CVE-2020-10230
published 2020-03-16

CVE-2020-10230: CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.

Priority: P2 67 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 14.67% (96.2nd percentile)

Detection & IOCs (extracted from sources)

url: https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT (ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO
url: https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' OR SLEEP(5)-- JCpP
path: /cwp_{SESSION_HASH}/admin/loader_ajax.php
port: 2031
command: term=a' AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT (ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO
command: term=a' OR SLEEP(5)-- JCpP
  • Monitor HTTP requests to the CWP admin endpoint /cwp_*/admin/loader_ajax.php on port 2031 for SQL injection patterns in the 'term' query parameter, including single quotes, SLEEP(), CONCAT(), and FLOOR(RAND()) constructs.
  • Detect error-based SQL injection attempts using the magic constant 0x716b6a7171 and 0x71707a7671 hex strings in request parameters targeting CWP.
  • Detect time-based blind SQL injection attempts using OR SLEEP(5) in the 'term' parameter of loader_ajax.php requests, which will cause observable response delays.
  • The attack targets the ajax=dashboard&action=searchIn action on the CWP admin panel; alert on these specific query string parameters combined with SQL metacharacters in 'term'.
  • The vulnerable path includes a dynamic SESSION_HASH component (/cwp_{SESSION_HASH}/admin/loader_ajax.php), so detection rules must match the path with a wildcard or regex rather than an exact string.
  • The vulnerability affects both the CentOS 6 and CentOS 7 builds of CWP (v6 and v7), so detection coverage should not be scoped to a single OS version.
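The detection guidance above, turned into a small classifier as an added example (this is not code from the page, from CWP, or from any vendor rule set). It assumes requests are available as full URLs, as a proxy or access log would record them; the hostname and session hash in the sample inputs are constructed placeholders, while the two `term` payloads are the ones listed in the IOCs above. The path is matched with a regex because of the per-session hash, the `ajax=dashboard&action=searchIn` pair is required, and the `term` value is checked for the time-based, error-based and generic SQL indicators the bullets name.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The admin path carries a per-session hash, so match it with a regex, not an exact string.
LOADER_PATH = re.compile(r"^/cwp_[^/]+/admin/loader_ajax\.php$", re.IGNORECASE)

# Error-based indicators: the marker constants and FLOOR(RAND()) construct from the IOCs.
ERROR_BASED = re.compile(r"0x716b6a7171|0x71707a7671|FLOOR\s*\(\s*RAND\s*\(", re.IGNORECASE)
# Time-based blind indicator: SLEEP() in the search term.
TIME_BASED = re.compile(r"\bSLEEP\s*\(", re.IGNORECASE)
# Generic SQL metacharacters/constructs in a search term. Bare AND/OR are deliberately
# left out to avoid flagging ordinary English search words.
SQL_META = re.compile(r"'|--|\bCONCAT\s*\(|\bSELECT\b", re.IGNORECASE)

CWP_ADMIN_PORT = 2031


def classify_request(url: str) -> Optional[dict]:
    """Return a finding for a suspicious CWP searchIn request, or None if it looks benign.

    Only requests to the loader_ajax.php dashboard search action are considered; a
    missing port is tolerated so path-only log entries can be fed in as well.
    """
    parts = urlsplit(url)
    if parts.port not in (None, CWP_ADMIN_PORT):
        return None
    if not LOADER_PATH.match(parts.path):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("ajax") != ["dashboard"] or qs.get("action") != ["searchIn"]:
        return None
    term = qs.get("term", [""])[0]
    if TIME_BASED.search(term):
        kind = "time-based blind SQLi"
    elif ERROR_BASED.search(term):
        kind = "error-based SQLi"
    elif SQL_META.search(term):
        kind = "possible SQLi (SQL metacharacters in term)"
    else:
        return None
    return {"kind": kind, "path": parts.path, "term": term}


def scan(urls) -> list:
    """Classify a batch of request URLs and return only the findings."""
    findings = []
    for url in urls:
        finding = classify_request(url)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample input: host and session hash are placeholders; the two injected
# term values are the PoC payloads listed in this CVE's IOCs.
SAMPLE_REQUESTS = [
    "https://panel.example.com:2031/cwp_0123abcd/admin/loader_ajax.php"
    "?ajax=dashboard&action=searchIn&term=a' OR SLEEP(5)-- JCpP",
    "https://panel.example.com:2031/cwp_0123abcd/admin/loader_ajax.php"
    "?ajax=dashboard&action=searchIn&term=a' AND (SELECT 1197 FROM(SELECT COUNT(*),"
    "CONCAT(0x716b6a7171,(SELECT (ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x"
    " FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO",
    # Benign search for a plain word on the same endpoint.
    "https://panel.example.com:2031/cwp_0123abcd/admin/loader_ajax.php"
    "?ajax=dashboard&action=searchIn&term=backup",
    # Different action on the same script: out of scope for this rule.
    "https://panel.example.com:2031/cwp_0123abcd/admin/loader_ajax.php"
    "?ajax=dashboard&action=other&term=a'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['kind']}: {f['path']} term={f['term']!r}")
```

The first regex is the part worth keeping even if the rest is replaced by a SIEM rule: anchoring on `/cwp_<anything>/admin/loader_ajax.php` and the `ajax=dashboard&action=searchIn` pair keeps the rule specific to this endpoint, so a single quote in `term` is a much stronger signal here than it would be on a general search form.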

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P