Forum Discussion
Web App Hacking (Lab series): CVE-2022-2143 (iView2)
- 5 months ago
Bluesman, I have been able to get this working with the help of support. Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even the additional articles/examples I found from y4er or others do not seem to include this.)
The key is that the exploit payload must include the split command to extract the arguments that are comma separated. So {99,109,100})).split(\",\")).start(). This explains why a command like whoami, or others that don't require arguments, works fine, and why the error we kept getting, saying the "cmd,/c,xxxxxx" command was not found, seemed to show the whole string was being interpreted as the single name of a command.
Once you include this split in the payload, I think you will have luck with just comma separating the arguments discussed earlier. !!Don't forget to URL encode that space in type C:\token.txt!!
I hope that sheds a little light and helps you through this one!
J
I'm confused by this one.
Should most things be done by command line/curl?
Should I be looking at IP:8080/webapps/iview3/test.jsp to see results from curl commands?
- I'm not even getting the results of whoami when I try that. I thought I'd get to that point before messing with the fiddly split commands.
Hi GusC
JWhit101 nails it!
Once you have the test.jsp file on the server you have to *call it* (you can use any web browser to do it) and provide certain parameters in the appropriate path! Remember: the *goal* of the lab is to read the contents of a specific file on a Windows machine.
The key is: how would you do it, via cmd, and *without* closing the command line? You have all the answers in this thread :).
Good luck!