Calling a wrapper (privilege escalation) from PHP since cPanel 11.38

[tizoo]

Hi all,

I tried to make the example *PrivEscExample.tar.gz* to work but I cannot find how to call the Namespace/module/function from PHP.

For short, how to translate this call in PHP :

my $result = Cpanel::Wrap::send_cpwrapd_request(
        'namespace' => 'MyNamespace',
        'module'    => 'MyExample',
        'function'  => 'ECHO',
        'data'      => 'Hello World !'
    );

Before cPanel 11.38, something like the following code would have worked :

$this->cpanel = new CPANEL();
$param['data'] = 'Hello World!';
$res = $this->cpanel->api2('MyExample', 'ECHO', $param);

But now it didn't work anymore as it try to load a module which is not present anymore.

I tried the following which seems to me a good candidate :

$param['namespace'] = 'MyNamespace';
$param['module'] = 'MyExample';
$param['function'] = 'ECHO';
$param['data'] = 'Hello World!';
$res = $this->cpanel->api2('Wrap', 'send_cpwrapd_request', $param);

But it seems that the "Wrap" module lacks the function "send_cpwrapd_request".

As I didn't find any documentation explaining how to access the wrapper function from PHP, could someone from cPanel staff give me some hints or point me to the explanations that I missed.

Thanks in advance.

Cheers,
Philipppe

 

[tizoo]

Hi all,

In fact it seems that it is not possible to make the same call with PHP as the documentation tell how to make it with Perl.

We finally stay with the old way that generate the following error for each call :

error_log:cpwrapd: falling back to using legacy adminbin: /usr/local/cpanel/bin/tzbmadmin

Cheers,
Philippe

 

[Mrg]

We read https://documentation.cpanel.net/di...+Privilege+Escalation+-+Call+Your+Application

With myexample.live.pl we can do priv escalation:

my $result = Cpanel::Wrap::send_cpwrapd_request(
'namespace' => 'MyNamespace',
'module' => 'MyExample',
'function' => $thing_to_do,
'data' => $string_to_mess_with
);


But how can we call our /usr/local/cpanel/bin/admin/MyNamespace/MyExample with PHP Plugin f.e. in myexample.live.php ?

<?php
require_once "/usr/local/cpanel/php/cpanel.php";
$cpanel = &new CPANEL();
$get = $cpanel->uapi(
//how can we call Cpanel::Wrap::send_cpwrapd_request ?
);

 

[Mrg]

Hello, same problem.
How can we reach this? How do you call the priv. escal. wrapper?

 

[cPanelMichael]

Hello,

I've merged your posts into this thread, as there's no need to post the same question to multiple threads.

Thank you.

 

[cPanelMichael]

Hello,

Here's the response to the associated support ticket for this issue from David N:

Hello,

Thanks for contacting us. The way cpwrap is written, the only language that can interface with it is Perl. However, it's possible (and not very difficult) to write a thin custom UAPI module with a call (or calls) that wraps your cpwrap call. Your LiveAPI page will then use $cpanel->uapi to invoke the custom UAPI call you've written. I recommend reading over the custom UAPI modules documentation if you haven't already:

http://documentation.cpanel.net/display/SDK/UAPI+-+Custom+UAPI+Modules

If you have any more questions about this, please don't hesitate to ask.

Thank you.

 

[tizoo]

Hi Mrg,

We do exactely as cPanelMichael tell you :

1) Created a custom module (TZBM.pm)
2) Installed the custom module in /usr/local/cpanel/Cpanel/
3) Call it from PHP with something like :

$cpanel->api2('TZBM', 'genmailboxlistfile', $param);

Hope this help.

Cheers,
Philippe