JWhit101
5 months ago
Solved

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Hello all, I have spent way too long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that. I have been able to send a ...
  • JWhit101
    5 months ago

    Bluesman, I have been able to get this working with the help of support. Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even any additional articles/examples I found from y4er or others do not seem to include this.)

    The key is that the exploit payload must include the split command to extract the arguments that are comma separated. So {99,109,100})).split(\",\")).start().  This explains why a command like whoami, or some others that don't require arguments work fine, and why the error that we continued to get indicating "cmd,/c,xxxxxx" command not found seemed to be interpreted as the single name of a command.

    Once you include this split in the payload, I think you will have luck with just comma separating the arguments discussed earlier.  !!Don't forget to URL encode that space in type C:\token.txt!!

    I hope that sheds a little light and helps you through this one!

    J
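
Added example (not part of the original post or the lab material): why a comma-joined command string is treated as a single program name until it is split. It assumes the payload's `.start()` call is on `java.lang.ProcessBuilder`, which the post does not name; the class name `ArgvSplitDemo` and the sample command are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class ArgvSplitDemo {
    public static void main(String[] args) {
        // Constructed sample: bytes spelling a comma-joined command line, in the
        // style of the post's {99,109,100} (those three bytes decode to "cmd").
        byte[] raw = "cmd,/c,echo hello".getBytes(StandardCharsets.US_ASCII);
        String joined = new String(raw, StandardCharsets.US_ASCII);

        // One String argument: the whole text becomes argv[0], the program name.
        ProcessBuilder single = new ProcessBuilder(joined);
        List<String> unsplit = single.command();
        System.out.println("unsplit: " + unsplit.size() + " element(s) " + unsplit);

        // split(",") yields a String[], which the varargs constructor takes as
        // separate arguments: program, switch, and the command text with its space.
        ProcessBuilder split = new ProcessBuilder(joined.split(","));
        List<String> argv = split.command();
        System.out.println("split:   " + argv.size() + " element(s) " + argv);

        // Starting the unsplit form fails because no program has that literal
        // name; this is the "command not found" style of error the post describes.
        try {
            single.start();
        } catch (IOException e) {
            System.out.println("unsplit start() failed: " + e.getMessage());
        }
        // The split form is not started here so the demo behaves the same on any OS.
    }
}
```

A command with no arguments has no commas, so it is already a one-element argv and runs either way, which matches the `whoami` observation above.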