Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-45467 PoC — CWP Panel 代码注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-45467.yaml
Associated Vulnerability
Title:CWP Panel 代码注入漏洞 (CVE-2021-45467)
Description:CWP Panel是CWP公司的一个现代和先进的 Linux 控制面板。适用于网络托管服务提供商和系统管理员。 CWP Panel el8-latest 存在代码注入漏洞,该漏洞可能允许远程攻击者在受影响的系统上执行任意代码。
Description
In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
File Snapshot

 id: CVE-2021-45467

info:
  name: Control Web Panel (CWP) - File Inclusion
  author: ritikchaddha
  

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.