This Metasploit module exploits a vulnerability found in ZPanel's htpasswd module. When creating .htaccess using the htpasswd module, the username field can be used to inject system commands, which is passed on to a system() function for executing the system's htpasswd's command. Please note: In order to use this module, you must have a valid account to login to ZPanel. An account part of any of the default groups should suffice, such as: Administrators, Resellers, or Users (Clients). By default, there's already a 'zadmin' user, but the password is randomly generated.
b0c8395da4e46b664fc003dfc79c486c7be07dfe55feabb0ac541c4e867a7236
ZPanel version 10.0.0.2 suffers from a remote root command execution vulnerability.
a30a5948320c316bd884408d4f9e6e18b520ce906e9bb8f59bc103d82a9b44d4