CVE-2024-51567 is a Python proof-of-concept (PoC) exploit script for CVE-2024-51567, a critical command injection vulnerability affecting CyberPanel v2.3.6. This vulnerability, found in the `upgrademysqlstatus` endpoint, enables remote command execution (RCE) by bypassing CSRF protections and utilizing shell metacharacters in specific parameters.
⚠️ Important Disclaimer: This script is intended for educational purposes and authorized security testing on systems you own or have explicit permission to test. Unauthorized use of this script on any system is illegal and punishable by law. The author assumes no responsibility for misuse. Always adhere to ethical standards and applicable laws.
- Vulnerability Overview
- Features
- Prerequisites
- Installation
- Usage
- Code Structure
- Error Handling and Debugging
- References
- CVE ID: CVE-2024-51567
- Vulnerability Type: Command Injection / CSRF Bypass
- Affected Software: CyberPanel through versions 2.3.6 and 2.3.7 (unpatched)
- Description: The `upgrademysqlstatus` endpoint in `databases/views.py` of CyberPanel (prior to commit `5b08cd6`) allows remote attackers to execute arbitrary commands by bypassing `secMiddleware` protections, which only filter POST requests. This vulnerability can be exploited using shell metacharacters in the `statusfile` parameter.
- Exploitation in the Wild: Exploited by PSAUX in October 2024.
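For defenders, the description above suggests a simple log check: since `secMiddleware` only filters POST requests, any request to the endpoint with another method deserves review. The following is an added example, not part of this repository; it assumes a combined-format web access log and that legitimate panel traffic reaches the endpoint with POST, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Endpoint path as given on this page; compared case-insensitively.
ENDPOINT = "/dataBases/upgrademysqlstatus"

# Combined/common log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_non_post(lines):
    """Group requests to ENDPOINT that did not use POST, keyed by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        # Ignore any query string and trailing slash before comparing paths.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.lower() != ENDPOINT.lower():
            continue
        if m["method"] != "POST":
            hits[m["ip"]].append((m["time"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2024:10:01:02 +0000] "POST /dataBases/upgrademysqlstatus HTTP/1.1" 200 51',
    '198.51.100.7 - - [28/Oct/2024:10:05:40 +0000] "GET /dataBases/upgrademysqlstatus HTTP/1.1" 200 87',
    '198.51.100.7 - - [28/Oct/2024:10:05:44 +0000] "HEAD /dataBases/upgrademysqlstatus/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [28/Oct/2024:10:06:00 +0000] "GET /base/ HTTP/1.1" 200 4312',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, events in flag_non_post(SAMPLE_LOG).items():
        for when, method, status in events:
            print(f"{ip} {when} {method} -> {status}")
```

A hit is a lead for investigation rather than proof of compromise; the request body, where `statusfile` would appear, is not recorded in a standard access log.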
- Retrieves the CSRF token from the target server to authenticate requests
- Creates and sends a specially crafted payload to bypass CSRF protections
- Executes remote commands on a vulnerable CyberPanel server through the `/dataBases/upgrademysqlstatus` endpoint
- Supports exploitation of both single and multiple targets
- Interactive command execution mode, allowing repeated command input until the user exits
- Provides an error message if the CSRF token is missing or invalid
- Python 3
- `httpx` module
- Clone the repository:
git clone https://github.com/ajayalf/CVE-2024-51567.git
cd CVE-2024-51567
- Install dependencies. Ensure `httpx` is installed:
pip install httpx
To run the script on a single target, use the following command:
python CVE-2024-51567.py <target-url>
Example:
python CVE-2024-51567.py http://example.com
To run the script on multiple targets, create a text file with a list of target URLs (one URL per line), and use the command:
python CVE-2024-51567.py <targets.txt>
Example:
python CVE-2024-51567.py targets.txt
If you want to use multiple targets, create a text file named `targets.txt` or any preferred name. The format of the file should be a list of URLs, with one URL per line, as shown below:
http://target1.com
http://target2.com
http://target3.com
After the script connects to a target, you can enter shell commands to execute on the target server. To exit, type `exit` or `quit`.
- `get_CSRF_token(client)`: Retrieves the CSRF token from cookies on the target's main page.
  - Input: `client` (an `httpx.Client` object)
  - Output: The CSRF token value, or an error if not found.
- `pwn(client, CSRF_token, cmd)`: Sends a crafted payload with the CSRF token and the desired command.
  - Input: `client` (an `httpx.Client` object), `CSRF_token` (string), `cmd` (string)
  - Output: Status of the request or "Error".
- `exploit(client, cmd)`: Executes the `pwn` function on the target to run the command and prints the output.
  - Input: `client` (an `httpx.Client` object), `cmd` (string)
- `run_exploit(target)`: Initializes a connection to the target and starts an interactive command loop.
  - Input: `target` (string, target URL)
  - Process: Receives user commands until the user types `exit` or `quit`.
- Main Execution: Checks the argument to determine if the target is a single URL or a file with multiple targets.
  - If a file is provided, it reads and executes on each target in the list.
  - If a URL is provided, it runs a single target.
If the CSRF token is not found in the cookies, the script will print all received cookies and exit with a helpful error message.
- "Error: CSRF token not found in cookies.": This indicates that the CSRF token was not found in the response cookies from the target server. Solutions:
  - Verify that the server sends a CSRF token in the cookies.
  - Ensure that `/` is the correct endpoint for obtaining the CSRF token. If it is different, modify the function `get_CSRF_token` accordingly.
For further information regarding this vulnerability, please refer to the following resources: