CVE-2024-51567 PoC — CyberPanel 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-51567.yaml

Associated Vulnerability

Title:CyberPanel 安全漏洞 (CVE-2024-51567)
Description:CyberPanel是Usman Nasir个人开发者的一款内置了DNS和电子邮件服务器的虚拟主机控制面板。 CyberPanel存在安全漏洞，该漏洞源于databases/views.py 中的 upgrademysqlstatus 允许远程攻击者绕过身份验证并通过 /dataBases/upgrademysqlstatus 执行任意命令。

Description

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

File Snapshot


 id: CVE-2024-51567

info:
  name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
  author: Dhiyane

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!