Forum Discussion
Web App Hacking (Lab series): CVE-2022-2143 (iView2)
5 months ago
Bluesman, I have been able to get this working with the help of support. Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even the additional articles/examples I found from y4er or others do not seem to include this.)
The key is that the exploit payload must include the split command to extract the comma-separated arguments, so {99,109,100})).split(\",\")).start(). This explains why a command like whoami, or some others that don't require arguments, works fine, and why the error we kept getting, indicating that the "cmd,/c,xxxxxx" command was not found, seemed to treat the whole string as the name of a single command.
Once you include this split in the payload, I think you will have luck with just comma-separating the arguments discussed earlier. !!Don't forget to URL encode that space in type C:\token.txt!!
I hope that sheds a little light and helps you through this one!
J
I'm confused by this one.
Should most things be done by command line/curl?
Should I be looking at IP:8080/webapps/iview3/test.jsp to see results from curl commands?
- I'm not even getting the results of whoami when I try that. I thought I'd get to that point before messing with the fiddly split commands.
JWhit101 (Bronze II), 11 days ago
Hi GusC,
Apologies if I am misunderstanding the question, or stating things you already know...
test.jsp is the file you write to the file system using the vulnerable method (I used Burp Suite to intercept/modify/repeat the POST request). I was receiving a "database backup failed error 2" message, but the exploit had still worked and test.jsp was created.
I was more comfortable with using the browser over curl, so if you use the exact string in the briefing to create test.jsp, then the search parameter "?cmd=whoami" should return you a proper response. Any system command that accepts no parameters should give you some output (ex: attrib, fsutil, or help).
The problem is that you want to use cmd.exe (not to be confused with "?cmd=") and pass it a set of parameters. This is why the split needs to be added when creating the test.jsp. See the marked solution for the details about the split and how to format your query parameter.
Hope that helps.
J
Bluesman (Bronze III), 10 days ago
Hi GusC,
JWhit101 nails it!
Once you have the test.jsp file on the server you have to *call it* (you can use any web browser to do it) and provide certain parameters in the appropriate path! Remember: the *goal* of the lab is to read the contents of a specific file on a Windows machine.
The key is: how would you do it, via cmd, and *without* closing the command line? You have all the answers in this thread :).
Good luck!