CVE-2013-2097
Published 2020-02-12
CVE-2013-2097: ZPanel through 10.1.0 has Remote Command Execution
Priority: P2 · 59 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 26.05% (97.7th percentile)
ZPanel through 10.1.0 has Remote Command Execution
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zpanel | zpanel | — | — |
| zpanel_project | zpanel | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts targeting the pChart2 examples endpoint with 'Action=View&Script=../../../../cnf/db.php' to read ZPanel's database credentials file.
- Monitor for unauthenticated GET requests to /etc/lib/pChart2/examples/index.php with a 'Script' parameter containing directory traversal sequences (../).
- Alert on POST requests to /etc/apps/phpmyadmin/import.php containing 'SELECT ... INTO OUTFILE' SQL targeting the /etc/zpanel/panel/ web root directory.
- Detect the X-Requested-With: XMLHttpRequest header combined with SQL OUTFILE statements in the POST body to the phpMyAdmin import endpoint.
- Detect template files (master.ztml or *.ztml) uploaded by reseller accounts containing PHP execution constructs, as the templateparser eval() will execute injected PHP code.
- Monitor for a pChart 2.x response body in HTTP responses from the ZPanel pChart examples endpoint, confirming a vulnerable version is exposed.
- Caveat: the exploit's default TARGETURI is '/zpanel'; installations may differ, requiring path adjustment for detection rules.
- Caveat: the attack chain requires the pChart vulnerability (EDB-31173) to be present and exploitable before RCE is achieved; detection of the traversal step is the earliest indicator.
- Caveat: the templateparser RCE vector (EDB-25519) is accessible to any reseller account, not just administrators, broadening the attack surface.
- Caveat: a local privilege escalation binary, 'zsudo', is present on ZPanel systems and can be leveraged post-RCE to achieve root; the Metasploit module references a separate local exploit for this step.
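The request-side indicators above describe a three-stage chain (pChart traversal, INTO OUTFILE through the bundled phpMyAdmin, then a call to the dropped file). The following is an added example, not code from this page or from the ZPanel or Metasploit projects, that runs those checks over constructed JSON-lines request records (a format a reverse proxy or WAF that captures bodies might emit; the field names, the sample IPs and the file name a1b2.php are all assumptions) and correlates the stages per source IP. It deliberately matches paths by their ZPanel-specific suffix so the '/zpanel' TARGETURI caveat does not require a rule change per install.

```python
import json
import re
from urllib.parse import parse_qs, unquote, unquote_plus

# ZPanel-specific path suffixes from the IOC list. The install prefix
# (Metasploit's default TARGETURI is /zpanel, but it varies) is not
# hard-coded: paths are matched on what follows the prefix.
PCHART_SUFFIX = "/etc/lib/pChart2/examples/index.php"
PMA_IMPORT_SUFFIX = "/etc/apps/phpmyadmin/import.php"
PANEL_WEBROOT = "/etc/zpanel/panel/"   # filesystem web root targeted by INTO OUTFILE

# One decoding layer is removed by parse_qs/unquote_plus below; the regex also
# catches a second, still-encoded layer (%2e%2e%2f) so double encoding is not a bypass.
TRAVERSAL = re.compile(r"\.\.[\\/]|%2e%2e(?:%2f|%5c|[\\/])", re.IGNORECASE)
OUTFILE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)


def check_pchart_traversal(rec):
    """Stage 1: GET to the bundled pChart2 examples page with a traversing Script= value."""
    if rec["method"] != "GET" or not unquote(rec["path"]).endswith(PCHART_SUFFIX):
        return None
    params = parse_qs(rec.get("query", ""), keep_blank_values=True)
    script = params.get("Script", [""])[0]
    if TRAVERSAL.search(script):
        return {"stage": "pchart_traversal", "detail": unquote(script)}
    return None


def check_outfile_via_pma(rec):
    """Stage 2: POST to the bundled phpMyAdmin import endpoint carrying INTO OUTFILE."""
    if rec["method"] != "POST" or not unquote(rec["path"]).endswith(PMA_IMPORT_SUFFIX):
        return None
    body = unquote_plus(rec.get("body", ""))        # form-encoded sql_query=...
    m = OUTFILE.search(body)
    if not m:
        return None
    target = m.group(1)
    return {
        "stage": "pma_outfile",
        "detail": target,
        "in_webroot": target.startswith(PANEL_WEBROOT),
        "xhr": rec.get("headers", {}).get("X-Requested-With") == "XMLHttpRequest",
    }


def detect_chain(lines):
    """Run every record through the stage checks and correlate per source IP.

    Stage 3 (the dropped file being requested over HTTP) is derived from stage 2:
    the basename written under PANEL_WEBROOT is remembered for that IP and any
    later request ending in '/<basename>' is flagged, whatever the URL prefix.
    Returns {ip: [alert, ...]} in log order; IPs with no alert are absent.
    """
    alerts = {}
    dropped = {}   # ip -> set of basenames written into the web root
    for line in lines:
        rec = json.loads(line)
        ip = rec["ip"]
        for check in (check_pchart_traversal, check_outfile_via_pma):
            hit = check(rec)
            if hit is None:
                continue
            alerts.setdefault(ip, []).append(hit)
            if hit["stage"] == "pma_outfile" and hit["in_webroot"]:
                dropped.setdefault(ip, set()).add(hit["detail"][len(PANEL_WEBROOT):])
        path = unquote(rec["path"])
        for name in dropped.get(ip, ()):
            if path.endswith("/" + name):
                alerts[ip].append({"stage": "payload_invoked", "detail": path})
    return alerts


# Constructed sample records (not real traffic): one benign chart render, the
# three-stage chain from a single source, and ordinary phpMyAdmin use by an admin.
SAMPLE_LOG = [
    '{"ip":"198.51.100.7","method":"GET","path":"/zpanel/etc/lib/pChart2/examples/index.php","query":"Action=View&Script=example.drawBarChart.php","status":200}',
    '{"ip":"203.0.113.9","method":"GET","path":"/zpanel/etc/lib/pChart2/examples/index.php","query":"Action=View&Script=..%2F..%2F..%2F..%2Fcnf%2Fdb.php","status":200}',
    '{"ip":"203.0.113.9","method":"POST","path":"/zpanel/etc/apps/phpmyadmin/import.php","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"sql_query=SELECT+0x3c3f706870+INTO+OUTFILE+%27%2Fetc%2Fzpanel%2Fpanel%2Fa1b2.php%27&db=zpanel_core","status":200}',
    '{"ip":"203.0.113.9","method":"GET","path":"/zpanel/a1b2.php","query":"","status":200}',
    '{"ip":"192.0.2.4","method":"POST","path":"/zpanel/etc/apps/phpmyadmin/import.php","body":"sql_query=SELECT+COUNT%28%2A%29+FROM+x_accounts","status":200}',
]

if __name__ == "__main__":
    for ip, hits in detect_chain(SAMPLE_LOG).items():
        for h in hits:
            print(ip, h["stage"], h["detail"])
```

Per-IP correlation is a simplification: an attacker can read the credentials from one address and use phpMyAdmin from another, so stages 1 and 2 should each alert on their own and the correlation only raises confidence. The pChart version fingerprint in the IOC list is a response-body check and is not covered by request records like these.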
CVSS provenance
- NVD v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 HIGH, AV:N/AC:M/Au:N/C:C/I:C/A:C (the v2 scale has no Critical band; 9.3 is High)
The two vectors disagree on attack vector: v3.1 scores this as local with user interaction, whereas v2.0 scores it as network-reachable without authentication, which is what the unauthenticated remote chain in the Metasploit module below actually demonstrates. For exposure assessment the v2 network vector is the one that matches the exploit.
No detection rules found.
Exploit-DB · 2015-10-21
Zpanel - Remote Code Execution (Metasploit) (CVE-2013-2097)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
require 'nokogiri'
require 'uri'

# Page extraction dropped everything between "Metasploit3" and the 'Name' key
# (it was treated as an HTML tag); the standard module scaffolding is restored here.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Zpanel Remote Unauthenticated RCE',
      'Description' => %q{
        This module exploits an information disclosure vulnerability
        in Zpanel. The vulnerability is due to a vulnerable version
        of pChart used by ZPanel that allows unauthenticated users to read
        arbitrary files remotely on the file system. This particular module
        utilizes this vulnerability to identify the username/password
        combination of the MySQL instance. With the credentials the attackers
        can login to PHPMyAdmin and execute SQL commands to drop a malicious
        payload on the filesystem and call it, leading to remote code execution.
      }
      # The listing on this page ends here; references, targets and the
      # exploit method are not reproduced.
    ))
  end
end
```
Exploit-DB · 2013-04-16
ZPanel - 'templateparser.class.php' Crafted Template Remote Command Execution (CVE-2013-2097)
---
Hi all,
There's an arbitrary (PHP) code execution in ZPanel, a free and
open-source shared hosting control panel. Using the included zsudo
binary, access can be escalated and commands can be run as root.
The vulnerability: ZPanel uses a poor "templater" system that
basically consists of a few str_replace calls and an eval... and as
could be expected from something like this, it does a very poor job at
preventing malicious code. The relevant code can be seen here:
https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templateparser.class.php
(note the poor attempt at stripping out tags).
By effectively injecting the replacement that occurs in line 71, one
can run arbitrary PHP code. When combined with
Metasploit
Zpanel Remote Unauthenticated RCE
This module exploits an information disclosure vulnerability in ZPanel. The vulnerability is due to a vulnerable version of pChart used by ZPanel that allows unauthenticated users to read arbitrary files remotely on the file system. This particular module utilizes this vulnerability to identify the username/password combination of the MySQL instance. With the credentials the attackers can login to PHPMyAdmin and execute SQL commands to drop a malicious payload on the filesystem and call it leading to remote code execution.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/134030/Zpanel-10.1.0-Remote-Unauthenticated-Code-Execution.html
- http://www.exploit-db.com/exploits/25519
- http://www.openwall.com/lists/oss-security/2013/05/16/12
- http://www.openwall.com/lists/oss-security/2013/05/16/16
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84364