name of a command.
Once you include this split in the payload, I think you will have luck with just comma-separating the arguments discussed earlier. Don't forget to URL-encode the space in "type C:\token.txt"!
I hope that sheds a little light and helps you through this one!
J